Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Method of Tracking UIP Hits?

Posted by ScuttleMonkey on from the ip's-on-the-table dept.

smurray writes "iMediaConnection has an interesting article on a new approach to web analysis. The author claims that he is describing 'new, cutting edge methodologies for identifying people, methodologies that -- at this point -- no web analytics product supports.' What's more interesting, the new technology doesn't seem to be privacy intrusive." Many companies seem unhappy with the accepted norms of tracking UIP results. Another approach to solving this problem was also previously covered on Slashdot.

2 of 174 comments (clear)

  1. Adjusting Macromedia Flash Settings by buro9 · · Score: 4, Informative

    Macromedia have a page that allows you to modify what sites can do on your computer in regards to Flash:
    http://www.macromedia.com/support/documentation/en /flashplayer/help/settings_manager02.html#118539

  2. Too much faith in humanity? by Moraelin · · Score: 4, Informative

    "I highly doubt anyone is THAT stupid to put THAT big of a security flaw into a system."

    Read the article, and the guy is proposing to build exactly that kind of a security flaw into the system.

    Flash can use, basically, some local shared storage on your hard drive. This isn't really designed as cookie storage, and doesn't have even the meager safeguards that cookies have. (E.g., being tied only to a domain.) It's really a space that _any_ flash applet can read and write, and currently noone (with half a clue) puts any important data there.

    This guy's idea? Basically, "I know, let's store cookies there, precisely _because_ any other flash applet, e.g., our own again from a different page, can read that back again."

    Caveat: so can everyone else. I could make a simple flash game that grabs everything stored there, just as you described, and sends it back to me. Including, yes, your session id (so, yes, I can take over your session in any site you were logged in, including any e-commerce sites or your bank) and anything else they stored there.

    Since it's used to track your movements through sites, depending how clueless that's programmed, I may (or may not) also be able gather all sorts of other information about you.

    So in a nutshell his miracle solution is to build _exactly_ that kind of a vulnerability (not to mention privacy leak) into the system.

    So, well, that's the problem with assuming that "noone could be THAT stupid". Invariably when I say that, someone kindly offers himself as living proof that I'm wrong. Soneone CAN be that stupid.

    --
    A polar bear is a cartesian bear after a coordinate transform.