Very nice concept. You should also add the following CSS to the captcha letters:<p><pre><code>-webkit-touch-callout: none;
-webkit-user-select: none;
-khtml-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
user-select: none;
</code></pre>
This will make it feel even more like a real captcha by making it impossible to select the text. (Right now you can select it to see the invisible letters.)
Quite a bit scarier than the TinSnail demo, but it must have a much lower bandwidth. The source only has three links and you will probably see all three if you have caching turned on. I guess if you're looking for one or two specific sites, it doesn't matter.
Brilliant. getComputedStyle used to give away the color of a link, so at one time this attack was trivial: you didn't need any user input, as a blue link meant :unvisited, and a purple one meant :visited.
Replacing getComputedStyle with user input ("is this letter black or transparent?") is definitely brilliant.
You might want to check out the research paper "I Still Know What You Visited Last Summer: Leaking browsing history via user interaction and side channel attacks" (<a href="http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.pdf" rel="nofollow">http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010....</a>). The paper describes several similar (if not the same) attacks.
What am I missing? I just got this pre-determined list of links: <a href="https://github.com/frantzmiccoli/visited-captcha-history/blob/master/js/linkslist.js" rel="nofollow">https://github.com/frantzmiccoli/visited-captcha-history/blo...</a><p>I was impressed when this list came up, but suspicious because I hadn't visited reddit or github yet today.
Interesting, but this method is limited to the URLs that you list in the JavaScript (in this case linkslist.js). More of a specific validation to see if the user has visited the links you provide rather than a total data scrape.<p>To fully scrape the user's history you would have to list every URL in existence.<p>Great proof of concept though.
The submitted title was "Show HN: Tricking the user to access his history using CSS and captchas". We finessed the pronoun issue in this case by just taking "his" out.