Interactive History Sniffing with Dynamically-Generated QR Codes and CSS Difference Blending
K. O’Neal, Scott Yilek
2022 IEEE Security and Privacy Workshops (SPW), published 2022-05-01. DOI: 10.1109/spw54247.2022.9833863 (https://doi.org/10.1109/spw54247.2022.9833863)
In a user-assisted history sniffing attack, first introduced by Weinberg, Chen, Jayaraman, and Jackson, a web site user can be tricked into revealing portions of their browsing history by performing an interactive task, like solving a CAPTCHA puzzle, that is dynamically generated based on the sites they have recently visited. Unlike automated history sniffing attacks, which often can probe 1000s of sites in a user’s browsing history, such user-assisted attacks have typically been limited to probing a much smaller number of sites.

In this paper, we introduce a new user-assisted history sniffing attack based on malicious QR codes. These dynamically-generated QR codes allow a malicious site to probe thousands of links from a victim user’s browsing history. Generating these malicious QR codes based on the user’s history turns out to be challenging due to the required error-correcting properties. To overcome this issue, we show how to use a recent browser feature, CSS difference blending, to simulate an exclusive-OR of the dots in a QR code and correctly generate the error-correcting bits. This method of dynamically generating a valid QR code based on private user data may be of independent interest. Our results provide further evidence that the history sniffing defenses recently proposed by Smith, Disselkoen, Narayan, Brown, and Stefan should be seriously considered by browser vendors.