Bugtraq mailing list archives
Possible privacy problem in Explorer.
From: "Guille (Bisho)" <guille () REDESTB ES>
Date: Fri, 8 Sep 2000 03:57:41 +0200
On the Microsoft website http://search.msn.com.mx they use a method to store the searches done in their search engine, but without cookies and without login & password. You could deactivate the cookies, delete them, log off your ISP, close the Explorer, reboot, and the data will be there again.

The link to the script is:

    <A CLASS='CLSSAVE' HREF="" onClick="StoreResult( 1, 'DE' );return false;" ID='DES1'>

The function is inside:

    <SCRIPT SRC="searchui_IE5.js" LANGUAGE="JScript">

This is an ugly script without newlines. I have processed it a bit to make it more readable:

    $ cat searchui_IE5.js | awk '{ gsub(";", ";\n") } { gsub("}"," }\n") } { gsub("{"," {\n") } { gsub("function","\n\nfunction") } { print $0 }'

The results are in: http://www.eurielec.etsit.upm.es/~bisho/searchui_IE5.js.txt

It uses the so-called "User Data Persistence" technology, from Microsoft. Extracted from the Microsoft knowledge database:

---------------------------------------------
Persistence

One big pain in the neck for users on the Web is going to a Web page, modifying it the way they want it, leaving, then returning to the site to find it's not the same: the trees are collapsed, forms filled-out have disappeared, and the page must be reset. Internet Explorer 5.0 takes some of this pain away by providing Web-page persistence via a scripting tag. Internet Explorer 5.0 provides four types of persistence:

[...]

User Data Persistence: Allows an XML-based storage methodology for saving large amounts of user data. If you have a large amount of data that you want to save from some point in time (for example, all of your favorite sport's teams' scores for the last 10 years), you can use persistence rather than cookies.

[...]
---------------------------------------------

The problem: Most people deactivate cookies, or set them to the warn level, but "User Data Persistence" has no warn level, and is hidden far away from the cookie security options.

This could be used to track users without their knowledge, when they expect to be safe without cookies.

--
  \|||||||/    Guillermo Pérez Pérez
  < o o >      - bisho () onirica com
   \ L /       - bisho () eurielec etsit upm es
-oOOo-------oOOo-
Onírica: Analysis, design and deployment of IT solutions
http://www.onirica.com
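An added example, not part of the original post and not Microsoft's script: a small Node.js audit helper that flags cookie-less storage through the IE5 userData behavior in page or script source, reporting character offsets because the script discussed above has no newlines. The function name `findUserDataUse` and both sample inputs are constructed for illustration; `#default#userData`, `addBehavior`, `save` and `load` are the identifiers of the IE5 behavior itself and do not appear in the post.

```javascript
// Patterns for the IE5 userData behavior. Offsets, not line numbers, are
// reported so the result is still useful on single-line (minified) scripts.
const PATTERNS = [
  // CSS or inline style: behavior:url(#default#userData)
  { kind: "behavior-css", re: /behavior\s*:\s*url\(\s*['"]?#default#userData['"]?\s*\)/gi },
  // Attached from script: el.addBehavior("#default#userData")
  { kind: "behavior-script", re: /addBehavior\(\s*['"]#default#userData['"]\s*\)/gi },
  // Named store written or read: el.save("name") / el.load("name")
  { kind: "store-save", re: /\.save\(\s*['"]([^'"]+)['"]\s*\)/g },
  { kind: "store-load", re: /\.load\(\s*['"]([^'"]+)['"]\s*\)/g },
];

function findUserDataUse(source) {
  const hits = [];
  for (const { kind, re } of PATTERNS) {
    re.lastIndex = 0; // the regexes are global and reused between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      hits.push({ offset: m.index, kind, store: m[1] || null });
    }
  }
  // save()/load() are common method names, so report them only when the
  // behavior is attached somewhere in the same source.
  const attached = hits.some((h) => h.kind.startsWith("behavior-"));
  return attached ? hits.sort((a, b) => a.offset - b.offset) : [];
}

// Constructed sample: a page that keeps a search term in a userData store.
const SAMPLE_PAGE =
  '<style>.store{behavior:url(#default#userData)}</style>' +
  '<span id="st" class="store"></span>' +
  '<script>function keep(q){st.setAttribute("q",q);st.save("History");}' +
  'function recall(){st.load("History");return st.getAttribute("q");}</script>';

// Constructed sample: save() and a cookie, but no userData behavior.
const SAMPLE_CLEAN = '<script>doc.save("draft");document.cookie="a=1";</script>';

for (const hit of findUserDataUse(SAMPLE_PAGE)) {
  console.log(`${hit.offset}\t${hit.kind}\t${hit.store ?? "-"}`);
}
```
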