Friday, April 2, 2010

OK so what is Start Panic! and do we need to be?

Basically all it does is enumerate your browsing history… but that’s a lot. Everything we do now is online, and those sites are where we do everything from our banking to our social networking. First I want to quickly cover why this information should be kept secret, and then explain exactly how they are getting to it.
First, this on its own is hardly a problem: aside from some embarrassing browsing history, there isn’t a lot you can do with the history you steal. Combined with the classics (social engineering, weak passwords and phishing), though, you could be in a lot of trouble. It happened to Twitter just recently and it can happen to you. People can guess security questions based on your social networking profiles; “where did you first go to school” or “what’s your pet’s name” are no longer hard to find, and your browsing history will tell them exactly where to find your profiles. With some basic info on you and a crafty email, many would fall for a phishing scam, and from there they can get even more. 61% of passwords are reused for all sites (1), which means that if one of your online profiles is lost they are all in danger, especially if it’s your webmail account: they can simply have the other sites reset your passwords for them. Yahoo has taken one of the first measures against this by having multiple security questions and the ability to reset your password with your cell, but many sites still don’t offer this service.
But enough with the scare tactics; let’s look at exactly how this attack is conducted and how some simple functionality gave the attacker the keys to the kingdom.
CSS is the new way to style text on the web and it’s responsible for much of the explosion in design creativity, but it can also leak important info (such as your browsing history).
Consider this css:

Now any link will only be displayed if it has been visited. They write a large number of links to the page for common sites like Facebook or your bank, and it’s a simple task to write some JavaScript that checks which links on the page are displayed. It’s done: they have your browsing history (and know what sites you use and where you bank online).
There is no way to prevent this attack. It is still possible to perform it with no JavaScript (it involves using a server-side script and requests to the server for images), but that variant is uncommon and unreliable. So watch out and clear your history, because you don’t know who’s reading it as you pass by on the world wide web.
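As an added example (not code from the original post or from Start Panic!), here is a small defender-side linter that flags the CSS pattern described above: a `:visited` rule that changes anything other than a colour. Modern browsers only honour a short allow-list of colour properties under `:visited` precisely to block this leak, so a stylesheet that sets `display`, `visibility`, `background-image` or similar on visited links is worth investigating. The parser is deliberately minimal (no `@media` nesting, no comments) and the allow-list is taken from the browser restriction as I understand it; both are assumptions.

```javascript
// Properties browsers still apply under :visited (colour-only, not readable
// back by script). Anything else in a :visited rule is suspicious.
const VISITED_ALLOWED = new Set([
  "color", "background-color", "border-color",
  "border-top-color", "border-right-color", "border-bottom-color",
  "border-left-color", "outline-color", "column-rule-color", "fill", "stroke",
]);

// Minimal CSS rule parser: "selector, selector { prop: val; prop: val }".
// Assumption: flat stylesheet, no nested @rules and no /* comments */.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    const selectors = m[1].split(",").map(s => s.trim()).filter(Boolean);
    const properties = m[2].split(";").map(d => d.trim()).filter(Boolean)
      .map(d => d.split(":")[0].trim().toLowerCase());
    rules.push({ selectors, properties });
  }
  return rules;
}

// Returns one finding per rule whose selector targets :visited and whose
// declarations include a property outside the colour allow-list.
function findHistorySniffingRules(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    const visitedSel = rule.selectors.filter(s => /:visited\b/i.test(s));
    if (visitedSel.length === 0) continue;
    const bad = rule.properties.filter(p => !VISITED_ALLOWED.has(p));
    if (bad.length > 0) findings.push({ selectors: visitedSel, properties: bad });
  }
  return findings;
}

// Constructed sample stylesheet: the first two rules are the pattern the post
// describes (links hidden unless visited); the third is a harmless colour change.
const SAMPLE_CSS = `
a { display: none; }
a:visited { display: inline; }
a:visited, a:hover { color: #800080; }
`;

console.log(JSON.stringify(findHistorySniffingRules(SAMPLE_CSS)));
```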


