Bug 22130 - Visited link hashing allows spoofing of link visited status
Summary: Visited link hashing allows spoofing of link visited status
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2008-11-07 15:17 PST by Brett Wilson (Google)
Modified: 2008-11-07 17:45 PST (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Brett Wilson (Google) 2008-11-07 15:17:38 PST
The new visited link code uses 32-bit hashes computed by StringImpl::hash, which is the only identifier used for a URL.

This is worse than a normal hash collision since the user can be tricked into thinking they've been to a page before. For example, if the user does a web search, they are likely to believe whether links are colored as visited or not. The user is also more likely to visit a site on a topic they've previously visited, and to trust sites that they've already been to more than new ones.

An attacker can create pages that hash to some popular page to trick the user in this way. For example, a simple brute-force search found this URL hashes to the same number as the google home page:
So will always be colored as visited as long as the user has visited Google.

The hash should be salted so that an attacker can not predict whether two URLs will hash to the same value for a user.
Comment 1 Eric Seidel (no email) 2008-11-07 15:23:01 PST