What attacks are made possible by public release of my web history?

Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.

And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.

So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.

By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:

https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html

That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.

Here is OWASP's official page on this vulnerability:

The parameter values for 'user', 'authz_token', and 'expire' will be exposed in the following locations when using HTTP or HTTPS:

Referer
Header
Web Logs
Shared Systems
Browser History
Browser Cache
Shoulder Surfing


Quite a bit actually:

  • Extortion based off content
  • Mapping systems that are not public
  • Sensitive parameters in certain requests
  • Personal information

Extortion

That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.

Mapping systems that are not public

How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.

Sensitive parameters in certain requests

If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.

Personal information

I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?


One of the threats I'd like to mention that has not been named yet is de-anonymization.

The URIs in your history could leak information about your user accounts on different sites - for instance if you constantly check your own profile on social media sites. If you use some web services anonymously and others under your real name (Facebook, Twitter) an adversary can very easily de-anonymize and dox you. That can be especially damning for you if you appear on a platform anonymously and want it to stay that way (dating platforms, file sharing platforms, free speech platforms).

Data on the internet also has the tendency to be there for a long time, so this threat is very persistent.