HScan Redux
Inspired by Michal Zalewski recent Firefox bug hunt, I decided to give it a go and see what I can come up with. We all know how vulnerable Firefox and other browsers are. This is the reason why I am not particularly interested in finding specific browser bugs. However, when you are in hackmode things like this don’t really matter.
This vulnerability is not a reworked version of Jeremiah Grossman history hack. It is completely different and it should be treated as a new issue. The peculiar thing about this vulnerability is that it tells you which URLs you have attended during the current browser session (the last time you opened your browser). I am not sure how useful this is.
Keep in mind that attackers can abuse this vulnerability in order to extract valuable information about your browsing habits. They can also use this hack to precisely detect whether you are logged into your router management interface. They can use this hack to detect your router type and version as well. Based on this information, they might be able to compromise the integrity of your network.
The POC is located here. If all checks show up as NOT visited, then visit one of the listed URLs and retest again.
GNUCITIZEN is one of the most influential organizations of its kind, reaching thousands of users every day and having a strong relationship with numerous printed and web-based media outlets. Part of our mission is to let others succeed the same way GNUCITIZEN did. Therefore, if you have a research or an interesting information you would like to share, 
comments
This is a very interesting approach of history stealing! I didn’t know about the about:cache-entry directive. I guess i will spend some time the next days to check what other about: directives are available and maybe exploitable…
Great find!
.mario about:cache is actually a protocol to access Firefox cache internal cache information. There are a few other about: directives. about:mozilla is fun.
Firefox 2.0.0.2 is also vulnerable
What about XHRing the URL about:cache?device=disk and parsing out all URLs from the response body via regex? Then you’d have a complete history theft - guess i have to test that tomorrow.
BTW, it’s .mario with an o…
sorry man, fixed it. I am almost certain that you cannot read about:cache with XMLHttpRequest.
Thanx ;) I did a little quick test and from what i acn say it is hard to impossible. I will give it a deeper look tomorrow.
I used it on a jquery featured site trying this:
Works on FF 1.5.0.9/WinXP. Good catch :)
It works on Mac OS 10.4.8 Firefox 2.0.0.1 too.
Does not work for Firefox 2.0.0.1 under Linux
Indeed. Does not work under gentoo linux, 2.0.0.1.
Doesn’t work for me, OS X, FF 2.0.0.1 but it’s probably SafeCache or SafeHistory blocking it.
http://safecache.com/
http://safehistory.com/
Don’t work in my Mozilla 1.7.7 :P (and in old version of Firefox).
Old version browsers rulez! :-) Want to save your history - use old school browsers.
No surprise, any version of the Mozilla browsers with NoScript installed is immune.
http://noscript.net