[Webkit-unassigned] [Bug 22130] New: Visited link hashing allows spoofing of link visited status
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Nov 7 15:17:38 PST 2008
https://bugs.webkit.org/show_bug.cgi?id=22130
Summary: Visited link hashing allows spoofing of link visited
status
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brettw at chromium.org
CC: eric at webkit.org
The new visited link code uses 32-bit hashes computed by StringImpl::hash,
which is the only identifier used for a URL.
This is worse than a normal hash collision since the user can be tricked into
thinking they've been to a page before. For example, if the user does a web
search, they are likely to believe whether links are colored as visited or not.
The user is also more likely to visit a site on a topic they've previously
visited, and to trust sites that they've already been to more than new ones.
An attacker can create pages that hash to some popular page to trick the user
in this way. For example, a simple brute-force search found this URL hashes to
the same number as the google home page:
http://example.com/evil?axahtgic
So will always be colored as visited as long as the user has visited Google.
The hash should be salted so that an attacker can not predict whether two URLs
will hash to the same value for a user.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list