Click the Primes

How fast can you identify prime numbers? Try your hand at it in my first game!

Click the primes!

Once you’ve clicked all the prime numbers, hit the [DONE] button.

Your browsing history

But what’s going on here?

Let’s go back to the first page. Open the developer console and change the body background-color to blue:

A blue background gives away the trick

A bunch of prime numbers show up that had the same color as the background. They’re all prime.

Reading a user’s browsing history should not be possible from JS. And it isn’t, at least not without user interaction. But browsers do want to allow web pages to change the appearance of a link depending on whether you visited it or not. This has led to a wide variety of attacks.1

Click the primes! is an example of such an attack. It is particularly effective because there is a lot of room for URL testing, especially if the victim is unlikely to have visited a majority of them.

For example, testing 100 URLS:

Testing 100 URLs at the same time

In this case, one number is obscured by another, which could give a technologically savvy user a hint of what is going on. Another glaring such hint is the status bar, which will show the link target on hover.

Testing 100 URLs, behind the scenes

To mitigate false positives, which happen when the user tries to click on a visible number but accidentally clicked on a number obscuring it, a simple undo register is kept: if a user quickly re-clicks on approximately the same location, it is assumed that whatever was caught by the first click was an error. This is a crude way to fix “unvisited” link numbers passing on top of visible ones and capturing the click.

A better way to prevent these conflicts would be to disallow the numbers from ever overlapping, in the first place. This is definitely fixable, but it’s outside the scope of this article. Which, in the end, is about capturing the user’s history.

Give it a try!

Or leave a comment below: