[Webkit-unassigned] [Bug 22130] New: Visited link hashing allows spoofing of link visited status

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 7 15:17:38 PST 2008


https://bugs.webkit.org/show_bug.cgi?id=22130

           Summary: Visited link hashing allows spoofing of link visited
                    status
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: brettw at chromium.org
                CC: eric at webkit.org


The new visited link code uses 32-bit hashes computed by StringImpl::hash,
which is the only identifier used for a URL.

This is worse than a normal hash collision since the user can be tricked into
thinking they've been to a page before. For example, if the user does a web
search, they are likely to believe whether links are colored as visited or not.
The user is also more likely to visit a site on a topic they've previously
visited, and to trust sites that they've already been to more than new ones.

An attacker can create pages that hash to some popular page to trick the user
in this way. For example, a simple brute-force search found this URL hashes to
the same number as the google home page:
  http://example.com/evil?axahtgic
So it will always be colored as visited as long as the user has visited Google.

The hash should be salted so that an attacker cannot predict whether two URLs
will hash to the same value for a user.
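The salted lookup the report asks for, as an added example that is not WebKit's own code: a constructed, deliberately weak unkeyed 32-bit hash (not StringImpl::hash) stands in for the unsalted scheme, beside a per-profile keyed variant (HMAC-SHA256 truncated to 32 bits). The URLs and the salt are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an unkeyed 32-bit string hash (NOT WebKit's
# StringImpl::hash): sum of the URL bytes mod 2**32. Any URL whose bytes are a
# permutation of a popular page's URL collides with it, so a site can pick a
# link that the browser will color as visited whenever the popular page is.
def unsalted_hash32(url: str) -> int:
    return sum(url.encode()) & 0xFFFFFFFF

# Salted version: the browser draws a random secret once per profile and keys
# the hash with it. Web content never learns the secret, so it cannot predict
# which URLs share a fingerprint; a crafted URL matches with probability 2**-32.
def salted_hash32(url: str, salt: bytes) -> int:
    mac = hmac.new(salt, url.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

class VisitedLinks:
    """Visited-link table that stores only salted 32-bit fingerprints."""

    def __init__(self, salt: Optional[bytes] = None) -> None:
        # A real browser would persist this secret with the profile.
        self.salt = salt if salt is not None else os.urandom(16)
        self._table: set = set()

    def add(self, url: str) -> None:
        self._table.add(salted_hash32(url, self.salt))

    def is_visited(self, url: str) -> bool:
        return salted_hash32(url, self.salt) in self._table

# Constructed URLs: the path "ohme" is a permutation of "home", so the two
# collide under the unsalted byte-sum hash but not under the keyed one.
POPULAR_URL = "http://example.com/home"
CRAFTED_URL = "http://example.com/ohme"

def unsalted_collides() -> bool:
    return unsalted_hash32(POPULAR_URL) == unsalted_hash32(CRAFTED_URL)

def salted_lookup(salt: bytes) -> tuple:
    """Returns (popular marked visited, crafted marked visited)."""
    links = VisitedLinks(salt)
    links.add(POPULAR_URL)
    return links.is_visited(POPULAR_URL), links.is_visited(CRAFTED_URL)

if __name__ == "__main__":
    print("unsalted collision:", unsalted_collides())
    print("salted (popular, crafted):", salted_lookup(os.urandom(16)))
```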

