Skip to main content

Websites Found Guilty of Browser History Sniffing

A recent study conducted by researchers at the University of California, San Diego has revealed that 46 websites are exploiting a security flaw in current and older browsers that reveal where the user previously visited.

Called "history hijacking" or "history sniffing," these websites are harvesting browsing histories for various reasons. As the Associated Press reports, e-commerce companies can adjust ads or prices on the spot-- an example given was a website using the information to match a lower price offered by a previously visited competitor. Malicious sites can even use the information to learn more about visitors and create personalized attacks.

According to the study, history sniffing is essentially the act of a website or advertisement pulling out a web browser's history and comparing itself to the listed sites the user previously visited. The study indicated that one popular porn site was checking visitor browsing histories to see if they visited 23 other related sites. Code used on two other sites looked for matches against 40 specific websites related to Ford automobiles.

The study investigated around 50,000 of the world's most popular websites and discovered that there were 500 sites that behaved suspiciously, however there wasn't enough evidence to prove any "history hijacking." 60 websites reportedly transferred browser histories to their networks. The 46 sites actually caught stealing personal browsing history included news site and financial research site

"Browser vendors should have fixed this a long time ago," said Jeremiah Grossman, an Internet security expert at WhiteHat Security Inc. "It's more evidence that we not only needed the fix, but that people really should upgrade their browsers. Most people wouldn't know this is possible."

The latest versions of Apple's Safari and Google's Chrome now have built-in protection against history sniffing-- Mozilla plans to add the feature in the next full release of Firefox. Internet Explorer has a toggle to enable private browsing mode (which prevents snooping), however it limits the way the browser tracks its own history for the user.

The study said that typically users have no idea that websites are harvesting their browsing history. Currently U.S. Federal regulators are proposing a "Do Not Track" tool that prevents advertisers from following Web surfers across the Internet to sell them more products.