Thread: Security Warning (CSS Hack)

Originally Posted by chuck norris

I have a suggestion for this thread: We should put together and maintain a list of trackers that are [b]known[b] to ban users from T-I, toning down the amount of paranoia involved with all of this, and to warn other members of those trackers to remember to use a private browsing mode or disable your history.

Well, i can tell u that Mozilla has been working hard at coming up with a fix and apparently they have. The update should be released soon and once it is then there would be no need to worry about this CSS hack anymore.

just when i thought it was safe to remove my tinfoil hat i go and learn of something like this 0.o

Thanks for the heads up. Not sure whether Mozilla made the needed adjustments to FF in order to fix this.
Just to be on the safe side, I've adjusted my config and sat up another FF Profile.

As of July 25 2010, Firefox 3.6 .6 is STILL plagued with this fault.

I tested with the provided link (Stealing browser history with Javascript and CSS) and OH MY GOD, all the sites I've ever visited poped up.... Scary.

Fortunately, disabling CCS history work like a charm:

OPTION 1 - Disable CSS Visited Links [Firefox Only]

• Type "about:config" in the address bar
• Type "layout.css.visited_links_enabled" in the filter list
• Change the default value of "True" to "False" by double clicking it
• Restart Firefox

Re-tested (No need to restart Firefox BTW) and no web site came out this time. I still have access my full history when I press CTRL-SHIFT-H.

I have only 1 question:

What is the purpose of the function "layout.css.visited_links_enabled" in the first place? I mean, disabling it seems to make no difference, save protecting prying eyes from looking at my history. I apparently lost NO functionality whatsoever.

Anyway, thanks for this trick!

Tintin

Ugh. I wish I had seen this thread before. I got myself booted from hey.fux0r.eu. So add that to the list of sites that watch where you're coming from.

The real kicker is I got into fux0r through open registration. Not from an invite here. Though in a way it's a good thing because then I may have screwed someone else over.

I've tried to contact them on the irc, to see if the fact I got in through open registration makes any difference but I'm blocked on all fronts.

Anyone know of someone I could contact to try and appeal the matter?

Anyhow lesson is - MAKE SURE YOU FOLLOW THE ABOVE SO YOU DON'T GET BURNED!!

latest 3.6.10 firefox still has the issue. thanks for the heads up, disabled the css links visited thing

I thought this worked by injecting malicious code? Is it only a data miner?

Hi people! I liked the History Blocker for firefox. Very simple.

well its for FBI..they are watching us xD