The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.
This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.
These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise: A lawyer for two California residents said they filed suit against one of the sites named in the report — YouPorn — alleging that it violated consumer-protection laws by using the method.
As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack. Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web site developers to query whether site visitors had previously visited up to 50 specific URLs.
If you’d like to see this history-sniffing technique in action, check out this blog post (from 2008) and click the “Start Analyzing My Browsing History” button about halfway down the page. That site also will try to guess whether you’re a man or a woman by indexing the sites it finds against the Quantcast Top 10,000 sites. It guessed that there was a 99 percent likelihood I was male (phew!), but your mileage may vary.
Fortunately, the browser makers (most of them) have responded. These sniffing attacks — such as the proof-of-concept I linked to above — do not appear to work against the latest versions of Chrome and Safari. Within Mozilla Firefox, these script attacks can be blocked quite easily using a script-blocking browser plugin, such as the NoScript add-on.
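A defender-side view of the color check described above, as an added example (not code from the study or from any site named here): it walks a trace of DOM operations and flags scripts that read the color of links pointing at several off-site URLs. The trace format, the script names and the three-URL threshold are assumptions made for illustration.

```javascript
// Constructed trace (hypothetical format): one record per DOM operation a
// page script performed, as an instrumented browser might log it.
const S = "https://site.example/tracker.js";
const T = "https://site.example/theme.js";
const SAMPLE_TRACE = [
  { script: S, op: "set-href", node: 7, url: "https://bank.example/login" },
  { script: S, op: "read-style", node: 7, prop: "color" },
  { script: S, op: "set-href", node: 7, url: "https://news.example/" },
  { script: S, op: "read-style", node: 7, prop: "color" },
  { script: S, op: "set-href", node: 7, url: "https://shop.example/cart" },
  { script: S, op: "read-style", node: 7, prop: "color" },
  { script: T, op: "set-href", node: 2, url: "/about" },
  { script: T, op: "read-style", node: 2, prop: "color" },
  { script: T, op: "set-href", node: 3, url: "https://partner.example/" },
  { script: T, op: "read-style", node: 3, prop: "font-size" },
];

// Flag scripts that point links at off-site URLs and then read back the
// link color: the visited/unvisited test the article describes.
// minUrls is an assumed threshold, not a value from the study.
function findHistorySniffers(trace, pageOrigin, minUrls = 3) {
  const hrefs = new Map();  // "script|node" -> URL last assigned to that link
  const probed = new Map(); // script -> Set of off-site URLs whose color was read
  for (const ev of trace) {
    const key = `${ev.script}|${ev.node}`;
    if (ev.op === "set-href") {
      // Resolve relative hrefs against the page so they count as same-site.
      hrefs.set(key, new URL(ev.url, pageOrigin).href);
    } else if (ev.op === "read-style" && ev.prop === "color" && hrefs.has(key)) {
      const url = hrefs.get(key);
      // Reading the color of a same-site link is ordinary styling work.
      if (new URL(url).origin === pageOrigin) continue;
      if (!probed.has(ev.script)) probed.set(ev.script, new Set());
      probed.get(ev.script).add(url);
    }
  }
  return [...probed]
    .filter(([, urls]) => urls.size >= minUrls)
    .map(([script, urls]) => ({ script, urls: [...urls].sort() }));
}

for (const hit of findHistorySniffers(SAMPLE_TRACE, "https://site.example")) {
  console.log(`${hit.script} probed ${hit.urls.length} off-site URLs`);
}
```

The theme script in the sample is not flagged: its only color read is on a same-site link, and its off-site link is queried for font size rather than color.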