Author Topic: Start Panicking! ... and polishing those tin foil hats. (Read 21130 times)

nosh · « **on:** April 25, 2009, 05:36 AM »

Start Panic! is a site that shows you your browsing history. It won't be a great revelation for the real tech-heads on board but was quite an eye-opener for me. The site seems to do what it does using JavaScript - I'm off to take a serious look at NoScript.

40hz · « **Reply #1 on:** April 25, 2009, 07:01 AM »

I'm off to take a serious look at NoScript.
-nosh (April 25, 2009, 05:36 AM)

Good. "Make it so."

(Seriously. Don't surf without it.

)

nosh · « **Reply #2 on:** April 25, 2009, 04:40 PM »

I installed it - then got annoyed with the extra housekeeping involved - and uninstalled it.

tomos · « **Reply #3 on:** April 25, 2009, 04:45 PM »

well
I just had a look - it showed 113 sites I had visited - I may be wrong but I think it didnt pick up on sites I had visited via Opera(?) (Disclaimer - I swear I wasnt trying to hide those sites

but if that is the case, then Opera could be a good bet for more privacy...*)

I installed it - then got annoyed with the extra housekeeping involved - and uninstalled it.
-nosh (April 25, 2009, 04:40 PM)

noscript? gotta admit I disabled it a short while after installing it ...

* EDIT/ *
no, doesn't seem to pick up on Opera surfing - mind you it's showing a lot of stuff I looked at an age ago and some pages I look at regularly, but I dont see anything there I've looked at this evening for example (FF is my default browser btw)

MilesAhead · « **Reply #4 on:** April 25, 2009, 04:59 PM »

I installed it - then got annoyed with the extra housekeeping involved - and uninstalled it. (see attachment in previous post)
-nosh (April 25, 2009, 04:40 PM)

I use NoScript, but for me it's not enabling facets of a site on the first visit, but the Updates every other day. Between it and FlashGot, if you have any script launching the default browser, if that's Firefox, you can't count on it launching unimpeded. Can't they release updates on every Tuesday like when Wimpy pays his tab?

I hope Sandboxie get it going with the W7 32 bit support. It's easier just to run Sandboxed then "Enable Scripts Globally Dangerous"

MilesAhead · « **Reply #5 on:** April 25, 2009, 05:09 PM »

well
I just had a look - it showed 113 sites I had visited - I may be wrong but I think it didnt pick up on sites I had visited via Opera(?) (Disclaimer - I swear I wasnt trying to hide those sites but if that is the case, then Opera could be a good bet for more privacy...*)
-tomos (April 25, 2009, 04:45 PM)

If you use a secure form-filler-outer-thingy then disregard, but with Opera, if you like to use the Wand, which I do, you have to watch out as the [Personal Info] section in opera6.ini is in clear text. As in your name address phone number, if you entered that in. If I intend to use the Wand, I run a little AutoIt script I wrote that decrypts it, runs Opera and waits, then encrypts it again. Not bulletproof by any means, but better than leaving the stuff in the clear in a known location.

kartal · « **Reply #6 on:** April 25, 2009, 05:10 PM »

I think if you are a real tech head you would never even let this site to tell you where you have been, they are using a trick to get you browsing history?

fenixproductions · « **Reply #7 on:** April 25, 2009, 05:22 PM »

Being sarcastic, I wonder how many wakoopa users signed their petition

housetier · « **Reply #8 on:** April 25, 2009, 06:45 PM »

I use noscript all the time. I also have whitelisted a few sites (gmail, DC, c-base); most of the time I do not need to enable JS for a site. But if I need to enable it, I only do so temporarily.

In my case, startpanic.com did not reveal much (only itself) in my history. This could be because I use noscript or because I do not keep a history anymore: found out I didn't really need as I either know the urls or have them bookmarked.

MilesAhead · « **Reply #9 on:** April 25, 2009, 07:53 PM »

Hmmmmmmmmmm I have a "double back" bookmarklet so that I don't have to click twice to go back 2 pages. It has this script
javascript:N=history.length;if(N==2){history.go(-1)}else{history.go(-2)}

goes back 2 pages if it can, if not then 1.. but I'm wondering if JS returns the result and maybe it intercepts it so that your browser doesn't actually change pages but gets the url? Maybe it's more sophisticated than that though. $:-\$

Jimdoria · « **Reply #10 on:** April 25, 2009, 11:02 PM »

I'm not sure I get this. So they show you stuff from your history and your bookmarks? So what? That doesn't mean THEY, or anyone else, is able to see your history.

JavaScript runs in the browser, and has access to the same info the browser does. The program runs in YOUR browser, gets information from YOUR browser and shows it TO YOU. How exactly is this a security breach?

Seems like this is just a trick based on people's ignorance of how this stuff is supposed to work. I didn't trace through the code, but I don't see anything really amiss here.

Start panic indeed. That's all they're trying to do. Or maybe that and collect some e-mail addresses.

kartal · « **Reply #11 on:** April 25, 2009, 11:07 PM »

I do not think there is any shame in not knowing how this stuff works. Calling it ignorance makes it like people delibaretely choose to be stupid or ignore facts. People are people and they may not know how it works, you can always educate people about how all this stuff works.

Seems like this is just a trick based on people's ignorance of how this stuff is supposed to work
-Jimdoria (April 25, 2009, 11:02 PM)

MilesAhead · « **Reply #12 on:** April 26, 2009, 12:14 AM »

Reminds me of those graphic buttons people used in their sigs back in the days when a lot of people used Netscape for everything, web, mail, news.
You press the button and it tells you your email address, ip address etc..

nosh · « **Reply #13 on:** April 26, 2009, 01:19 AM »

Reminds me of those graphic buttons people used in their sigs back in the days when a lot of people used Netscape for everything, web, mail, news.
You press the button and it tells you your email address, ip address etc..
-MilesAhead (April 26, 2009, 12:14 AM)

Yes, but doesn't the server have access to that info in those cases? If a script can be run to dynamically generate info and display it for the user, can't it also relay it back to the server?

PS: The site also offers to check a friend's

history and tell you about it. I sent it to myself & ran the script and sure enough it sent me a link to the (already generated) results.

PPS: I could be way off the mark but I _think_ it's done using this hack.

rgdot · « **Reply #14 on:** April 26, 2009, 01:38 AM »

I admit I only galnced at the site, if they are not saying how they achieved their supposed goal then I'll pass. Tend to agree with kartal

I think if you are a real tech head you would never even let this site to tell you where you have been, they are using a trick to get you browsing history?

and Jimdoria is likely right

JavaScript runs in the browser, and has access to the same info the browser does. The program runs in YOUR browser, gets information from YOUR browser and shows it TO YOU. How exactly is this a security breach?

Ultimately though one can trick browser to read and/or intercept info but that's hardly anything new and up to browser and web app makers to patch holes

Ehtyar · « **Reply #15 on:** April 26, 2009, 03:31 AM »

I also use NoScript, but permitted this website to see what all the fuss was about. It did indeed correctly identify roughly 20 websites I had recently visited. It did so over about 2 minutes of full CPU usage and constant web requests.

I have to say I'm a little disappointed with regard to how easily many people dismissed this. Even if this was achieved through JavaScript, did no one notice the constant content requests? Those were actually AJAX requests. startpanic.com saw every URL their javascript found. Here is one such request:

Ehtyar.

f0dder · « **Reply #16 on:** April 26, 2009, 06:48 AM »

Word, Ehtyar.

kartal · « **Reply #17 on:** April 26, 2009, 11:46 AM »

I block everything(cookies, scripts, flash cookies etc) a server might request or wants to serve. If I am desperate to see a website I open it in kmeleon, and I use kmeleon just for those purposes.

MilesAhead · « **Reply #18 on:** April 26, 2009, 11:48 AM »

Reminds me of those graphic buttons people used in their sigs back in the days when a lot of people used Netscape for everything, web, mail, news.
You press the button and it tells you your email address, ip address etc..
-MilesAhead (April 26, 2009, 12:14 AM)

Yes, but doesn't the server have access to that info in those cases? If a script can be run to dynamically generate info and display it for the user, can't it also relay it back to the server?

PS: The site also offers to check a friend's history and tell you about it. I sent it to myself & ran the script and sure enough it sent me a link to the (already generated) results.

PPS: I could be way off the mark but I _think_ it's done using this hack.

-nosh (April 26, 2009, 01:19 AM)

It can get the IP address because you download the graphic(the reason email programs block images) and there are even detectors for Firefox that look for "invisible pixels" (I forget the name it gives to them) that use the same trick but you don't see them. How they get the email address was likely the fact that everything was in Netscape, which had plugin calls and no security back then.

Another thing they like to do in these sig graphics is do a DNS lookup on your IP to get the server name, which due to the brilliance of many ISPs, often has geographic info in the name. (Your IP is given some dynamic name with the ISP server handling your traffic like xyzbostonsvr125.isp.com or something) Makes it feel like they are zeroing in on you.

(I'm no networking guru so someone else may be able to tell how it's done exactly. When I first played around with JavaScript I did everything with client side, figuring it's more secure if you don't run anything on the server. Later I see people saying, no client side is insecure because it can be modified before it's run.. so run everything on the server because you can keep people from changing the code... sometimes I wonder if it's the flavor of the month... client side is probably back in fashion for all I know)

Jimdoria · « **Reply #19 on:** April 26, 2009, 12:15 PM »

@kartal
Ignorance is not a pejorative term. It is synonymous with uneducated, and of course there's no shame in not knowing something, especially something that's obscure. I am totally ignorant about how to write programs in LISP. This doesn't mean I'm stupid (unable or unwilling to learn) nor that I'll always be ignorant of this subject (although I think I probably will.)

@nosh
The "view a friend's history" thing is some social engineering/sleight of hand. They don't offer to let you peek into other people's browsers. They offer to let you send YOUR OWN browser history to a friend. When you do this, you are giving your browser permission to send the information it has collected to startpanic.com, which seems to me further evidence that they are not collecting this info behind the scenes.

BUT - once you send your browser history off somewhere - THROUGH THEM - they then have access to the information you provided them. They can then store it and show it to your friends, should they request it. If they can trick your friends into sending them this info as well, then they can store it and show it to you.

But there's still nothing technically sneaky going on here. Your browser collected some information, then offered to let you send that information on to a third party. If you do this, the third party (startpanic.com) is collecting information with your permission, since you had to actively do something to send it to them.

Once they have your browser history, you might claim that they shouldn't store it and show it to other people, but they did kind of tell you that's what they were going to do, although not in so many words.

@rgdot
Yes, there are hacks that may trick the browser into leaking information. But such a thing isn't needed to do what this site is doing. In fact they seem to be using a very mainstream JavaScript library. If this is a hack, I'd say it's purely a social engineering one.

nosh · « **Reply #20 on:** April 26, 2009, 12:39 PM »

AFAIK, the server you connect to knows your IP (from the HTTP header) whether the site has any graphics or not.

The pixel hack would only come into play for email or if a third party wanted to monitor a site s/he didn't manage - eg: monitoring a forum's activity by inserting an image hosted on your own site into a post or sig.

The email address might be got using the cached auto-fill info.

Jimdoria,
From a purely technical POV, are you saying that it's not possible to get the info startpanic gathers using JS, unless a user actively triggers off the process by clicking a button? Isn't JS loaded & run automatically with a page unless you're blocking it?

Edit:
Spyjax - Your browser history is not private!
http://www.merchanto...kebeta/tools/spyjax/

MilesAhead · « **Reply #21 on:** April 26, 2009, 01:21 PM »

AFAIK, the server you connect to knows your IP (from the HTTP header) whether the site has any graphics or not. The pixel hack would only come into play for email or if a third party wanted to monitor a site s/he didn't manage - eg: monitoring a forum's activity by inserting an image hosted on your own site into a post or sig.

-nosh (April 26, 2009, 12:39 PM)

If you look at my post I specified a sig graphic. Joe normal user on a board shows you your IP when you read his post because you downloaded the graphic in the sig. I believe I said that a couple of times.

edit: the pixel thing I was referring to was stat-gathering. Don't know why they need sneaky pixels but maybe it's something that works on all sites if the page server doesn't block it. Who knows?

https://addons.mozil...S/firefox/addon/5414

nosh · « **Reply #22 on:** April 26, 2009, 01:48 PM »

My bad. I thought you were referring to the site being discussed. Sorry about the confusion.

rgdot · « **Reply #23 on:** April 26, 2009, 02:27 PM »

@Jimdoria If it requires user interaction to be launched to do what it does, yes social engineering of some sort I would say. Not sure what you mean by mainstream Javascript, many of those hacks that leak info exist in 'normal' code that make the trick possible.

MilesAhead · « **Reply #24 on:** April 26, 2009, 03:48 PM »

My bad. I thought you were referring to the site being discussed. Sorry about the confusion.
-nosh (April 26, 2009, 01:48 PM)

No biggy.

Now that you mention it though, the guy with the graphic sig probably has his own site hosting it, so his server software can tell him the IP and dynamically makes a button graphic with the IP numbers or something. Learn something every day.