Who am I: A mind reader (don't forget to view source) (opens in new tab)

(tinsnail.neocities.org)

583 pointsalloyed12y ago168 comments

168 comments

142 comments · 65 top-level

keerthiko12y ago· 10 in thread

I could probably post a similar gizmo on HN with a results static page that says

Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

With literally no scripting, and everyone would find it "reasonably accurate" :D

espadrine12y ago

> Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

Me being me, I clicked on random grey squares. I got exactly that.

There is a selection bias from the choice of URLs it provides.

ralfd12y ago

Haha, tried it out and you are right.

I an a bit disappointed by the results anyway. Something like gender guess, sexual orientation, age range and political leaning would have been more impressive than the programming/movies graph.

Conlectus12y ago

That's because you probably clicked in roughly the same area. The squares are grouped on the page by interest.

Somebody else clicked all of the squares, and art was #1, with painting #3.

mdup12y ago

At first, I thought the OP had done exactly that!

lugg12y ago

Also successfully trolled. And I also thought something similar after trying to trick it a couple of times. Wasn't until I read the comments it all made sense - i was using work chrome profile none of my actual interests showed up just my professional ones.

jradd12y ago

Same thing here. I happen to be very interested in neuroscience as well, so when I read “don't forget to view source,” I assumed it would feature a bibliographic citation or something. doh…

kej12y ago

That would be sort of a specialized version of the Forer effect: http://en.wikipedia.org/wiki/Forer_effect

staccatomeasure12y ago

fwiw, my results were very wrong

wobbleblob12y ago

It uses a list of sites, the ones that are in your browser history are red squares. The results may be wrong for you if you cleared your browser history, or if you share your browser with someone else, or if you habitually visit sites you don't like.

1 more reply

kephra12y ago

The selected sites are very biased towards things you can do in front of a computers.

So this nice "Who am I?" trick only shows an intersection of my interest with those of the author. e.g. its completely missing my 3 main hobbies, as sailing, sewing and vaping had not been on his list of selected sites.

1 more reply

jostmey12y ago· 8 in thread

It was eerily accurate on me.

1. science 2. technology 3. programming

laurent12345612y ago

They could do the same game, but hard-code the results, and be right for 95% of the audience here :)

icebraining12y ago

Actually, they don't seem to diverge much. I've tried randomly clicking on grey squares on different areas and it always gave me similar results (programming, gaming, technology, engineering).

d2312y ago

I actually was going to come to the comments, assuming they had done that before remembering that I was supposed to view the source.

nikatwork12y ago

Hmm, I was: 1. technology 2. programming 3. history 4. politics 5. design 6. architecture

And it was dead-right.

1 more reply

xerophtye12y ago

Pretty inaccurate for me. It game minimum value to books and writing, and i love them both. I just dont open enough links about them (i read the books! Not their sites!)

indralukmana12y ago

same with me, my first reaction is

WHAT KIND OF SORCERY IS THIS!?

1.Technology 2.Gaming 3.Programming

xor-ed-wolf12y ago

Did you ever heard of cold reading?

1 more reply

notastartup12y ago

guess I sure do love them movies from torrents.

1. technology

2. movies

3. books

4. programming

5. science

6. politics

7. gaming

irises_come12y ago· 6 in thread

Hm. Do you really need interaction at all?

Can't you just :visited { margin/pos/whatever }, then probe the dom on that or related elems to extract the juice? Or have browser vendors thought of this?

gburt12y ago

This is a very old attack that has numerous security measures to prevent you from doing that now.

irises_come12y ago

I presumed as much. But if you can covertly jimmy the UI and parse the user's interaction, you can more or less get at the history like that anyway.

I don't see any secure way to handle this besides disallowing :visited styling entirely.

2 more replies

bilalq12y ago

Interesting. Could this maybe be bypassed by looking at computed CSS values of an element?

2 more replies

tim33312y ago

There's a new-ish hack recently out - "using requestAnimationFrame to time browser operations" http://arstechnica.com/security/2014/06/theyre-ba-ack-browse...

siddboots12y ago

I remember there being a long string of attacks related to hooks of this kind, but as far as I know it is no longer a problem at all.

It's a good example of just how difficult browser security is.

borkabrak12y ago

The page itself can't tell what color the squares(links) are rendered as to the user. That's what the clicking is for. Mwaahaha...

balls18712y ago· 6 in thread

I thought the a:visited exploit was addressed.

neoveller12y ago

I spent an unfortunate chunk of time trying to auto-click all the red square via jquery in chrome console. After a lot of reading and experimenting, I can verify that the exploit is thoroughly addressed (so far), and I cannot achieve my goal because of it :(.

The most promising workaround would be to find a JS screenshot tool that doesn't rely on the DOM, and then run some client-side image analysis to get the index values of the red squares, and then go from there to click the things. Well played, exploit fixers, well played.

Geee12y ago

You could access the webcam and zoom/enhance the reflection in the eyes to get the screenshot.

1 more reply

ma2rten12y ago

I don't think there actually is a way to take screenshots, w/o relying on the dom.

thegeomaster12y ago

It was. The site can't know by itself what links are visited. It asks you to click on the visited (red) links, thereby giving it data.

cynwoody12y ago

That's why you have to click. Before the a:visited exploit was patched, a simple loop with GetComputedStyle would have sufficed. If you do that in a modern browser, all the squares come back color gray. The content script only gets to see the style attributes as they would be in the unvisited state.

leorocky12y ago

The browser wont let the page get at the data, that is what was fixed, but you can still show visited differently to the user, and if you make only the visited visible and get the user to interact that information is revealed.

danbruc12y ago· 5 in thread

Obvious question - how was the list of URLs compiled? Some are really specific like YouTube channels. On the other hand there are only 15 categories and there are probably a lot of people that would not get a single match or only something very generic like Wikipedia.

Conlectus12y ago

Creator here. The links were gathered by searching feedlys feed suggestions for different topics.

yzzxy12y ago

The coolest way would be cold, hard natural selection from Alexa top sites, possibly with weighting placed to relevant sites at the introduction of the dataset. Perhaps I will fork.

iopq12y ago

Your interests are: Google, Facebook, Youtube, Yahoo

1 more reply

tomblomfield12y ago

fivethirtyeight.com appears about a dozen times for me?

Conlectus12y ago

Links appear multiple times if they are relevant to multiple interests. Clicks are only counted once.

lrichardson12y ago· 4 in thread

Question:

I know that the `:visited` exploit is handled by the browsers so that you can't figure out by javascript what is going on...

but what if you used just CSS to figure it out? For instance, what if you generated the CSS which had a unique image it requested via the `background-image` property, stored the data on the server, then just requested the data from the server after the fact?

Do the browsers prohibit the usage of url-based css properties on CSS selectors with `:visited` or something? Does anyone have a link/reference to how the exploits were patched up?

RussianCow12y ago

Yes, they prohibit anything that might be used for this purpose.[0] So the CSS allowed for :visited selectors is limited to a small subset.

[0]: https://hacks.mozilla.org/2010/03/privacy-related-changes-co...

lrichardson12y ago

Great. Thanks for the link.

megablast12y ago

Could your draw the screen, then save that as a screenshot, and analyse the image?

andybak12y ago

Just what I was thinking. Can't you render the DOM to a canvas and then access the pixels in that?

1 more reply

mbrubeck12y ago· 3 in thread

Here's the same exploit disguised as a game, to make it less obvious that it's tricking the user into interacting with it: http://lcamtuf.coredump.cx/yahh/

Documentation of the game proof-of-concept: http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashio...

Fuxy12y ago

Cool. That is a neat trick/exploit never heard of it before.

Thx. for the links.

dzhiurgis12y ago

My first idea was clickjacking and social networks, but that probably is impossible.

maaarghk12y ago

That's really good, and a very informative forum post!

Conlectus12y ago· 3 in thread

Original creator here. I'm super surprised to see this posted here.

I can answer any questions people have.

analog3112y ago

For those of us who don't know Javascript, I'll just ask in broad terms: What is it, how's it work, what's it do?

amjd12y ago

It's a neat little hack to predict your interests among various categories.

The hundreds of grey boxes that you see are actually links to sites belonging to different categories like programming, science etc. and the red ones are those that you have visited (based on your browser history). The basic idea here is of using the CSS selector a:visited to highlight visited links in red, and by clicking the red boxes the users themselves reveal the sites they have visited. The website then uses this information to draw a pretty pie chart showing which categories the user is interested in.

2 more replies

lurkinggrue12y ago

I'm not incognito mode but it didn't work for me.

Kinda weird.

krat0sprakhar12y ago· 3 in thread

If nothing else, I did get a good list of Programming and Engineering websites :D - http://pastebin.com/zrQ7EBnP

schme12y ago

This is OT, trivial and a bit silly: How did you intend the json file? I tried with sublime but couldn't find anything to solve it. Didn't start an IDE for this.

bombtrack12y ago

There's several JSON formatter packages that can be installed via Package Control: cmd + shift + P, select "install package", then search for "json". I'm not sure which one I have installed, but doing cmd + shift + P in a proper context and typing "json" should give you an option for "Indent JSON" or similar.

Otherwise, there's always sites like http://pro.jsonlint.com/

ianamartin12y ago

I know, right? 10,000-ish ways to waste time at work.

mataug12y ago· 3 in thread

This is quite clever. By the way now I've got a nice list of blogs/websites that I should probably read for various topics.

amjd12y ago

That's what I was thinking too. Here's a prettified list of the sites used: https://gist.github.com/amjd/acc5e108bfb2f29f050c

lugg12y ago

Thanks so much. Been looking for an up to date blog roll like this for a while.

rdrey12y ago

I was also thinking of using it as a bookmarks site. :)

corford12y ago· 3 in thread

No red squares here. Am I doing it wrong?

mjfl12y ago

I don't have any either. I think it's because I've turned off internet history on Firefox.

mbrutsch12y ago

Yep. I took me a few minutes to figure out why it wasn't working for me...

vezzy-fnord12y ago

You likely have layout.css.visited_links_enabled (or the equivalent boolean on your browser) set to false.

joev_12y ago· 2 in thread

Heh. I clicked a few before I realized what was going on (looking at the status bar shows the link, which somewhat gives it away). You could prevent this by adding mouseover/out and onclick logic that removed the :href on hover and just colored itself red.

asadlionpk12y ago

but i guess then it won't be red on hover.

martin-adams12y ago

But in that case, you can add CSS to make it red on hover.

lewisflude12y ago· 2 in thread

This was really accurate to me. It seems they're using a:visited on several domains to create the "red square" effect.

cynwoody12y ago

Yes.

And the only reason you have to click the red squares is to let it know which ones are red. If you try to look up the color of a square using GetComputedStyle, it always comes back gray. That was the resolution of privacy Bug 147777† (":visited support allows queries into global history").

†https://bugzilla.mozilla.org/show_bug.cgi?id=147777

pbhjpbhj12y ago

What about if you make a screen capture from the page and use coordinates to read back the colours and correlate with the URLs? Seems a possibility based on http://stackoverflow.com/questions/9250505/how-to-upload-a-s....

1 more reply

krrishd12y ago· 2 in thread

If you open the console and run this script, it'll click every single square, giving a list of the most common types of sites in the array being used:

     for(i=0;i<$$('a').length;i++) {
       $$('a')[i].click()
     }

PurplePanda12y ago

I had to change it to start at i=1 to avoid clicking on the link to github and leaving the page

krrishd12y ago

Ah, that makes sense, I wrote and ran the script before he open sourced it.

Xeroday12y ago· 2 in thread

Was on incognito and wondering why I didn't see any red squares...

mataug12y ago

That is, I am guessing, because there aren't any re-marketing cookies,history and other markers when you open the page in incognito

ZoF12y ago

No, it was because incognito tabs don't have access to browser history.

This web-app's functionality is based entirely on browser history and has nothing to do with 're-marketing cookies' or other 'markers'.

Not to mention that the parent commenter clearly understood this fact.

neya12y ago· 2 in thread

This is mind-blowing, mine was pretty accurate! I know I can view the source code, but is this/similar code available from GitHub or somewhere for us to use in our own weekend projects? (:

Conlectus12y ago

I hope to clean up the code and post it to GitHub tomorrow.

neya12y ago

Thank you very much, that is very nice of you! ^^

Conlectus12y ago· 2 in thread

For anyone interested in the source, I started hosting it on GitHub at https://github.com/Conlectus/WhoAmI.

deeteecee12y ago

do you plan to put the graph into the source anytime soon? i was curious at looking through the code.

Conlectus12y ago

I just added the graph to the source.

infused12y ago· 2 in thread

I get the same three red boxes in Chrome every time, and none in Firefox or Safari. I get three categories at the end, with no links or anything. What am I doing wrong?

hngiszmo12y ago

It shows you squares for a bunch of websites. Those you visited before in that browser are red. By clicking them, you tell the site that they are red, thus that you visited them. Each site belongs to a category and thus it comes to its conclusion.

ZoF12y ago

What do you mean? These red boxes are links to sites you've visited in the past, they aren't showing up in Firefox or Safari because you don't have any of those sites in your browser history.

This works by showing you a grid, each box represents a website, to which the creator has ascribed a category(tech/gaming/etc...)

If you've visited one of those sites the box will appear red, and by clicking on the box you let the site know that it is something you've visited in the past and therefore likely one of your interests.

zongitsrinzler12y ago· 2 in thread

This can be done without any user interaction (and most likely has done to you without you knowing it). Check this link for 101: https://stackoverflow.com/questions/1584850/is-it-possible-t...

fzaninotto12y ago

Here is a white paper of another exploit without user interaction, which is still working on most browsers. It's called "Pixel-perfect timing attack".

https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-T...

The related bug on the Chrome tracker was closed with a "won't fix".

pests12y ago

Note that is from 5 years ago. Modern browsers have put up defenses. Others have linked to sources throughout the thread/

3rd312y ago· 1 in thread

Couldn't one simply make a display:none on normal links and display:block on :visited, then stack them all on top each other with position:absolute and catch mouse events from each element via JS?

heycam12y ago

Browsers have a very limited set of properties that they allow in :visited rules, and display isn't one of them.

1 more reply

joosters12y ago· 1 in thread

In Firefox, you can go to about:config and set layout.css_visited_links_enabled to 'false'. This page, and others that hack the visited links styles, will no longer work.

joshvm12y ago

Note that in Firefox only a few visual hacks will work nowadays. This means that sites can still change the local style of visited links to fit in with their colour schemes. BUT, you can't trawl someone's history by exploiting :visited any more.

And also note that this will remove all :visited styling, included the usual blue->purple. Just a heads up for people changing this variable because they think their privacy is being invaded.

https://hacks.mozilla.org/2010/03/privacy-related-changes-co...

zatkin12y ago· 1 in thread

What's more interesting is that someone spun off Geocities and called it Neocities.

yayitswei12y ago

Here's the original discussion on HN: https://news.ycombinator.com/item?id=5957850

Gonzih12y ago· 1 in thread

I remember few years ago this concept was demonstrated as an way to get user website history from the browser. This is big privacy hole. And sadly nothing changed. Which is sad.

pgl12y ago

In a way it is, but only really through tricks like this one. Browsers can no longer access the properties of :visited, but they can affect how visited links are displayed.

tjoff12y ago· 1 in thread

Should explain itself better. All I get is a bunch of grey boxes (no red ones) and if I click done I get "Your interests are:"

Conlectus12y ago

Thanks for the suggestion! I made it so that it explains itself if you don't click any red boxes.

rburhum12y ago· 1 in thread

Nothing was red for me

borkabrak12y ago

You cleared your browser history recently?

mundanevoice12y ago· 1 in thread

Wao, reading my browser history while I am playing a stupid game. Elegant. :)

Stratoscope12y ago

Not quite. See discussion above. You gave it your history by clicking the red dots and not clicking the others.

shurcooL12y ago

Reminds me of that hunter2 password thing. http://www.bash.org/?244321

Basically, the website doesn't know which of the squares are red, that depends on your browser state. By clicking the red squares, you're feeding it data.

The interesting observation I made out of this is that navigating there in an incognito window prevents any links from being considered as visited. That's good to know.

biot12y ago

Here's a related Mozilla bug report from 2002 regarding the link visited issue: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

tomasien12y ago

This just solved a huge problem I've been struggling with. This is beautiful - I don't actually want to know the information I've been trying to access, but it will make the experience better for the user. I now realize I don't HAVE to know - the browser knows, and that's all that matters. I just have to teach the browser what to do.

collinjackson12y ago

Here's a paper about this technique: http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010....

SahAssar12y ago

I remember reading about the old CSS history hack (an automated variation of the same theme), which worked until FF4 and IE9.

It's quite interesting to see how such a seemingly simple feature (a:visited) can completely override user privacy if not accounted for.

MrJagil12y ago

Interesting.

At first I thought it would deduct information about me by analysing which squares I'd choose in what order and through other metrics like pacing.

cornholio12y ago

"Could not determine interests. (Pssst, If you did not get any red squares, try visiting without being in Private or Incognito mode)"

Indeed I am unhackable.

abritishguy12y ago

I had a very similar idea a while back, except I was measuring onAnimationFrame times with a carefully crafted CSS stylesheet to determine which links were being painted as :visited automatically and completely hidden from the user.

Accuracy varied a lot between computers but in ideal circumstances (only browser running) it would have ~90% accuracy on each of 25 links I was testing against - the test took about 8 secs to run though.

Interestingly it never worked particularly well in chrome - chrome seemed to stop painting :visited elements after a certain amount which prevented it from working.

KoalaOnesie12y ago

I swear to god I only clicked one link to Salon and I didn't even mean it. STOP JUDGING ME

gamerDude12y ago

Hahaha. I was giving it the benefit of the doubt before viewing source, and so I was wondering what happens when I push gray instead of red. :P That is probably why I got some weird interests in my results.

stargazer-312y ago

On my second try, determined to find out how it works, I drew a random smiley shape in grey box area. Painting was added to the list! Was so disappointed to find out it was a coincidence.

oneeyedpigeon12y ago

From the number of squares, I thought it might end up doing something even more 'clever' i.e. generate a square for each of the most recent n URLs from feeds of m news sites, then analyse, for example, words in headlines of those articles to determine what I'm interested in. Lots of potential for data analysis once you have someone's browser history.

Conlectus12y ago

Once again, creator here.

I just pushed an update that added more topics and graphs. I have had reported problems after the update. Can anyone confirm?

Fa773NM0nK12y ago

I was in Fx Private Browsing. I spent about fifteen minutes trying to figure out why I had no red square!

ben0x53912y ago

Doesn't work for me because I disabled :visited last time this sort of thing got discussed. :V

Gracana12y ago

This is really clever. One interesting use for this would be to target ads at people who visit certain sites, or to customize your site's landing page to direct visitors toward areas they might be interested in.

milankragujevic12y ago

I made an automated version, check it out here: http://projects.milankragujevic.com/jspy/

homakov12y ago

There are much more effective tricks to use in production. You can leak user's FB token for some huge client, and you get his email/name/bio.

cvburgess12y ago

This was exactly backwards for me... maybe I read it upside down? I jest, but the concept is cool, just needs to be refined I'm sure.

homakov12y ago

Oh also it's easy to check if you're logged in on Service1 using CSP. No user interaction, same results

arkj12y ago

Maybe this link just saved my life!!! The clue for the clueless is in their forgotten yesterday.

asadlionpk12y ago

Improvement: You can make the gray boxes light enough (same as bg) so only Red are visible.

addisaden12y ago

the trick with a:visited is really awesome :D

see on github: https://github.com/Conlectus/WhoAmI/blob/master/css/main.css

GUNHED_15812y ago

Some people are just too genius or protective of their privacy to enjoy this! :)

oakaz12y ago

Results are good except that I have no gaming sites in my history actually

enscr12y ago

It's a shame I had only 4 red blocks. I should diversify :)

Fun experiment !

udayadds12y ago

Can we use this for filtering hacker news articles?

dalek2point312y ago

can someone post a screenshot of what happens once you click all the red boxes? I have too many of them and dont want to do it ...

maerF0x012y ago

Haha, should have been pr0n sites :P

melipone12y ago

How are the categories obtained?

lurkinggrue12y ago

It didn't work for me.

oeN12y ago

funny, perfect result!! and the concept is so simple, well done!

periferral12y ago

I am <blank>???

Daggett12y ago

This is pure genius.

aps-sids12y ago

I had opened link in Private (incognito) window. #fail

closetnerd12y ago

Hmm, clever.

iopq12y ago

piratebay is not movies

zenjzen12y ago

nice.

aligajani12y ago

I just read the source code, uses caches.

j / k navigate · click thread line to collapse

168 comments

142 comments · 65 top-level

keerthiko12y ago· 10 in thread

I could probably post a similar gizmo on HN with a results static page that says

Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

With literally no scripting, and everyone would find it "reasonably accurate" :D

espadrine12y ago

> Your interests are: (some subset of) Programming Science Technology Games <random other thing: Sports, TV, childcare, etc>

Me being me, I clicked on random grey squares. I got exactly that.

There is a selection bias from the choice of URLs it provides.

ralfd12y ago

Haha, tried it out and you are right.

I an a bit disappointed by the results anyway. Something like gender guess, sexual orientation, age range and political leaning would have been more impressive than the programming/movies graph.

Conlectus12y ago

That's because you probably clicked in roughly the same area. The squares are grouped on the page by interest.

Somebody else clicked all of the squares, and art was #1, with painting #3.

mdup12y ago

At first, I thought the OP had done exactly that!

lugg12y ago

jradd12y ago

Same thing here. I happen to be very interested in neuroscience as well, so when I read “don't forget to view source,” I assumed it would feature a bibliographic citation or something. doh…

kej12y ago

That would be sort of a specialized version of the Forer effect: http://en.wikipedia.org/wiki/Forer_effect

staccatomeasure12y ago

fwiw, my results were very wrong

wobbleblob12y ago

1 more reply

kephra12y ago

The selected sites are very biased towards things you can do in front of a computers.

1 more reply

jostmey12y ago· 8 in thread

It was eerily accurate on me.

1. science 2. technology 3. programming

laurent12345612y ago

They could do the same game, but hard-code the results, and be right for 95% of the audience here :)

icebraining12y ago

Actually, they don't seem to diverge much. I've tried randomly clicking on grey squares on different areas and it always gave me similar results (programming, gaming, technology, engineering).

d2312y ago

I actually was going to come to the comments, assuming they had done that before remembering that I was supposed to view the source.

nikatwork12y ago

Hmm, I was: 1. technology 2. programming 3. history 4. politics 5. design 6. architecture

And it was dead-right.

1 more reply

xerophtye12y ago

Pretty inaccurate for me. It game minimum value to books and writing, and i love them both. I just dont open enough links about them (i read the books! Not their sites!)

indralukmana12y ago

same with me, my first reaction is

WHAT KIND OF SORCERY IS THIS!?

1.Technology 2.Gaming 3.Programming

xor-ed-wolf12y ago

Did you ever heard of cold reading?

1 more reply

notastartup12y ago

guess I sure do love them movies from torrents.

1. technology

2. movies

3. books

4. programming

5. science

6. politics

7. gaming

irises_come12y ago· 6 in thread

Hm. Do you really need interaction at all?

Can't you just :visited { margin/pos/whatever }, then probe the dom on that or related elems to extract the juice? Or have browser vendors thought of this?

gburt12y ago

This is a very old attack that has numerous security measures to prevent you from doing that now.

irises_come12y ago

I presumed as much. But if you can covertly jimmy the UI and parse the user's interaction, you can more or less get at the history like that anyway.

I don't see any secure way to handle this besides disallowing :visited styling entirely.

2 more replies

bilalq12y ago

Interesting. Could this maybe be bypassed by looking at computed CSS values of an element?

2 more replies

tim33312y ago

There's a new-ish hack recently out - "using requestAnimationFrame to time browser operations" http://arstechnica.com/security/2014/06/theyre-ba-ack-browse...

siddboots12y ago

I remember there being a long string of attacks related to hooks of this kind, but as far as I know it is no longer a problem at all.

It's a good example of just how difficult browser security is.

borkabrak12y ago

The page itself can't tell what color the squares(links) are rendered as to the user. That's what the clicking is for. Mwaahaha...

balls18712y ago· 6 in thread

I thought the a:visited exploit was addressed.

neoveller12y ago

Geee12y ago

You could access the webcam and zoom/enhance the reflection in the eyes to get the screenshot.

1 more reply

ma2rten12y ago

I don't think there actually is a way to take screenshots, w/o relying on the dom.

thegeomaster12y ago

It was. The site can't know by itself what links are visited. It asks you to click on the visited (red) links, thereby giving it data.

cynwoody12y ago

leorocky12y ago

danbruc12y ago· 5 in thread

Conlectus12y ago

Creator here. The links were gathered by searching feedlys feed suggestions for different topics.

yzzxy12y ago

The coolest way would be cold, hard natural selection from Alexa top sites, possibly with weighting placed to relevant sites at the introduction of the dataset. Perhaps I will fork.

iopq12y ago

Your interests are: Google, Facebook, Youtube, Yahoo

1 more reply

tomblomfield12y ago

fivethirtyeight.com appears about a dozen times for me?

Conlectus12y ago

Links appear multiple times if they are relevant to multiple interests. Clicks are only counted once.

lrichardson12y ago· 4 in thread

Question:

I know that the `:visited` exploit is handled by the browsers so that you can't figure out by javascript what is going on...

Do the browsers prohibit the usage of url-based css properties on CSS selectors with `:visited` or something? Does anyone have a link/reference to how the exploits were patched up?

RussianCow12y ago

Yes, they prohibit anything that might be used for this purpose.[0] So the CSS allowed for :visited selectors is limited to a small subset.

[0]: https://hacks.mozilla.org/2010/03/privacy-related-changes-co...

lrichardson12y ago

Great. Thanks for the link.

megablast12y ago

Could your draw the screen, then save that as a screenshot, and analyse the image?

andybak12y ago

Just what I was thinking. Can't you render the DOM to a canvas and then access the pixels in that?

1 more reply

mbrubeck12y ago· 3 in thread

Here's the same exploit disguised as a game, to make it less obvious that it's tricking the user into interacting with it: http://lcamtuf.coredump.cx/yahh/

Documentation of the game proof-of-concept: http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashio...

Fuxy12y ago

Cool. That is a neat trick/exploit never heard of it before.

Thx. for the links.

dzhiurgis12y ago

My first idea was clickjacking and social networks, but that probably is impossible.

maaarghk12y ago

That's really good, and a very informative forum post!

Conlectus12y ago· 3 in thread

Original creator here. I'm super surprised to see this posted here.

I can answer any questions people have.

analog3112y ago

For those of us who don't know Javascript, I'll just ask in broad terms: What is it, how's it work, what's it do?

amjd12y ago

It's a neat little hack to predict your interests among various categories.

2 more replies

lurkinggrue12y ago

I'm not incognito mode but it didn't work for me.

Kinda weird.

krat0sprakhar12y ago· 3 in thread

If nothing else, I did get a good list of Programming and Engineering websites :D - http://pastebin.com/zrQ7EBnP

schme12y ago

This is OT, trivial and a bit silly: How did you intend the json file? I tried with sublime but couldn't find anything to solve it. Didn't start an IDE for this.

bombtrack12y ago

Otherwise, there's always sites like http://pro.jsonlint.com/

ianamartin12y ago

I know, right? 10,000-ish ways to waste time at work.

mataug12y ago· 3 in thread

This is quite clever. By the way now I've got a nice list of blogs/websites that I should probably read for various topics.

amjd12y ago

That's what I was thinking too. Here's a prettified list of the sites used: https://gist.github.com/amjd/acc5e108bfb2f29f050c

lugg12y ago

Thanks so much. Been looking for an up to date blog roll like this for a while.

rdrey12y ago

I was also thinking of using it as a bookmarks site. :)

corford12y ago· 3 in thread

No red squares here. Am I doing it wrong?

mjfl12y ago

I don't have any either. I think it's because I've turned off internet history on Firefox.

mbrutsch12y ago

Yep. I took me a few minutes to figure out why it wasn't working for me...

vezzy-fnord12y ago

You likely have layout.css.visited_links_enabled (or the equivalent boolean on your browser) set to false.

joev_12y ago· 2 in thread

asadlionpk12y ago

but i guess then it won't be red on hover.

martin-adams12y ago

But in that case, you can add CSS to make it red on hover.

lewisflude12y ago· 2 in thread

This was really accurate to me. It seems they're using a:visited on several domains to create the "red square" effect.

cynwoody12y ago

Yes.

†https://bugzilla.mozilla.org/show_bug.cgi?id=147777

pbhjpbhj12y ago

1 more reply

krrishd12y ago· 2 in thread

If you open the console and run this script, it'll click every single square, giving a list of the most common types of sites in the array being used:

     for(i=0;i<$$('a').length;i++) {
       $$('a')[i].click()
     }

PurplePanda12y ago

I had to change it to start at i=1 to avoid clicking on the link to github and leaving the page

krrishd12y ago

Ah, that makes sense, I wrote and ran the script before he open sourced it.

Xeroday12y ago· 2 in thread

Was on incognito and wondering why I didn't see any red squares...

mataug12y ago

That is, I am guessing, because there aren't any re-marketing cookies,history and other markers when you open the page in incognito

ZoF12y ago

No, it was because incognito tabs don't have access to browser history.

This web-app's functionality is based entirely on browser history and has nothing to do with 're-marketing cookies' or other 'markers'.

Not to mention that the parent commenter clearly understood this fact.

neya12y ago· 2 in thread

This is mind-blowing, mine was pretty accurate! I know I can view the source code, but is this/similar code available from GitHub or somewhere for us to use in our own weekend projects? (:

Conlectus12y ago

I hope to clean up the code and post it to GitHub tomorrow.

neya12y ago

Thank you very much, that is very nice of you! ^^

Conlectus12y ago· 2 in thread

For anyone interested in the source, I started hosting it on GitHub at https://github.com/Conlectus/WhoAmI.

deeteecee12y ago

do you plan to put the graph into the source anytime soon? i was curious at looking through the code.

Conlectus12y ago

I just added the graph to the source.

infused12y ago· 2 in thread

I get the same three red boxes in Chrome every time, and none in Firefox or Safari. I get three categories at the end, with no links or anything. What am I doing wrong?

hngiszmo12y ago

ZoF12y ago

What do you mean? These red boxes are links to sites you've visited in the past, they aren't showing up in Firefox or Safari because you don't have any of those sites in your browser history.

This works by showing you a grid, each box represents a website, to which the creator has ascribed a category(tech/gaming/etc...)

zongitsrinzler12y ago· 2 in thread

This can be done without any user interaction (and most likely has done to you without you knowing it). Check this link for 101: https://stackoverflow.com/questions/1584850/is-it-possible-t...

fzaninotto12y ago

Here is a white paper of another exploit without user interaction, which is still working on most browsers. It's called "Pixel-perfect timing attack".

https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-T...

The related bug on the Chrome tracker was closed with a "won't fix".

pests12y ago

Note that is from 5 years ago. Modern browsers have put up defenses. Others have linked to sources throughout the thread/

3rd312y ago· 1 in thread

Couldn't one simply make a display:none on normal links and display:block on :visited, then stack them all on top each other with position:absolute and catch mouse events from each element via JS?

heycam12y ago

Browsers have a very limited set of properties that they allow in :visited rules, and display isn't one of them.

1 more reply

joosters12y ago· 1 in thread

In Firefox, you can go to about:config and set layout.css_visited_links_enabled to 'false'. This page, and others that hack the visited links styles, will no longer work.

joshvm12y ago

And also note that this will remove all :visited styling, included the usual blue->purple. Just a heads up for people changing this variable because they think their privacy is being invaded.

https://hacks.mozilla.org/2010/03/privacy-related-changes-co...

zatkin12y ago· 1 in thread

What's more interesting is that someone spun off Geocities and called it Neocities.

yayitswei12y ago

Here's the original discussion on HN: https://news.ycombinator.com/item?id=5957850

Gonzih12y ago· 1 in thread

I remember few years ago this concept was demonstrated as an way to get user website history from the browser. This is big privacy hole. And sadly nothing changed. Which is sad.

pgl12y ago

In a way it is, but only really through tricks like this one. Browsers can no longer access the properties of :visited, but they can affect how visited links are displayed.

tjoff12y ago· 1 in thread

Should explain itself better. All I get is a bunch of grey boxes (no red ones) and if I click done I get "Your interests are:"

Conlectus12y ago

Thanks for the suggestion! I made it so that it explains itself if you don't click any red boxes.

rburhum12y ago· 1 in thread

Nothing was red for me

borkabrak12y ago

You cleared your browser history recently?

mundanevoice12y ago· 1 in thread

Wao, reading my browser history while I am playing a stupid game. Elegant. :)

Stratoscope12y ago

Not quite. See discussion above. You gave it your history by clicking the red dots and not clicking the others.

shurcooL12y ago

Reminds me of that hunter2 password thing. http://www.bash.org/?244321

Basically, the website doesn't know which of the squares are red, that depends on your browser state. By clicking the red squares, you're feeding it data.

The interesting observation I made out of this is that navigating there in an incognito window prevents any links from being considered as visited. That's good to know.

biot12y ago

Here's a related Mozilla bug report from 2002 regarding the link visited issue: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

tomasien12y ago

collinjackson12y ago

Here's a paper about this technique: http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010....

SahAssar12y ago

I remember reading about the old CSS history hack (an automated variation of the same theme), which worked until FF4 and IE9.

It's quite interesting to see how such a seemingly simple feature (a:visited) can completely override user privacy if not accounted for.

MrJagil12y ago

Interesting.

At first I thought it would deduct information about me by analysing which squares I'd choose in what order and through other metrics like pacing.

cornholio12y ago

"Could not determine interests. (Pssst, If you did not get any red squares, try visiting without being in Private or Incognito mode)"

Indeed I am unhackable.

abritishguy12y ago

Interestingly it never worked particularly well in chrome - chrome seemed to stop painting :visited elements after a certain amount which prevented it from working.

KoalaOnesie12y ago

I swear to god I only clicked one link to Salon and I didn't even mean it. STOP JUDGING ME

gamerDude12y ago

stargazer-312y ago

On my second try, determined to find out how it works, I drew a random smiley shape in grey box area. Painting was added to the list! Was so disappointed to find out it was a coincidence.

oneeyedpigeon12y ago

Conlectus12y ago

Once again, creator here.

I just pushed an update that added more topics and graphs. I have had reported problems after the update. Can anyone confirm?

Fa773NM0nK12y ago

I was in Fx Private Browsing. I spent about fifteen minutes trying to figure out why I had no red square!

ben0x53912y ago

Doesn't work for me because I disabled :visited last time this sort of thing got discussed. :V

Gracana12y ago

milankragujevic12y ago

I made an automated version, check it out here: http://projects.milankragujevic.com/jspy/

homakov12y ago

There are much more effective tricks to use in production. You can leak user's FB token for some huge client, and you get his email/name/bio.

cvburgess12y ago

This was exactly backwards for me... maybe I read it upside down? I jest, but the concept is cool, just needs to be refined I'm sure.

homakov12y ago

Oh also it's easy to check if you're logged in on Service1 using CSP. No user interaction, same results

arkj12y ago

Maybe this link just saved my life!!! The clue for the clueless is in their forgotten yesterday.

asadlionpk12y ago

Improvement: You can make the gray boxes light enough (same as bg) so only Red are visible.

addisaden12y ago

the trick with a:visited is really awesome :D

see on github: https://github.com/Conlectus/WhoAmI/blob/master/css/main.css

GUNHED_15812y ago

Some people are just too genius or protective of their privacy to enjoy this! :)

oakaz12y ago

Results are good except that I have no gaming sites in my history actually

enscr12y ago

It's a shame I had only 4 red blocks. I should diversify :)

Fun experiment !

udayadds12y ago

Can we use this for filtering hacker news articles?

dalek2point312y ago

can someone post a screenshot of what happens once you click all the red boxes? I have too many of them and dont want to do it ...

maerF0x012y ago

Haha, should have been pr0n sites :P

melipone12y ago

How are the categories obtained?

lurkinggrue12y ago

It didn't work for me.

oeN12y ago

funny, perfect result!! and the concept is so simple, well done!

periferral12y ago

I am <blank>???

Daggett12y ago

This is pure genius.

aps-sids12y ago

I had opened link in Private (incognito) window. #fail

closetnerd12y ago

Hmm, clever.

iopq12y ago

piratebay is not movies

zenjzen12y ago

nice.

aligajani12y ago

I just read the source code, uses caches.

j / k navigate · click thread line to collapse