I came across this interesting site that cross references your browsing history with the popular feed reader feedly to determine one’s area of interests. When I first visited the website, I was curious about it’s mechanism. I wasn’t sure what to expect; it asked me to click on red boxes and claims that it will determine my interests based on some advanced neuroscience. I did as told because it seems like a harmless thing to do. As I was mechanically clicking boxes, I was wondering how on earth would clicking red boxes reveal anything. Could the order matter? Could the number of wrong clicks reveal that I am somewhat rash, or have some sort of compulsive disorder?
As an aside, I noticed that when my mouse hovered over the boxes, it showed that they were links to websites that I have visited, I thought that it might be one of those click jacking websites, but closer inspection of the source ruled that out.
When I was finally done, I was presently surprised about the result. It did match my interests to a large extent. So I became more curious and peeped into its inner working. Essentially, the boxes represents websites with a category tag, red boxes indicate visited websites, clicking it adds it to a list, ranking the interest is just ranking the tags.
I thought it was a neat idea and wondered if this can be done automatically instead of having the user manually do the clicking. So I thought about using JQuery to select visited links, and realised the query returned nothing. I then tried changing the CSS to only show visited links, or to make the text way bigger for visited links so that it is easier to click on. None of these worked either, and so I started to do some research.
It turns out what I was trying to do has security implications. The feature I want can be used by malicious website to detect a user’s browsing history, and we know that’s not good ;). If that were allowed, it expose a covert channel, which is an unintended channel which information can leak through. For example, detecting whether a link is visited or not acts like a litmus paper with which information about the browsing history can be leaked to the website.
If that is not allowed, one can still work around it if links were allowed to be different in sizes. Because the status of links can be learned by querying other elements of the page which may have been resized because of the difference in sizes.
These holes have been fixed and we can have some confidence that our browsing history is still private, for now.