24th May, 2004

Background Images Security Flaw?

Yesterday, Simon Willison posted a short overview of some current visited links methods over at Sitepoint, mentioning the method I use here. Good stuff, but is there a security flaw when using background images with CSS link styles?

The link itself does not generate a hit, so we’d never know where the user went, but it does if a background image is ascribed to that style. Yesterday, Jesse Ruderman commented:

I find it amusing that someone is using background images in combination with :link / :visited. That combination also leads to a privacy hole that lets any web site you visit find out e.g. which Slashdot articles you read.

Hmm. It seems there is a potential security issue, as he flagged in 2000 over at Bugzilla (Bug 57351). The comments raised there in response to Jesse’s alert range from major concern through to very little. Jesse and the team argue that it might be possible to track a user’s progress for illegal gains:

By setting up separate styles for each link on a page, it would be possible to find out which links from a list the user has already visited.  A devious scripter might also then load each of those sites (from his web server) to see where they link, and use the trick again to figure out which links the user had followed from the first set of pages.  It could possibly also be used to crack short/guessable passwords that are part of a url the user had visited, without generating network traffic.

The first sentence in the above quote is, I think, key to whether we dare use background images or not. If I’m following the discussion correctly, the problem arises when using a seperate link style for every or certain links. By attaching individual styles to individual links, it may well be possible to launch malicious commands based on what the end user does (maybe by timing performance with javascript, or forcing certain elements off screen etc). Jesse goes into more detail about the potential for this in the article.

Potentially, tracking pages not created by the attacker is dangerous, and it’s possible because a:visited doesn’t look at domains. The user would have to visit the booby-trapped page though, and like anything else, we have to trust that this isn’t happening on a page we navigate to.

However, CollyLogic only uses two sets of link styles, spanning many, many links. Therefore, using this method seems far too general to allow me to chart your movements. Which of the many sidebar links had you clicked? How do I differentiate between them unless I apply an individual style to each one? The a:visited element itself is open to exploitation here, regardless of the use of unique background images. That said, it seemed worthwhile to point out Jesse’s findings in response to the focus the ‘ticked’ links have been getting recently. I’ll let you decide whether it could be a minor or major concern.

But don’t worry about me. I’m an honest, responsible background-image user.

Prev / Next


If you enjoyed this article, please subscribe to my Internet of Natural Things letter, and maybe grab the RSS feed. Thank you.