All geek questions in one place

What unexpected things can I learn about a user from my browser?

I give a class to schoolchildren a demonstration of unexpected things that a web page can tell about them from their mobile phone, even if they are not signed or something else. So far, I have selected a couple of things that many would know about, for example:

operating system

A specific handset (if you're not on an iPhone, then just an iPhone)

Language setting

And a few more obscure things:

Carrier (remote remote service and returning JSONP, since js is a naive IP)

Battery level / state of charge (I didn’t even know that you can do this until today)

Can you come up with something else cool / creepy in the same way that I can dig from UA / Navigator / etc? Most of them work under the control of Chrome under Android or iOS (which is lucky, not every browser supports the battery). The main event is mobile security and phishing, so I would like to stick with mobile phones.

Quick editing: for clarity, I create a site on which they will work, and will actually be a demonstration of these functions, so, unfortunately, they should be implemented, at least in Chrome, compared to the planned / draft ones.

+5
source share
3 answers

Geographical location should be indicated. Competent javascript library e.g. MaxMind or Google Analytics can be used to locate users.

+1
source

From the point of view of phishing, which I consider the most important, there are several dangerous things:

Phishing

  • Without add-ons, browsers will usually not warn you if there is another email in the address you visit. Although the URL scheme forbids zero-width characters and other Unicode mucks, you can still control l (lowercase L), 1 (one), I (uppercase I). There are also many Unicode characters that look like a regular alphabet. Maybe there is a blacklist for Unicode characters such as Greek letters. Check out this site to play . You can try to create some domain name, for example stackoverflow.com, with Greek ο .

  • JavaScript can change the URL after the domain name . But I did not see a hosting which would give users folder names in years. However, it is creepy to see a URL change without a reboot:

     window.history.pushState("object or string", "Title", "/new-url");
  • Not sure if this is applicable, but in recent years, HackADay.com has discovered a hack in which you can change the <a> href after clicking the link, effectively changing the destination URL. But then again, you can also redirect the browser using javascript ...

Personal data

  • For this, the first thing I would do is check Window and Document on MDN. This is definitely going to show some interesting things that leave battery power information just a frightening attempt to be scary:

    • Window:
      • Window.ondevicemotion - does what it offers. suppose you can also Window.addEventListener("devicemotion", ...)
      • Window.ondevicelight is very creepy, but only Firefox
      • Window.ondeviororientation is a much larger supported event for device movement . Want to get closer to the path that your user walks and draw on canvas? Or make an app that screams “Put the fuking handset down. *” Until they put it on the table?
      • There are also about a million methods for obtaining various screen properties. Some of them were used to guess the OS version, since different OSs have different menu bars having different parts of the screen.

    • Document

      • document.referrer - Want to track your users?

      • You can detect the presence of ad-blocking addons by creating elements such as:

         <div id="advertisment" class="ad advertisment ads banner" style="pointer-events: none;position: absolute; opacity: 0;">NOTHING </div>

        Then select .getBoundingClientRect() and set non-zero dimensions.

    • You can determine when a document is checked by firebug . (or you could in the past when Firebug actually added elements to the DOM to highlight nodes). These elements are invisible in Firebug, but Fire Mug events.
  • If the user confirms, audio and video can be recorded .
  • I once created a script that was able to transfer all the DOM mutations on the server, which allowed me to watch another user using the website in real time. But, unfortunately, I did not bring it to the state of production. But here is what I found about the firebug problem.
  • There are other tricks to check if debugging tools are running. Usually these are different hacks, try something google.
  • Ever wondered if your CORS users are running the localhost http host server? I mean, isn't it worth a try?
  • WebWorkers allows you to create threads on the client machine. You can use this for distributed processing or just burn your battery . Since this does not directly affect the GUI stream, they will not notice until it is too late. It also sounds like a great way to generate hash cracks and crack certificates.
  • You can change the copied text by possibly adding a cross-site script to it. A good trick is to offset your script with shitload spaces so that it does not appear in a typical text editor without text wrapping.
  • Using the Workplace Notification , you can pretend to be an antivirus, a Windows update ...
0
source

How about any of these ...

  • You can profile your interest base from your search history.
  • The frequency they visit and from which places.
  • Create a profile of the time on the day they visit.
  • Time spent on the site
  • Which pages do they spend most of their time on.
  • The profile is based on a hot area on page clicks or where the mouse cursor is.
  • You can customize typical user behavior.

The result of all this is Clicking on personalized marketing data, and that your vision is aimed at you as a person (Google does this with their ad)

-1
source

Source: https://habr.com/ru/post/1234009/

More articles:


All Articles