Hiding Links In Plain Sight With Bookmark Knocking

Have you ever been looking for a screwdriver, USB stick, or your keys, only to find them right where you left them in plain sight? We have. As many prolific geocachers know, hiding things out in the open is a great way to make sure that people overlook them. 

[Jacob Strieb] has been researching various ways to password protect and hide browser bookmarks in plain sight. He calls his latest technique “Bookmark Knocking” and he’s made a demonstration available on his Github account.

Why hide bookmarks to begin with? A browser’s bookmark collection can give away the habits, interests, and needs of the person who put them there. Bookmarks to gifts, domestic abuse support websites, and other private destinations might be best kept away from prying eyes.

Inspired by port knocking — opening connections to specific network ports in sequence to gain access through a firewall — bookmark knocking requires clicking bookmarks in a specific order to open a link. When the bookmarks are accessed in the proper order, the third bookmark reveals a hidden site. It’s not only a novel approach to hiding things in plain sight, it’s very cool to use! 

We especially appreciate [Jacob]’s motivation: Helping those who are vulnerable to protect themselves in any way possible. It’s a solid reminder that technology can be elevated to a higher stature when put to a noble use. Be sure to check out the demonstration so you can try it for yourself!

If camouflaging data flips your bits, you may want to look at a neat way to embed data right into bash scripts, or conceal a WiFi enabled microcontroller in a USB cable. Do you have your own favorite “hidden in plain sight” hack? Be sure to let us know through the Tip Line.




21 thoughts on “Hiding Links In Plain Sight With Bookmark Knocking

    1. You have to do more than be observant, you have to investigate the bookmark properties to see the javascript. The way you could tell something is amiss is when you go to the bookmark and the little “bookmarked” star isn’t lit. However, this can easily happen when a pages moves and you get a redirect.

    2. Maybe for you. I just showed this to three family members and asked if they “noticed anything weird with these bookmarks” They didn’t

      Maybe if you are technical you would notice, but people see random gibberish in links all the time and have been trained not to worry about it

  1. I saw this on reddit some time ago, and even if I know that “saw lots negative comments on Reddit” is expected, those negative comments were warranted. The intended use case of this is not practical at all. Saving sensitive, life threatening information like this is not going to work. Security must be easy, practical, and not something that blows in your face if you forget one step, or locks you out forever. And on abuse cases, it have to come with “plausible deniability” by default, and this solution have above average complexity and no plausible explanation beyond “I’m hiding things.”

    There are lots of ways to securely bookmark something and it does not need to be that convoluted. Create an account on Google, entirely disconnected from your identity, put everything on Google Keep. Only log into this account using a private window. It won’t left many traces, and accessing Google services isn’t suspicious at all.

    “I saw you using Gmail yesterday” is not something that demands explanation. But an abuser that sees a ginormous bookmark will surely demand to know why this specific Wikipedia bookmark is so large.

    1. But the same dev have something way more interesting: URL Pages (https://jstrieb.github.io/urlpages/). They allow you to create an entire HTML page (CSS and Javascript included) and save it on the URL. I already have a script that opens my browser on scheduled meetings, so I use URL Pages to send notes to myself in the future using my script.

      That is more useful and usable.

      1. I have an html file, local to my computer, with my bookmarks on it. I set the browser home page to that local file, and can access it by opening any new tab.

        One page has the links to login pages, along with the E-mail used for the account. I copy the E-mail, click the login link, and paste the E-mail. (Still have to enter the password, but you can allow the browser password manager to remember that for you. I don’t, but it’s available.)

        To add a link, I use a text editor, copy/paste an existing link html, and change the text. Simple.

        Inter-page security is a thing now, and it’s difficult for one web page to find out information about a different page. Having all the links in a local file leverages that security.

        I’m not convinced that having several KB of css and javascript inside a link is reliable – seems like it would be subject to easy breakage and hard to debug.

    2. Glad I’m not the only one who thought this. Just because someone claims the work is for domestic abuse victims does not automatically make the work both high quality and of positive results. E.G. creating an app to allow people to upload photos of “missing persons” so that social media can help find them. Oh it can just as easily be used by abusers to track down those who got away, well my goals were admirable so damned by the consequences of my actions.

    3. Yeah. I’ve spent years (decades now) thinking about various kinds of Internet stealth. This is a DANGEROUS approach. Far better to store your links somewhere out on the Net and memorize just one than to have weird conspicuous gigantic bookmarks, some of them made of *JavaScript*. And, yes, the whole thing is brittle and a pain in the ass.

      And don’t forget the history. And the fact that if you’re dealing with domestic abusers, they often install spyware that will create a separate unclearable history just for them. And and and.

      There is software that can help with these threats, but this is not it. I know you guys like to be positive, but please don’t amplify stuff like this.

    4. The claims that “bookmark knocking” or LinkLock will offer protection in case of intimate partner abuse feel really sketchy and are likely to get somebody hurt/killed. Many abusers are very tech (and security) savvy, and this doesn’t meet the bar as a safe tool, it leaves far too much to be easily discovered. Expect abusers to regularly check bookmarks (along with browser history, search history, etc.) .

      Also, this: > “I saw you using Gmail yesterday” is not something that demands explanation.
      This isn’t going to true in most abuse cases. If an abuser was allowing any unsupervised email use, it’s highly likely that they will audit the activity afterwards. The victims communications are going to be a big point on contention and constantly under scrutiny.

      For a good source of info on this topic, please read:
      “Stories from survivors: Privacy & security practices when coping with intimate partner abuse”
      by Tara Matthews / Sunny Consolvo (2017)

      I’ve been really impressed with Sunny Consolvo’s work, I’ve used that as justification requested changes in products (include ones I’ve worked on). If you are building a product with end users (specially consumer/tech/comms products) you should read the above paper.

      I’m grateful to Jacob for bring up the topic of intimate partner abuse, the more people talking about this the better. But he should read the above paper and maybe remove claims of protection from domestic abuse.

      1. If you actually read the post, it clearly says that this is not a one-size-fits all solution for domestic abuse protection. It’s not a magic bullet. It is supposed to be one small thing that can help

        1. Maybe it can help if the abuser is fairly computer illiterate…. (still, it leaves a trail that isn’t hard to find, so will be a bit of risk)

          and if the abuser is tech savvy, this small thing may cause a lot of harm to the user…

          (And yes, I read the post, I read the article, I followed the links and read those pages…. Did you read the paper on survivors’ stories? It will give a better understanding of the problem than the post can give.)

        2. Its a valid review of the post when reading the whole thing. That disclaimed is essentially excusing a car review by saying ‘it may drive terribly and be terribly dangerous while perating it, but its good other than that.’

      2. In general, I’ve seen projects that are well intentioned, but they are based on what someone thinks is useful, rather than first talking to those affected, and building on that.

        So a fancy shopping cart for the homeless might be useful for some, but my friend Helen existed by trying to look like she had a home. So no cart, no bags of stuff. There were things she wanted (like a big screen tv) and things she needed, but a big thing she needed was to have power. And listening to her gave her power.

        (She hinted at abuse, I was never sure if that was the reason for her homelessness, or if it happened when she was trying to find someone she could stay with. But it is a risk that some women face when they leave an abusive situation. Or rather, that fear may keep some from making that big step.)

      3. I just read the paper you linked, and it totally matches this? To quote the article:

        “Some types of privacy and security options that were particularly useful to survivors were those that enabled them to safely and privately use alternate devices (e.g., using private browsing on someone else’s device), effectively control their digital traces (e.g., delete content), and maintain ambiguity and/or plausible deniability in their use of technology”

        This does exactly that by providing plausible deniability, and beyond using it on victims’ own devices they could also use it if they need to bookmark stuff at work and don’t want anyone to see. And as far as usability goes, it’s literally enter fake links and a real one. I read the code and it uses secure AES encryption. I don’t see how you could have a problem with any of this just because the bookmarks look a little weird when used?

  2. There are a bunch of comments that say this isnt’ good enough to protect people from abuse, but it never claims to be? The original post clearly explains that it is a fun technical proof of concept and that it shouldn’t be used for anything serious.

    What am I missing that these other commenters are seeing?

    1. I think the section titled “For Abuse Victims” makes it appear the author is asking victims of intimate partner abuse to consider using this software to hide bookmarks. It’s a fairly ambiguous section (very judge-for-yourself use guidelines), so I expect some people will see it “never claims to be” and some will see it as “promoting the use case”.

      I feel there is risk to that use case, I imagine others do as well.

      Was that useful?

      1. This is hilariously stupid. You’re reading what you want to read in it. That section is obviously so that people consider better options for serious situations. The OP repeatedly says that too. Some people just need to find a problem in everything

        1. The OP attempts to make a ‘proof of concept’ without proving the concept use case at all. Its not original and the ideas he presents are dangerous as proposed. This is like having a proof of concept home heating device advising people to douse themselves in gasoline, collect the runoff in a small dish and light that on fire. Yes it may function but its a bad idea in a number of ways.

          1. The proof of concept is for a tech demo, not for a solution to abuse. That is shown as just one reason someone encyrpting things isn’t always enough.

            I disagree strongly that the proof of concept is not proven.

        2. Conversely, some people can’t understand or see the threats because they lack the appropriate experience and background, but they don’t realize they own lack the ability so will claim “others are seeing problems in everything” while they miss obvious problems.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.