22130 – Visited link hashing allows spoofing of link visited status

Bug 22130 - Visited link hashing allows spoofing of link visited status

Summary: Visited link hashing allows spoofing of link visited status

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Platform (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-11-07 15:17 PST by Brett Wilson (Google)
Modified:	2008-11-07 17:45 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brett Wilson (Google) 2008-11-07 15:17:38 PST

The new visited link code uses 32-bit hashes computed by StringImpl::hash, which is the only identifier used for a URL.

This is worse than a normal hash collision since the user can be tricked into thinking they've been to a page before. For example, if the user does a web search, they are likely to believe whether links are colored as visited or not. The user is also more likely to visit a site on a topic they've previously visited, and to trust sites that they've already been to more than new ones.

An attacker can create pages that hash to some popular page to trick the user in this way. For example, a simple brute-force search found this URL hashes to the same number as the google home page:
  http://example.com/evil?axahtgic
So will always be colored as visited as long as the user has visited Google.

The hash should be salted so that an attacker can not predict whether two URLs will hash to the same value for a user.

Comment 1 Eric Seidel (no email) 2008-11-07 15:23:01 PST

Nifty.