Skip to main content
  1. Home
  2. Computing
  3. News

New browser exploit tracks even the most paranoid web users

Add as a preferred source on Google

When it comes to tracking your web browsing, webmaster have all sorts of options – many of which web users actively block. But what if a malicious website owner could turn security features against you?

A researcher proved it’s possible to do just that over the weekend.

Recommended Videos

Most web users are aware that sites use can use cookies or browser fingerprinting to track you – it’s why so many users make a habit of deleting cookies, scrambling their user agents, and taking advantage of Incognito Mode.

But in a presentation over the weekend security researcher Yan Zhu showed the world a new tracking method that gets around even the most paranoid user, by exploiting the certificates your browser uses to connect to secure sites.

Don’t believe me? Try Zhu’s site Sniffly out for yourself in Chrome or Firefox, and you’ll probably end up with an accurate list of sites you have and haven’t visited.

icymi, sniffing browser history using HSTS/CSP code + demo is up at https://t.co/iAxVPyOGzv. it's called that b/c i had a cold last week.

— yan (@bcrypt) October 26, 2015

To (dramatically) simplify what’s going on here, the exploit attempts to load various images from encrypted domains, then detects whether or not your browser can establish a secure connection with those sites. If it can connect, it’s because you have an  HSTS pin for the site – so there’s a good chance you’ve visited the site before.

It’s a simple way to get a quick list of which secure sites you have and haven’t visited. The information collected this way is less reliable, only relates to sites encrypted using HTTPS, and is less specific that other methods – the sites you’ve visited are revealed, not the individual pages. But it’s still noteworthy, because nothing like it’s been done before.

You can watch Zhu’s entire presentation, read the slides or check out Sniffly on GitHub, if you want a more complete breakdown of how the exploit works.

Justin Pot
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
What happens when AI detectors fail? Researchers say we must be trained to spot fake AI faces
Researchers say spotting AI faces may soon depend more on people than software
Zuckerberg Deepfake

Artificial intelligence has become remarkably good at creating fake human faces. So good, in fact, that the old tricks people relied on - counting fingers, spotting warped earrings, or looking for distorted backgrounds - are quickly becoming obsolete. According to a new study highlighted by the BBC, the next line of defence may not be a better AI detector at all. It might simply be a better-trained human.

Researchers from the University of Aberdeen, working alongside Australia's National University, found that people can dramatically improve their ability to distinguish AI-generated faces from real ones after a relatively short period of structured training. Instead of hunting for obvious visual glitches, participants were taught to recognise subtle patterns that modern image generators still struggle to replicate consistently.

Read more
Google’s new Magic Pointer Play Store listing reveals a Gemini shortcut built for Googlebooks
The unannounced app turns the cursor into a contextual AI tool for search, image creation, and shopping
Plant, Text, Business Card

Google has quietly published a new Play Store listing for Magic Pointer, an unannounced app built for Googlebooks. Updated on July 10, the app turns the cursor into a Gemini shortcut that can act on whatever a user selects on screen.

Magic Pointer can send an image to Lens, generate a related image, or surface a shopping action without forcing users to open a separate chatbot. Regular Android devices currently show as incompatible, so the listing offers an early preview rather than a broad release.

Read more
You can stop using AI, but this new report says you probably can’t escape it
A UK survey found that most people feel AI exposure is unavoidable, raising harder questions about consent, privacy, and whether opting out is still realistic
AI Chatbots

More people are trying to use less AI, but avoiding it altogether may already be impossible.

A survey of 2,055 UK adults found that 42% deliberately limit how much AI they use. Another 70% said avoiding AI exposure would be difficult or impossible, even when they actively wanted less of it.

Read more