The exploit--called a "timing attack"--allows an unethical Web site to play 20 questions (or more) with a person's browser and check whether the surfer has recently viewed any sites from a predetermined list.
An employer could use the technique on internal Web sites to see whether any employees have been visiting the competition's job listings. A Web portal could check whether a person has recently visited any of its sponsors.
"The attacks allow any Web site to determine whether or not each visitor has recently visited some other site" or set of sites, Edward Felten, a professor of computer science at Princeton University, and Michael Schneider, a graduate student, wrote in a paper published at a technical conference last month.
"The attacker can do this without the knowledge or consent of either the user or the other site," they wrote.
The attack takes advantage of the data caches used by browsers to speed access to recently visited Web sites.
Caching is a technique that stores copies of frequently accessed data in a nearby location, whether on a person's PC or on a server on the local area network. The ability to store recently viewed items significantly reduces the amount of data that has to move over the Internet.
How big a threat?
While the two researchers worry that the technique could be a threat to people's privacy, Richard Smith, chief technology officer of the nonprofit Privacy Foundation, said that the attack was more technically interesting than threatening.
"In theory, it might offer some problems for privacy," he said. "Time magazine could find out if you go to Newsweek and give you a better offer--seems unlikely, though.
"But it is interesting," he added. "It shows how subtle these things can be."
What worries Felten and Schneider is the technique's efficiency.
By measuring how long it takes for a person's browser to load in a page element--say, a graphic or a file--from another site, an attacker can determine if the element is in the person's cache. If so, that means the person recently visited that other site.
When a surfer visits A.com, his or her browser would download the applet and attempt to access the file from Z.com. If the file is in the cache, the browser can quickly access it. Otherwise, it has to pull down the file from the Web, and that takes longer.
The technique can quite accurately gauge whether a site has recently been accessed by any visitor.