Acknowledgement sent
to markhobley@yahoo.co.uk:
New Bug report received and forwarded. Copy sent to Josselin Mouette <joss@debian.org>.
(Mon, 26 Apr 2010 06:15:04 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CSS visited elements allow for disclosure of users browser history
Date: Mon, 26 Apr 2010 07:13:49 +0100
Package: epiphany-browser
Version: 2.30.2-1
Severity: normal
There is a "Disclosure of user information" security flaw in the epiphany
browser due to the implementation of support for CSS :visited pseudoclass
elements. It is possible to specify a background-url attribute which will make
a request to the server if a particular link has been visited. Using this CSS
mechanism, it is possible for a hosting server to determine visited links
without using Javascript.
For example:
<style>
a#link1:visited { background-image: url(/log?link1_was_visited); }
a#link2:visited { background-image: url(/log?link2_was_visited); }
</style>
<a href="http://google.com" id="link1">link1</a>
<a href="http://yahoo.com" id="link2">link2</a>
If link1 (http://google.com) has been visited, the browser will make a request
back to the server to retrieve the background for the #link1 rule. By
appending a different URL argument to each rule we can determine which of the
links were visited. Please note that this requires no client-side scripting
whatsoever, and only relies on the availability of CSS.
The following website demonstrates a working exploit of this vulnerability:
http://www.whattheinternetknowsaboutyou.com/
Mark.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (60, 'testing'), (50, 'unstable')
Architecture: i386 (i386)
Kernel: Linux 2.6.26-2-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages epiphany-browser depends on:
ii dbus-x11 1.2.16-2 simple interprocess messaging syst
ii epiphany-browser-data 2.29.3-1 Data files for the GNOME web brows
ii gnome-icon-theme 2.28.0-1 GNOME Desktop icon theme
ii iso-codes 3.14-1 ISO language, territory, currency,
ii libavahi-client3 0.6.25-2 Avahi client library
ii libavahi-common3 0.6.25-2 Avahi common library
ii libavahi-gobject0 0.6.25-3 Avahi GObject library
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.82-2 simple interprocess messaging syst
ii libgconf2-4 2.28.0-1 GNOME configuration database syste
ii libgirepository1.0-0 0.6.8-1 Library for handling GObject intro
ii libglib2.0-0 2.24.0-1 The GLib library of C routines
ii libgnome-keyring0 2.28.1-2 GNOME keyring services library
pn libgtk2.0-0 <none> (no description available)
ii libice6 2:1.0.6-1 X11 Inter-Client Exchange library
ii libnotify1 [libnotify1-gtk2 0.4.5-1 sends desktop notifications to a n
ii libnspr4-0d 4.8.2-1 NetScape Portable Runtime Library
ii libnss3-1d 3.12.6-1 Network Security Service libraries
ii libpango1.0-0 1.26.1-1 Layout and rendering of internatio
pn libseed0 <none> (no description available)
ii libsm6 2:1.1.1-1 X11 Session Management library
pn libsoup-gnome2.4-1 <none> (no description available)
pn libsoup2.4-1 <none> (no description available)
pn libwebkit-1.0-2 <none> (no description available)
ii libx11-6 2:1.2.2-1 X11 client-side library
ii libxml2 2.7.6.dfsg-1 GNOME XML library
ii libxslt1.1 1.1.26-1 XSLT processing library - runtime
Versions of packages epiphany-browser recommends:
ii ca-certificates 20090814 Common CA certificates
pn evince <none> (no description available)
ii yelp 2.28.0+webkit-2 Help browser for GNOME
epiphany-browser suggests no packages.
-- no debconf information
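An added example, not part of the original report and not code from Epiphany or WebKit: a small audit script that flags `:visited` rules able to trigger a conditional fetch, as the stylesheet in the report does, or that set anything other than colour. It assumes flat `selector { ... }` rules; the function names, the allowlist (an illustrative subset of colour-only properties) and the sample stylesheet are constructed for the demonstration.

```javascript
// Colour-only properties treated as acceptable on :visited (illustrative
// subset, an assumption of this example rather than a browser's exact list).
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Minimal flat-rule parser: handles "selector { prop: value; ... }" only,
// with no @media nesting and no comments (enough for the sample below).
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    const decls = m[2].split(';').map(d => d.trim())
      .filter(d => d.includes(':'))
      .map(d => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

// Report each declaration in a :visited rule that references a URL
// (a fetch that only happens for visited links) or is not colour-only.
function auditVisited(css) {
  const findings = [];
  for (const { selector, decls } of parseRules(css)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const { prop, value } of decls) {
      const loadsUrl = /url\s*\(/i.test(value);
      if (loadsUrl || !VISITED_SAFE.has(prop)) {
        findings.push({ selector, prop, reason: loadsUrl ? 'url-load' : 'non-colour-property' });
      }
    }
  }
  return findings;
}

// Constructed sample: one rule modelled on the report, plus benign rules.
const SAMPLE_CSS = `
a#link1:visited { background-image: url(/log?link1_was_visited); }
a:visited { color: purple; }
a.nav:visited { color: gray; font-weight: bold; }
a#link1 { background-image: url(/img/bg.png); }
`;
console.log(auditVisited(SAMPLE_CSS));
```

The same check can be run over third-party or user-supplied stylesheets before they are served, since a `url()` inside a `:visited` rule has no legitimate styling purpose that a colour change cannot cover.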
Information forwarded
to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>: Bug#579191; Package epiphany-browser.
(Mon, 26 Apr 2010 07:21:03 GMT)
Acknowledgement sent
to 579191@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Mon, 26 Apr 2010 07:21:04 GMT)
To: markhobley@yahoo.co.uk, 579191@bugs.debian.org
Subject: Re: Bug#579191: CSS visited elements allow for disclosure of users
browser history
Date: Mon, 26 Apr 2010 09:17:26 +0200
On Monday 26 April 2010 at 07:13 +0100, markhobley@yahoo.co.uk wrote:
> There is a "Disclosure of user information" security flaw in the epiphany
> browser due to the implementation of support for CSS :visited pseudoclass
> elements. It is possible to specify a background-url attribute which will make
> a request to the server if a particular link has been visited. Using this CSS
> mechanism, it is possible for a hosting server to determine visited links
> without using Javascript.
Could you talk about this with upstream? This is not something we should
fix only at the Debian level.
Cheers,
--
 .''`.      Josselin Mouette
: :' :
`. `'   “A handshake with whitnesses is the same
  `-     as a signed contact.”  -- Jörg Schilling
Reply sent
to Jeremy Bícha <jbicha@debian.org>:
You have taken responsibility.
(Sun, 09 Nov 2025 23:45:08 GMT)
Notification sent
to markhobley@yahoo.co.uk:
Bug acknowledged by developer.
(Sun, 09 Nov 2025 23:45:08 GMT)
There have been many changes to Debian since this bug was originally
reported. If you are still experiencing this issue with Debian 13 (or
with Debian 12 or Testing or Unstable), please report a new bug.
Thank you,
Jeremy Bícha
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 08 Dec 2025 07:51:19 GMT)