What unexpected things can I learn about a user from their browser?
I'm giving a class of high school students a demo of unexpected things a webpage can tell about them from their mobile, even if they're not signed in or anything. So far I have picked a couple of things most people would know about, like:

Device OS
Specific handset (unless you're on iPhone, then it's just iPhone)
Language setting

And a couple of more obscure things:

Carrier (hitting a remote service and returning JSONP since JS is IP naive)
Battery level / charge status (I didn't even know you could do this until today)

Can you think of anything else cool / creepy in a similar vein that I can dig out of UA / Navigator / etc.? Most of them are running Chrome under Android or iOS (which is lucky, not every browser supports the battery thing). The main event is about mobile safety and phishing, so I'd like to stick to mobile phones.

Quick edit: for clarity, I'm building out a site they will go to which will actually demo these features, so unfortunately they need to be implemented, at least in Chrome, vs planned / drafts.
From the phishing point of view, which I consider most important, there are several dangerous things:

l (lowercase L), 1 (one), I (upper case I). There are also many Unicode characters that look like the normal alphabet, e.g. ο. Create a domain that looks like stackoverflow.com.

JavaScript can alter the URL after the domain name. But I haven't seen hosting that would give users folder names in years. Still, it's creepy to see the URL change without a reload:

window.history.pushState("object or string", "Title", "/new-url");

An <a> href can be changed after the mouse button was pressed on the link, effectively changing the target URL. But then again, you can also redirect the browser using JavaScript...

For this, the first thing I'd do is to check Window and Document on MDN. This is definitely gonna reveal some cool stuff that leaves battery power info as just a puny attempt to be scary:

Window:
Window.addEventListener("devicemotion", ...)
Window.ondevicelight - this one is very creepy but Firefox only

Document:
document.referrer - Wanna track your users?
You can detect the presence of ad-blocking addons by creating elements like:

<div id="advertisement" class="ad advertisement ads banner" style="pointer-events: none; position: absolute; opacity: 0;">NOTHING </div>

Then fetch .getBoundingClientRect() and assert non-zero dimensions.

WebWorkers allow you to spawn threads on the client machine. You could use this for distributed processing or just to burn their battery.

What about any of these...
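As an added example (not code from the question or from either answer), here is a small JavaScript check for the first answer's phishing point: a hostname built from l/1/I confusions or Unicode lookalikes such as Greek omicron can pass for a trusted domain. It reduces each hostname to the ASCII letters a reader perceives, compares that against a list of trusted domains, and also flags hostnames that mix scripts. The trusted-domain list (`TRUSTED`), the confusable table (a hand-picked subset of Unicode's confusables data), the sample hostnames and the `checkHostname` function are all constructed for this demo and are not named anywhere in the thread. It runs under Node; when loaded in a browser it additionally audits location.hostname and every link on the page.

```javascript
// Added example: flag hostnames that merely LOOK like a trusted domain.
// Everything below (trusted list, confusable table, samples) is constructed
// for this demo; it is not code from the original answer.

// Hand-picked subset of Unicode's confusables data: lookalike -> ASCII letter.
const CONFUSABLES = new Map([
  ["1", "l"], ["I", "l"], ["|", "l"],                  // digit one, capital i, pipe
  ["0", "o"],                                          // digit zero
  ["\u03BF", "o"], ["\u043E", "o"],                    // Greek omicron, Cyrillic o
  ["\u0430", "a"], ["\u0435", "e"], ["\u0440", "p"],   // Cyrillic a, ie, er
  ["\u0441", "c"], ["\u0445", "x"], ["\u0443", "y"],   // Cyrillic es, ha, u
  ["\u0456", "i"], ["\u0455", "s"], ["\u04BB", "h"],   // Cyrillic i, dze, shha
  ["\u00E0", "a"], ["\u00E9", "e"], ["\u00F3", "o"],   // accented Latin letters
]);

// Scripts we care about; '.' and digits are Script=Common and match none of them.
const SCRIPTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
];

// Reduce a hostname to what a reader perceives. Lookalikes are substituted
// BEFORE lowercasing so that a capital I is still treated as an l.
function skeleton(hostname) {
  let out = "";
  for (const ch of hostname.normalize("NFKC")) out += CONFUSABLES.get(ch) || ch;
  return out.toLowerCase();
}

// Which of the scripts above appear in the hostname, in order of first use.
function scriptsUsed(hostname) {
  const found = new Set();
  for (const ch of hostname) {
    for (const [name, re] of SCRIPTS) if (re.test(ch)) found.add(name);
  }
  return [...found];
}

// Verdict for one hostname: { hostname, skeleton, suspicious, reasons, impersonates }.
function checkHostname(hostname, trusted) {
  const reasons = [];
  const lower = hostname.toLowerCase();
  const scripts = scriptsUsed(hostname);
  if (scripts.length > 1) reasons.push("mixed scripts: " + scripts.join("+"));
  const skel = skeleton(hostname);
  const exact = trusted.includes(lower);               // the genuine domain is never flagged
  const impersonates = exact ? null : (trusted.find(d => skeleton(d) === skel) || null);
  if (impersonates) reasons.push("looks like " + impersonates);
  return { hostname, skeleton: skel, suspicious: !exact && reasons.length > 0, reasons, impersonates };
}

// Constructed trusted list and samples for the demo.
const TRUSTED = ["stackoverflow.com", "paypal.com", "google.com"];
const SAMPLES = [
  "stackoverflow.com",        // the real thing
  "stackoverfIow.com",        // capital I for l: pure ASCII, no IDN defence applies
  "st\u0430ckoverflow.com",   // Cyrillic a
  "paypa1.com",               // digit one for l
  "g\u03BF\u03BFgle.com",     // Greek omicron twice
  "example.org",              // unrelated, clean
];

function demo() {
  return SAMPLES.map(h => checkHostname(h, TRUSTED));
}

// Under Node: print the verdicts. In a browser: audit the page's own links too.
if (typeof document === "undefined") {
  for (const r of demo()) console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", r.hostname, r.reasons.join("; "));
} else {
  const hosts = new Set([location.hostname, ...[...document.links].map(a => a.hostname)]);
  for (const h of hosts) { const r = checkHostname(h, TRUSTED); if (r.suspicious) console.warn(r); }
}
```

Two caveats for the demo. Chrome's URL bar usually shows a mixed-script hostname in Punycode (xn--...), so the Unicode variant works mainly in link text, e-mails and chat messages, whereas the digit-1 and capital-I variants are plain ASCII and get no such protection. The confusable table here is deliberately short; a real check should use the full Unicode confusables data rather than this subset.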
The result of all of this is pushing data for personalized marketing, i.e. what you're seeing is targeted to you as an individual (Google does this a lot with their ads).