9 May, 2010

Using Javascript to read a users browser history

Posted by Bhavin Turakhia | (9) Comments

While doing some research I came across this article by Mike Nolet on figuring out the gender of a user based on the websites the user has visited. The article has a javascript that does this – so yea I am adding “Allows you to check your testosterone levels” as a feature of Javascript.

But on a more serious note – I was impressed (and puzzled) mostly by the fact that his javascript managed to figure out which websites exist in my browser history. Now that makes me curious. So a few clicks and a google search later I figure that your browser history is NOT private. There is a nifty javascript hack that can allow any website to figure out which other websites you have visited in the past, from a potential list of websites.

I just had to blog about this. The hack uses the property of the browser which results in changing the color of an already visited link. Basically through javascript one can find out the color of any item in the DOM. So in order to find out whether you have visited a particular website, all I need to do is insert that website in the DOM as a link (albiet in an invisible manner) and check its color property. If its color matches that of a “visited link” then you have visited that website. Seemingly dell already uses this on their website to determine if a user has visited any of its competitors. Think of the potential uses -

• You can check if a user coming to your website has already visited any of your competitors, and if so target specific offers to them
• If you rank at the 5th position in Google for a keyword you can check if the user has visited any of the previous 4 links
• Lets say you have an offer coupon that you only want an anonymous user to see once. You may use cookies, but a user could delete their cookies if they are on to you. You can now check whether the user has been to that URL before through this hack if the user has not deleted their history

Espionage courtesy Javascript!!

More details available here

• http://www.merchantos.com/makebeta/tools/spyjax/
• http://www.stevenyork.com/tutorial/getting_browser_history_using_javascript
• http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/