Bug 22130

Summary: Visited link hashing allows spoofing of link visited status
Product: WebKit Reporter: Brett Wilson (Google) <brettw>
Component: PlatformAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: darin, eric
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   

Description Brett Wilson (Google) 2008-11-07 15:17:38 PST
The new visited link code uses 32-bit hashes computed by StringImpl::hash, which is the only identifier used for a URL.

This is worse than a normal hash collision since the user can be tricked into thinking they've been to a page before. For example, if the user does a web search, they are likely to believe whether links are colored as visited or not. The user is also more likely to visit a site on a topic they've previously visited, and to trust sites that they've already been to more than new ones.

An attacker can create pages that hash to some popular page to trick the user in this way. For example, a simple brute-force search found this URL hashes to the same number as the google home page:
  http://example.com/evil?axahtgic
So will always be colored as visited as long as the user has visited Google.

The hash should be salted so that an attacker can not predict whether two URLs will hash to the same value for a user.
Comment 1 Eric Seidel (no email) 2008-11-07 15:23:01 PST
Nifty.