Web Application Security

Introducing the “I Know…” series

The “I Know…” series builds upon earlier work where I revealed relatively simple tricks [malicious] websites can use to coax a browser into revealing information that it probably should not. For example, I demonstrated how a website might learn what websites you’ve visited, steal a browser’s auto-complete data, determine what sites you are logged in to, surreptitiously activate a computer’s video camera and microphone, and list what Firefox Add-Ons are installed, what you’ve previously watched on YouTube, who is listed in your Gmail contact list, etc. In every case, the only thing a would-be victim must do is visit the wrong website. Firewalls, anti-virus software, anti-phishing scam black lists, and even patching your browser were not going to help.

Fortunately, if you are using one of today’s latest and greatest browsers (Chrome, Firefox, Internet Explorer, Safari, etc.), these tricks, these attack techniques, mostly don’t work anymore. The unfortunate part is that they were by no means the only way to accomplish these feats. In the following sections I’ll be discussing many, many more attack techniques — tricks that reveal a person’s name, workplace, physical location, online habits, what websites they log in to, the technology specifics about their computer and browser, and more. The fact is, unless you’ve taken a number of very particular precautions, essentially every website you visit has the ability to quickly acquire all the aforementioned information.


I’ll expose why the common assumption that people are relatively anonymous as they surf the Web, and that their online activities are private, is wrong — from a personal security and privacy standpoint, dangerously wrong. Imagine a young teen who is pregnant and hasn’t yet informed her parents. As she surfs the Web for information about her situation, websites glean this personal information about her condition and begin mailing maternity content directly to her home. Imagine a divorcee trying to hide from her hostile ex-husband whose real-world address is revealed with nothing more than a link click. Imagine if somehow your religious, political, and adult entertainment preferences were discovered by a local congregation, employer, and friends.

As you read, what you should find interesting (and concerning) is that a large percentage of the techniques I’ll be leveraging are NOT new — they’ve already been publicly documented. On their own, each technique’s impact may not be terribly severe, which probably explains why they remain unaddressed. However, when these disparate techniques are wired together, they paint a highly problematic and largely misunderstood narrative that is the actual state of Web [browser] security.

From here we’ll progress slowly, building up our exploitation pyramid one blog post section at a time.


I Know…