JavaScript in Netscape 2.0 shouldn't let me do this,
But it does

John LoVerso

Update 3/14

This is fixed in 2.01. Note that this will only track you when you look at the log file.
See Netscape's 2.01 security note on Java and JavaScript.

Update 3/18

But there is a new way that works in 2.01!

After you've visited a page, any JavaScript code loaded from it ought to get scrubbed out of your browser's memory. You wouldn't want that code to live on, snooping, spying, or stealing, would you?

This is a simple example where I engage some JavaScript that runs in a (mostly) hidden window. This window persists, and hence, the JavaScript I wrote persists. From then on, it wakes up every second and sees what page you are viewing. If you've changed pages, it reports where you now are back to me via a CGI, which saves information like this:

Wed Feb 21 23:34:07 EST 1996
QUERY_STRING = result=3=
HTTP_USER_AGENT = Mozilla/2.0 (X11; I; SunOS 5.4 sun4m)  via proxy gateway  CERN-HTTPD/3.0 libwww/2.17
(The above example was from a test a friend did for me).

Once you click on the tracker link below, the tracker will start in another window, with a third window for reporting results. Note that these are large enough for you to see. If needed, they could be further masked and obscured, e.g., with "width=1,height=1" or other methods (some are described in John Tennyson's original report of security flaws in 2.0b3 JavaScript; see also my follow-up on how those bugs still exist in 2.0).

The tracker waits 5 seconds before starting. After that, it will continuously report on your browsing until you close those windows.

The first thing you'll notice after clicking on the link is that you'll be tossed back to this page. This is a normal trick of mine (it contains the JavaScript code history.back()); the point is to encourage you to continue browsing somewhere. You can either go to another page, or use your own Back button to back up to your home page.

Please note that this is a totally separate problem from one I recently reported in comp.lang.javascript and Netscape's dev-javascript newsgroups. The description of that problem is either in your news spool or you can get it from here. This describes a serious bug where JavaScript loaded for one page stayed resident in a browser pane after the source page had been exited. Since it is hard to invoke, it isn't easy to take advantage of this bug. But, discovering that bug led me to the approach I've taken for the tracker, which takes advantage of the fact that Netscape allows JavaScript in one window to snoop on another window.
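The flaw the tracker relies on is that script in one window can read another window's location. The check that closes that hole in modern browsers is the same-origin policy: a script may only read the full location (path and query string included) of a window whose scheme, host and port match its own. The following is an added example, not code from this page or from Netscape: a small model of that check in Node.js, replayed against a constructed browsing session so you can see which of the tracker's polls would succeed and which would be refused. The URLs, the `sameOrigin`/`readLocation`/`simulatePolling` names and the session itself are all my own illustrative choices.

```javascript
// Added example: a simplified model of the same-origin policy that modern
// browsers apply when script in one window reads another window's location.
// Not code from the original page; names and URLs are illustrative.

// Origin = scheme + host + port. Node's WHATWG URL implementation computes it,
// dropping default ports, so http://a.example:80/ and http://a.example/ agree.
function originOf(url) {
  return new URL(url).origin;
}

// True when script loaded from scriptUrl may read the location of a window
// currently showing targetUrl.
function sameOrigin(scriptUrl, targetUrl) {
  return originOf(scriptUrl) === originOf(targetUrl);
}

// Minimal stand-in for a browser window: all the model tracks is its URL.
function makeWindow(url) {
  return { href: url };
}

// Model of one read attempt. Like a browser, it either hands back the URL or
// refuses; a refusal reveals nothing, not even the path or query string.
function readLocation(scriptUrl, targetWindow) {
  if (!sameOrigin(scriptUrl, targetWindow.href)) {
    // Real browsers throw a SecurityError at this point.
    return { allowed: false, href: null };
  }
  return { allowed: true, href: targetWindow.href };
}

// Replay the tracker's polling loop against a browsing session, one tick per
// navigation instead of one per second. Returns what the poller learned.
function simulatePolling(scriptUrl, visitedUrls) {
  const victim = makeWindow(visitedUrls[0]);
  const observed = [];
  for (const url of visitedUrls) {
    victim.href = url;                            // the user moves to a new page
    const result = readLocation(scriptUrl, victim); // the hidden window wakes and looks
    observed.push(result.allowed ? result.href : 'DENIED');
  }
  return observed;
}

// Constructed session: the script came from tracker.example, and the user then
// browses to pages on other hosts, one of them carrying a query string.
const SESSION = [
  'http://tracker.example/track.html',
  'http://tracker.example/other.html?session=abc',
  'https://bank.example/account?acct=1234',
  'http://news.example/today',
];

console.log(simulatePolling('http://tracker.example/track.html', SESSION));
// Prints: the two tracker.example URLs, then 'DENIED' for the other two hosts.
```

The model only covers the read that the tracker depends on; a page can also cut the relationship between windows entirely with `rel="noopener"` on its links or a `Cross-Origin-Opener-Policy` response header, so that a window opened from it has no handle to poll in the first place.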

BTW, as recently as the day I formulated this attack, an engineer at Netscape had this to say:

Subject: Re: Finding out a user's history?
Date: Wed, 21 Feb 1996 12:28:59 -0800

The copyhistory option was disabled in 2.0b6 to prevent your session history, with potentially secret keys or other URL query strings, from being stolen by malicious hidden scripts.

(ref Brendan Eich from netscape.devs-javascript).

Perhaps when Netscape releases 2.01 or 2.1, it should include a button to disable JavaScript, over and above the existing button disabling Java. If you think so too, why not write them and let them know? Otherwise, you don't know when you've loaded JavaScript code with some random page fetch, and you don't know what it's going to do when it starts running.

You can read the article I posted to the RISKS Forum on this problem. That is also available.

See my collection of other JavaScript problems.

Invoke the tracker.

View the last 60 lines of the log file

Remember: We're watching...

John Robert LoVerso
