Forgot your password?
typodupeerror
Privacy The Internet Your Rights Online

History Sniffing In the Wild 96

Posted by Soulskill
from the smells-fishy dept.
An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."
This discussion has been archived. No new comments can be posted.

History Sniffing In the Wild

Comments Filter:
  • The fact that they intentionally obfuscated the code means that they KNEW this would piss people off, and were hoping to just bore curious folk by presenting seemingly random characters.

    • Re:YouPorn script (Score:5, Informative)

      by The MAZZTer (911996) <megazzt@gmai[ ]om ['l.c' in gap]> on Friday December 03, 2010 @11:19AM (#34431044) Homepage

      Google obfuscates its JavaScript all the time, in order to keep page sizes low and load times fast (and perhaps to keep people from stealing their code).

      • I was going to respond to your point by noting that Google is the world's largest internet company. Then I noticed that Youporn.com is apparently the 61st highest ranked internet site. I guess you can't exactly say that these guys are small time.

      • That's nice, but this particular obfuscation makes the script bigger and slower
      • No, Google optimizes its JavaScript in order to reduce size and execution time. That just happens to make it quite hard to read. Think "compiling" JavaScript into a smaller, not-meant-for-humans form.

        This is different, it's deliberate obfuscation designed to make the script hard to read, while doing nothing for performance. It's a simple version of source or executable obfuscation. A more elaborate example would be the stuff that Apple does to their iTunes DB hashing algorithm to lock users into iTunes and

      • If you managed to just read to the end of the article; and I'm really surprised you didn't before posting; or followed the asterisk like I did; you would find that they have rot-1 encryption that in no way changes the size of the links. It's straight forward ofuscation. In fact since they have to load the obfuscation code it takes more space.
        • My bet would be that they are simply looking not to give others any help in SEO rankings. This very simple cipher would make it so that any potential search engine wouldn't see a url to pornhub.com on their site.

      • Compressing code into a near-unreadable terse format to reduce transmission bandwidth is not "obfuscation" it's "compression".

        Obfuscation has, as a trademark, the addition of operations intended to obscure the function of the code. Compressed code doesn't particularly obscure the function, though it usually obscures the purpose of the coded operations.

        Example: "++a;" is compressed and obscure to purpose as we don't know what _a_ represents nor why incrementing it by one is significant. This is compressed co

      • by Lennie (16154)

        The proper term is minimize and their are plenty of tools out there which do beatification. For example the Y-Slow extension for the Firebug extension of Firefox (yes I know to many extensions :-( )

    • More likely they were trying to protect their wonderful proprietary code from their competitors.

    • by hairyfeet (841228)

      Frankly I don't know why it would piss people off, as if you actually look at the list Youporn doesn't care if you went to..say Amazon or not. No, what they are looking for is to see if you have visited any of their "sister" sites, those they share a lot of links with. It makes sense to me if they are sharing referrals they would want to know which sites give them more hits and thus should be higher ranked VS those that give them less. And since with both Youporn and the sister sites they have everything ca

      • That places a lot of trust in the website that I don't really have. "Oh sure, take a look at what sites I go to, just make sure it's only the ones I'm cool with, k?" If someone wants to let websites in on all or some of their history, they can go hog wild, but I should be able to keep mine private. I don't want places knowing what I bought on Amazon, and I don't want Amazon knowing what I look at.

    • Re:YouPorn script (Score:4, Interesting)

      by camperslo (704715) on Friday December 03, 2010 @12:42PM (#34432356)

      What about Firefox hidden history data?

      Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
      How secure is that??

      Note that entering "about:config" in the address bar allows editing the config settings.

  • by The MAZZTer (911996) <megazzt@gmai[ ]om ['l.c' in gap]> on Friday December 03, 2010 @11:12AM (#34430964) Homepage

    ...using Chrome in incognito mode. It determined I had visited...

    ...startpanic.com

    So yeah, use incognito/private browsing mode.

  • by Anonymous Coward

    I had basically assumed (semi subconsciously) all along that websites I was visiting could have some idea of what other websites I had been to, or at least toyed with the thought.
    I am unfazed, and not surprised. *shrug*

    • by netsharc (195805)

      I was looking for a hotel in a $CITY once, so I used the best method I knew: Google it. Looked at a few hotel booking sites, booked a room, all done.

      Then I was reading a news website with my ad-blocker disabled, and on the right side of the screen was an ad, "Hotels in $CITY". "What the frakk?", I thought, "how did they read my mind?".

      It turns out it was a Google ad, and I was just on Google looking for a hotel in $CITY... so...

  • I tried it and it reeks of mildew, stale dust particles and mold spores.
  • by hansamurai (907719) <hansamurai@gmail.com> on Friday December 03, 2010 @11:14AM (#34430992) Homepage Journal

    Open about:config

    Set layout.css.visited_links_enabled to false

  • by alen (225700) on Friday December 03, 2010 @11:21AM (#34431082)

    Steve Jobs told me that it's going to be super secure

    • And he was right.

      This doesn't work in Safari 5.02. Even without private mode on.

    • by dogzilla (83896)
      According to TFA this doesn't work at all in Steve Job's browser. Or the iOS browsers. Or Chrome. All of which use webkit. So your snide comment turns out to be more or less true. How 'bout them apples?
  • Javascript... (Score:5, Insightful)

    by betterunixthanunix (980855) on Friday December 03, 2010 @11:35AM (#34431254)
    If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it? That is basically what is happening when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.
    • by he-sk (103163)

      Stop the fear-mongering!

      You are allowing websites to run arbitrary code in your browser sandbox.

      The sandbox may be leaky -- which is what the article complains about -- but I read up-thread that both Webkit and Firefox have fixed this issue.

    • by MobyDisk (75490)

      would you run it?

      In a virtual machine. Which is how Javascript is supposed to be run. Just like VBScript was, and Java, PDF, and every other "safe" technology. The problem is that the temptation to make sandboxed scripting languages more powerful slowly erodes the security of the sandbox.

    • If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it?

      if it comes with free Pr0n? Hell yeah!

    • by catbutt (469582)

      when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

      Wow, really? That's pretty scary. I guess no one has ever thought about the implications of that, or considered putting it in a sandbox so it can't do anything it wants to your computer. I think a strongly worded letter to the browser makers is in order!

    • by radish (98371)

      It's also what happens every time you run "apt-get install foobar" or download a dpkg or msi or whatever. Unless you're telling me you personally review the source of every app you install, in which case I don't believe you - and it's irrelevant because you could also read all the JS delivered to your browser if you wanted.

  • by Anonymous Coward on Friday December 03, 2010 @11:57AM (#34431542)

    If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.

    A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,”

    This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."

    It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.

    The same goes for the mention of cookies.

    The FTC has proposed the creation of a Do Not Track option for Web surfers, which would regulate history sniffing as well as ad networks placing cookies on your computer to keep track of you.

    Never in the history of the web, has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.

    Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.

    [*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.

    What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.

  • by mbone (558574) on Friday December 03, 2010 @12:28PM (#34432048)

    My recommendation is to use multiple browsers.

    Say you use Firefox for your web searches.

    Then run Facebook on Safari (say)

    Anything google on Opera.

    Any porn on Chrome.

    Etc.

    There are a bunch of broswers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.

    • This is what I've been doing for years.

      Though I'd swap the Opera and Chrome recommendations.

    • Or use multiple profiles with the same browser, for example start firefox with:

      -no-remote -ProfileManager

      and then create different profiles for different websites.

      You will have completely different sets of plugins, bookmarks, histories, settings, etc.
      Some plugins, like flash, will share common settings because they store stuff outside of the firefox directories (~/.macromedia/ for example).

  • As pointed out by PZ Myers http://scienceblogs.com/pharyngula/2010/12/another_reason_to_avoid_visiti.php [scienceblogs.com]
    The comments in their javascript are kind of funny.In particular, // CREATIONIST GROUPIES

Mommy, what happens to your files when you die?

Working...