OK so what is Start Panic!
Basically all it does is enumerate your browsing history… but that’s a lot. Everything we do now is online and all those sites we use to do everything from our banking to our social networking. First I want to quickly cover why this information should be kept secret and then explain exactly how they are getting to it.
First this on its own is hardly a problem aside from some embarrassing browsing history there isn’t a lot you can do with the history you steal but combined with the classics (social engineering, weak passwords and phishing) you could be in a lot of trouble. It happened to twitter just recently and it can happen to you, people can guess security questions based on your social networking sites responses “where did you first go to school” or “what’s your pet’s name” are no longer hard to find and you browsing history will tell them exactly where they can find you profiles. With some basic info on you and a crafty email many would fall for a phishing scam and from there they can get even more. 61% of passwords are reused for all sites (1) and that means if one of your online profiles is lost they all are in danger especially if it’s your webmail account. They can just have the sites reset your passwords for them. Yahoo has taken one of the first measures against this by having multiple security questions and the ability to reset your password with your cell but many sites still don’t offer this service.
But enough with the scare tactics let’s look at exactly how this attack is conducted and how some simple functionality gave the attacker the keys to the kingdom.
CSS is the new way to style text on the web and it’s responsible for much of the explosion in design creativity but it can also leak important info (such as your browsing history)
Consider this css: