History Sniffing In the Wild
An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."
YouPorn script (Score:2)
The fact that they intentionally obfuscated the code means that they KNEW this would piss people off, and were hoping to just bore curious folk by presenting seemingly random characters.
Re:YouPorn script (Score:5, Informative)
Google obfuscates its JavaScript all the time, in order to keep page sizes low and load times fast (and perhaps to keep people from stealing their code).
A simple fix (Score:4, Interesting)
Re: (Score:3, Informative)
More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.
Sure you can. Just check a link to the page you’re on, since you know it’s visited.
Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.
Re: (Score:1)
Ummm, no, you don't necessarily know if a link is one you've visited already. That's why the purplization is useful to many people. You only know after you've clicked it a lot of the time. Massive, munged links to particular stories on sites like CNN, you could very well not know -- and some sites don't use any human-understandable words in those links anyway.
As for the style sheet, tough shit. I like the purple links telling me I've clicked it already. Somebody's lost the whole concept behind a linked
Re: (Score:1)
You completely missed my point. And I don’t think you know what history sniffing is, or how it works.
Re: (Score:2)
Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.
If that's so important to the website owner that it renders the site unusable, then it probably wasn't worth using anyway.
If someone has information worth imparting and data worth considering, then they've no need to use bells and whistles other than to show off their lack of confidence in their content. Contrariwise, someone with a valueless, "me too" website is likely to disguise its lack of content with bells and whistles.
Does this make me a bad consumer? You bet! Just thank your lucky stars that you d
Re: (Score:1)
Would incrementing just one of the bytes in the RGB triplet by one help?
Re: (Score:2)
I was going to respond to your point by noting that Google is the world's largest internet company. Then I noticed that Youporn.com is apparently the 61st highest ranked internet site. I guess you can't exactly say that these guys are small time.
Re: (Score:2)
No, Google optimizes its JavaScript in order to reduce size and execution time. That just happens to make it quite hard to read. Think "compiling" JavaScript into a smaller, not-meant-for-humans form.
This is different, it's deliberate obfuscation designed to make the script hard to read, while doing nothing for performance. It's a simple version of source or executable obfuscation. A more elaborate example would be the stuff that Apple does to their iTunes DB hashing algorithm to lock users into iTunes and
Re: (Score:1)
My bet would be that they are simply looking not to give others any help in SEO rankings. This very simple cipher would make it so that any potential search engine wouldn't see a url to pornhub.com on their site.
That isn't obfuscation... (Score:2)
Compressing code into a near-unreadable terse format to reduce transmission bandwidth is not "obfuscation" it's "compression".
Obfuscation has, as a trademark, the addition of operations intended to obscure the function of the code. Compressed code doesn't particularly obscure the function, though it usually obscures the purpose of the coded operations.
Example: "++a;" is compressed and obscure to purpose as we don't know what _a_ represents nor why incrementing it by one is significant. This is compressed co
Re: (Score:2)
The proper term is minimize and there are plenty of tools out there which do beautification. For example the Y-Slow extension for the Firebug extension of Firefox (yes I know too many extensions :-( )
Re: (Score:2)
More likely they were trying to protect their wonderful proprietary code from their competitors.
Re: (Score:1)
That places a lot of trust in the website that I don't really have. "Oh sure, take a look at what sites I go to, just make sure it's only the ones I'm cool with, k?" If someone wants to let websites in on all or some of their history, they can go hog wild, but I should be able to keep mine private. I don't want places knowing what I bought on Amazon, and I don't want Amazon knowing what I look at.
Re:YouPorn script (Score:4, Interesting)
What about Firefox hidden history data?
Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
How secure is that??
Note that entering "about:config" in the address bar allows editing the config settings.
Went to http://startpanic.com/ (Score:5, Informative)
...using Chrome in incognito mode. It determined I had visited...
...startpanic.com
So yeah, use incognito/private browsing mode.
Re: (Score:3)
Safari without Private Browsing works fine too.
Re: (Score:2)
Re:Went to http://startpanic.com/ (Score:4, Informative)
RTFA. Webkit-based browsers solved this a while ago, and Firefox did it in their latest release.
As usual, only explorer is vulnerable. No comments on Opera. Anyone care to test it out?
Re: (Score:1)
Opera 10.63 under a private tab on startpanic.com reports back with just startpanic.com.
Re:Went to http://startpanic.com/ (Score:4, Informative)
Opera 10.63, definitively vulnerable.
Re: (Score:2)
Latest release? If you mean Firefox 3.6.12, it's still vulnerable. I just tested it & then fixed it thanks to a helpful commenter.
Re: (Score:1)
Sorry, I mean latest beta.
Re: (Score:1)
Meh... It doesn't appear to work in Firefox4, Chrome or Opera at all (in any mode).
It seems to only work in Firefox3 as long as you don't have NoScript, etc. Firefox3's private mode offers protection as well.
I didn't test IE.
Seems like the browser makers were already on top of this.
Re: (Score:1)
in html:
<a class='linktestgoogle' href='http://www.google.com/'> </a>
in css:
.linktestgoogle {visibility: hidden;}
.linktestgoogle:visited { background-image: url('pagevisited.php?url=google'); }
(correcting for mistakes made in typing into this textarea)
Re: (Score:2)
Using Chrome 8 without incognito, I got... nothing.
It didn't even show me startpanic.com.
So maybe... don't use incognito?
Re: (Score:1)
What if you open a non-incognito (cognito?) window? Will it purple links you are currently viewing in your incognito window?
BTW, I'm pretty sure Pandora does this, too.
Re: (Score:2)
FF4 also solved this.
Yup (Score:1)
I had basically assumed (semi subconsciously) all along that websites I was visiting could have some idea of what other websites I had been to, or at least toyed with the thought.
I am unfazed, and not surprised. *shrug*
Re: (Score:2)
I was looking for a hotel in a $CITY once, so I used the best method I knew: Google it. Looked at a few hotel booking sites, booked a room, all done.
Then I was reading a news website with my ad-blocker disabled, and on the right side of the screen was an ad, "Hotels in $CITY". "What the frakk?", I thought, "how did they read my mind?".
It turns out it was a Google ad, and I was just on Google looking for a hotel in $CITY... so...
Plug the leak in Firefox (Score:5, Informative)
Open about:config
Set layout.css.visited_links_enabled to false
Re: (Score:2)
If it is fixed in v4, then we will have to wait for its stable/production release. :(
Re: (Score:2)
Except for the user agent switcher, the few plug-ins I use were compatible.
Re: (Score:3)
Thank you.
HTML5 will fix it (Score:5, Funny)
Steve Jobs told me that it's going to be super secure
Re: (Score:2)
And he was right.
This doesn't work in Safari 5.02. Even without private mode on.
Javascript... (Score:5, Insightful)
Re: (Score:2)
This is also what you do when installing and running any program for which you cannot view and understand the source code. And yet millions of computer users do this daily.
And millions of them don't even realise they're now part of a botnet and their computer is controlled by the Russian mob.
Re:Javascript... (Score:4, Interesting)
And HTML differs from Javascript how? Or how about an image?
Neither HTML nor JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kinds of operations. _by design_
Re: (Score:2)
Neither HTML nor JPEG files are Turing-complete programming languages.
It has nothing to do with Turing-completeness.
Sure, your HTML or JPEG parser might have bugs that allow remote exploits
And everything to do with that.
that's a huge difference from a language like Javascript which can trivially perform these kinds of operations. _by design_
No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.
Re:Javascript... (Score:4, Interesting)
No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.
Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.
Re: (Score:3)
It has nothing to do with Turing-completeness.
That depends on what sort of attack you want to perform.
It has a sandbox that it plays in. If JS code breaks out of that, it's a bug
Suppose you have a perfect sandbox, no bugs whatsoever. You can still perform the attack described in TFA, because Javascript is supposed to be able to do exactly what TFA describes. You could still have problems with XSS attacks (this is external to bugs in the Javascript interpreter). The API allows these things to happen, and a bug-free Javascript interpreter would still have to conform to the API.
Re: (Score:2)
No implementation of any programming language is complete as it would require an infinite tape (memory).
Re: (Score:1)
Then the implementation (compiler/interpreter running on that OS on that hardware) is still not Turing-complete.
Re: (Score:2)
So, let's say your Javascript program needs 1000TB of memory to complete some computation. That will not work on my laptop, since my laptop does not have that much physical memory available. You might construct a computer with that much memory, though (perhaps a very big computer,
Re: (Score:1)
It's generally acceptable to call general-purpose computers Turing complete, even though they're technically not, as they lack infinite memory. Strictly, they're simply linear bounded automata complete.
Re: (Score:2)
To sniff the history plain HTML/CSS is already enough, no need for Javascript. The trouble here is really the bi-directional communication with the server, not if the language is Turing-complete or not. Plugging holes in non-Turing languages is however of course a good bit easier.
Re: (Score:1)
good luck writing malicious C++ or python if you're not allowed to call any library functions
Am I allowed to use embedded assembly and make a few assumptions about the OS and architecture?
Re: (Score:1)
I was thinking more just use the OS system call functions, and overwriting all of the files in the %userprofile%\My documents folder with random data or something like that.
Re: (Score:1)
If you don't have any libraries to call, it's harmless. C++ and python are turing complete, but good luck writing malicious C++ or python if you're not allowed to call any library functions.
That's easily disproved: an eternal loop is malicious code.
Javascript can only access what the browser exposes to it, and the assumption (with rare exceptions such as history sniffing) is that the functionality that the browser exposes to it is harmless.
With javascript it's even worse. Unless the browser exposes document.*, it's going to be rather useless, and if exposed, you can easily create self-modifying recursive scripts that gobble up all resources; CPU, RAM and storage.
Re: (Score:2)
Stop the fear-mongering!
You are allowing websites to run arbitrary code in your browser sandbox.
The sandbox may be leaky -- which is what the article complains about -- but I read up-thread that both Webkit and Firefox have fixed this issue.
Re: (Score:2)
Firefox 3.6.12 is still vulnerable.
Re: (Score:2)
would you run it?
In a virtual machine. Which is how Javascript is supposed to be run. Just like VBScript was, and Java, PDF, and every other "safe" technology. The problem is that the temptation to make sandboxed scripting languages more powerful slowly erodes the security of the sandbox.
Re: (Score:1)
If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it?
if it comes with free Pr0n? Hell yeah!
Re: (Score:2)
Wow, really? That's pretty scary. I guess no one has ever thought about the implications of that, or considered putting it in a sandbox so it can't do anything it wants to your computer. I think a strongly worded letter to the browser makers is in order!
Re: (Score:2)
It's also what happens every time you run "apt-get install foobar" or download a dpkg or msi or whatever. Unless you're telling me you personally review the source of every app you install, in which case I don't believe you - and it's irrelevant because you could also read all the JS delivered to your browser if you wanted.
Forbes shouldn't try to write about tech (Score:5, Insightful)
If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.
This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."
It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.
The same goes for the mention of cookies.
Never in the history of the web, has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.
Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.
[*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.
What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.
Use multiple browsers (Score:4, Interesting)
My recommendation is to use multiple browsers.
Say you use Firefox for your web searches.
Then run Facebook on Safari (say)
Anything google on Opera.
Any porn on Chrome.
Etc.
There are a bunch of browsers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.
Re: (Score:2)
This is what I've been doing for years.
Though I'd swap the Opera and Chrome recommendations.
Re: (Score:2)
Or use multiple profiles with the same browser, for example start firefox with:
-no-remote -ProfileManager
and then create different profiles for different websites.
You will have completely different sets of plugins, bookmarks, histories, settings, etc.
Some plugins, like flash, will share common settings because they store stuff outside of the firefox directories (~/.macromedia/ for example).
Answers in Genesis is also using this (Score:2)
As pointed out by PZ Myers http://scienceblogs.com/pharyngula/2010/12/another_reason_to_avoid_visiti.php
The comments in their javascript are kind of funny. In particular,
// CREATIONIST GROUPIES