Slashdot Mirror


History Sniffing In the Wild

An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

96 comments

  1. YouPorn script by Amorymeltzer · · Score: 2

    The fact that they intentionally obfuscated the code means that they KNEW this would piss people off, and were hoping to just bore curious folk by presenting seemingly random characters.

    --
    I live in constant fear of the Coming of the Red Spiders.
    1. Re:YouPorn script by The+MAZZTer · · Score: 5, Informative

      Google obfuscates its JavaScript all the time, in order to keep page sizes low and load times fast (and perhaps to keep people from stealing their code).

    2. Re:YouPorn script by Anonymous Coward · · Score: 0

      Google doesn't use ROT13 like these guys though...

    3. Re:YouPorn script by John+Hasler · · Score: 1

      More likely they were trying to protect their wonderful proprietary code from their competitors.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:YouPorn script by ObsessiveMathsFreak · · Score: 1

      I was going to respond to your point by noting that Google is the world's largest internet company. Then I noticed that Youporn.com is apparently the 61st highest ranked internet site. I guess you can't exactly say that these guys are small time.

      --
      May the Maths Be with you!
    5. Re:YouPorn script by Anonymous Coward · · Score: 0

      There's no such thing as random characters. They all mean something.

    6. Re:YouPorn script by hairyfeet · · Score: 2

      Frankly I don't know why it would piss people off, as if you actually look at the list Youporn doesn't care if you went to..say Amazon or not. No, what they are looking for is to see if you have visited any of their "sister" sites, those they share a lot of links with. It makes sense to me if they are sharing referrals they would want to know which sites give them more hits and thus should be higher ranked VS those that give them less. And since with both Youporn and the sister sites they have everything categorized anyway it isn't like someone is suddenly gonna learn you like chubby dominatrix midgets from Lithuania, since on any of those sites a guy is gonna head to his favorite category like a heat seeking missile.

      What worries me more is ones that look at sites like Amazon. Just because I visit your site does NOT give you the right to see what presents I bought my family! Can anyone confirm that those of us with ABP and Noscript are safe (as we usually are) or if they have figured a way around it? I tried to read the PDF but it is too damned early and I haven't had my morning caffeine so trying to make heads or tails out of research papers is a little out of my league ATM.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:YouPorn script by camperslo · · Score: 3, Interesting

      What about Firefox hidden history data?

      Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
      How secure is that??

      Note that entering "about:config" in the address bar allows editing the config settings.

    8. Re:YouPorn script by Clueless+Moron · · Score: 1

      That's nice, but this particular obfuscation makes the script bigger and slower

    9. Re:YouPorn script by Amorymeltzer · · Score: 1

      That places a lot of trust in the website that I don't really have. "Oh sure, take a look at what sites I go to, just make sure it's only the ones I'm cool with, k?" If someone wants to let websites in on all or some of their history, they can go hog wild, but I should be able to keep mine private. I don't want places knowing what I bought on Amazon, and I don't want Amazon knowing what I look at.

      --
      I live in constant fear of the Coming of the Red Spiders.
    10. Re:YouPorn script by Anonymous Coward · · Score: 0

      Can anyone confirm that those of us with ABP and Noscript are safe (as we usually are) or if they have figured a way around it?

      Yes, there is an easy two step solution.
      Step 1: Make sure your site requires javascript to perform the functions that are desired by the user.
      Step 2: Use that same javascript to test the links and perform other tracking deeds.

    11. Re:YouPorn script by marcansoft · · Score: 1

      No, Google optimizes its JavaScript in order to reduce size and execution time. That just happens to make it quite hard to read. Think "compiling" JavaScript into a smaller, not-meant-for-humans form.

      This is different, it's deliberate obfuscation designed to make the script hard to read, while doing nothing for performance. It's a simple version of source or executable obfuscation. A more elaborate example would be the stuff that Apple does to their iTunes DB hashing algorithm to lock users into iTunes and stop people from interoperating with their devices from Linux (which also makes the code hilariously slow and bloated, but extremely hard to read).

    12. Re:YouPorn script by rtfa-troll · · Score: 2

      If you managed to just read to the end of the article; and I'm really surprised you didn't before posting; or followed the asterisk like I did; you would find that they have rot-1 encryption that in no way changes the size of the links. It's straightforward obfuscation. In fact since they have to load the obfuscation code it takes more space.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    13. Re:YouPorn script by after.fallout.34t98e · · Score: 1

      My bet would be that they are simply looking not to give others any help in SEO rankings. This very simple cipher would make it so that any potential search engine wouldn't see a url to pornhub.com on their site.

    14. Re:YouPorn script by Anonymous Coward · · Score: 0

      What about Firefox hidden history data?

      Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
      How secure is that??

      Note that entering "about:config" in the address bar allows editing the config settings.

      So what should the settings be? 0? 1? -1?

    15. Re:YouPorn script by Lennie · · Score: 1

      The proper term is minimize and there are plenty of tools out there which do beautification. For example the Y-Slow extension for the Firebug extension of Firefox (yes I know too many extensions :-( )

      --
      New things are always on the horizon
  2. Went to http://startpanic.com/ by The+MAZZTer · · Score: 4, Informative

    ...using Chrome in incognito mode. It determined I had visited...

    ...startpanic.com

    So yeah, use incognito/private browsing mode.

    1. Re:Went to http://startpanic.com/ by i.am.delf · · Score: 2

      Hah I tried this in 9.0.597.0 without incognito and it detected... startpanic.com only

    2. Re:Went to http://startpanic.com/ by Anonymous Coward · · Score: 0

      Works for Safari in Private Browsing mode, too.

    3. Re:Went to http://startpanic.com/ by The+MAZZTer · · Score: 1

      Oh! So it does! Maybe the Chrome team fixed this like Firefox has.

    4. Re:Went to http://startpanic.com/ by GNUALMAFUERTE · · Score: 4, Informative

      RTFA. Webkit-based browsers solved this a while ago, and Firefox did it in their latest release.

      As usual, only explorer is vulnerable. No comments on Opera. Anyone care to test it out?

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    5. Re:Went to http://startpanic.com/ by Anonymous Coward · · Score: 1

      Meh... It doesn't appear to work in Firefox4, Chrome or Opera at all (in any mode).

      It seems to only work in Firefox3 as long as you don't have NoScript, etc. Firefox3's private mode offers protection as well.

      I didn't test IE.

      Seems like the browser makers were already on top of this.

    6. Re:Went to http://startpanic.com/ by Anonymous Coward · · Score: 0

      I went without incognito mode, and with several tabs open. It still picked up nothing.

    7. Re:Went to http://startpanic.com/ by NatasRevol · · Score: 2

      Safari without Private Browsing works fine too.

      --
      There are two types of people in the world: Those who crave closure
    8. Re:Went to http://startpanic.com/ by Anonymous Coward · · Score: 1

      Opera 10.63 under a private tab on startpanic.com reports back with just startpanic.com.

    9. Re:Went to http://startpanic.com/ by Kjella · · Score: 3, Informative

      Opera 10.63, definitively vulnerable.

      --
      Live today, because you never know what tomorrow brings
    10. Re:Went to http://startpanic.com/ by Jaysyn · · Score: 1

      Latest release? If you mean Firefox 3.6.12, it's still vulnerable. I just tested it & then fixed it thanks to a helpful commenter.

      --
      There is a war going on for your mind.
    11. Re:Went to http://startpanic.com/ by GNUALMAFUERTE · · Score: 1

      Sorry, I mean latest beta.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    12. Re:Went to http://startpanic.com/ by Facegarden · · Score: 1

      Using Chrome 8 without incognito, I got... nothing.

      It didn't even show me startpanic.com.

      So maybe... don't use incognito?

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    13. Re:Went to http://startpanic.com/ by after.fallout.34t98e · · Score: 1

      The way to do it without javascript (so that it would work in Firefox 3 as well with NoScript enabled) was to do it purely with css:

      in html:

      <a class='linktestgoogle' href='http://www.google.com/'>&nbsp;</a>

      in css:
      .linktestgoogle {visibility: hidden;}
      .linktestgoogle:visited { background-image: url('pagevisited.php?url=google'); }

      (correcting for mistakes made in typing into this textarea)
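
Added example (not part of the comment above, and not code from any site discussed here): a static check in JavaScript that flags stylesheet rules of the kind shown in that comment, where a `:visited` selector fetches a URL or sets a non-colour property. The function names, the colour-only allow-list and the sample stylesheet are assumptions constructed for illustration.

```javascript
// Properties treated as safe on :visited (colour-only), modelled on the
// restriction browsers apply to :visited styling. The exact list is an
// assumption of this example.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color',
  'border-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color',
  'text-decoration-color', 'text-emphasis-color', 'caret-color',
  'fill', 'stroke',
]);

// Split a declaration block on semicolons that are not inside
// parentheses or quotes, so "url(data:...;base64,...)" stays in one piece.
function splitDeclarations(block) {
  const out = [];
  let depth = 0, quote = null, cur = '';
  for (const ch of block) {
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')') {
      depth = Math.max(0, depth - 1);
    } else if (ch === ';' && depth === 0) {
      out.push(cur);
      cur = '';
      continue;
    }
    cur += ch;
  }
  if (cur.trim()) out.push(cur);
  return out;
}

// Return one finding per declaration that could reveal visited state:
//  - 'fetches-url': the value loads a resource, so the server sees a request
//  - 'non-color-property': layout or visibility changes a script can measure
function findVisitedLeaks(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, '');  // drop CSS comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;              // innermost blocks, so rules inside @media are seen
  let m;
  while ((m = ruleRe.exec(text)) !== null) {
    const selectors = m[1].split(',')
      .map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of splitDeclarations(m[2])) {
      const i = decl.indexOf(':');
      if (i < 0) continue;
      const property = decl.slice(0, i).trim().toLowerCase();
      const value = decl.slice(i + 1).trim();
      let reason = null;
      if (/url\s*\(/i.test(value)) reason = 'fetches-url';
      else if (!COLOR_ONLY.has(property)) reason = 'non-color-property';
      if (reason) {
        findings.push({ selector: selectors.join(', '), property, value, reason });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
/* ordinary visited-link colouring */
a:visited { color: purple; }
.linktestgoogle { visibility: hidden; }
.linktestgoogle:visited { background-image: url('pagevisited.php?url=google'); }
@media screen {
  nav a:hover, nav a:visited { width: 5px; border-color: red }
}
`;

for (const f of findVisitedLeaks(SAMPLE_CSS)) {
  console.log(`${f.reason}: ${f.selector} { ${f.property}: ${f.value} }`);
}
```

The plain `a:visited { color: purple; }` rule passes, which is the behaviour users rely on for purple links; only the rules that turn visited state into a request or a measurable layout change are reported.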

    14. Re:Went to http://startpanic.com/ by Impy+the+Impiuos+Imp · · Score: 1

      What if you open a non-incognito (cognito?) window? Will it purple links you are currently viewing in your incognito window?

      BTW, I'm pretty sure Pandora does this, too.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    15. Re:Went to http://startpanic.com/ by Lennie · · Score: 1

      FF4 also solved this.

      --
      New things are always on the horizon
  3. Yup by Anonymous Coward · · Score: 1

    I had basically assumed (semi subconsciously) all along that websites I was visiting could have some idea of what other websites I had been to, or at least toyed with the thought.
    I am unfazed, and not surprised. *shrug*

    1. Re:Yup by netsharc · · Score: 1

      I was looking for a hotel in a $CITY once, so I used the best method I knew: Google it. Looked at a few hotel booking sites, booked a room, all done.

      Then I was reading a news website with my ad-blocker disabled, and on the right side of the screen was an ad, "Hotels in $CITY". "What the frakk?", I thought, "how did they read my mind?".

      It turns out it was a Google ad, and I was just on Google looking for a hotel in $CITY... so...

      --
      What time is it/will be over there? Check with my iPhone app!
  4. It's not the sniffing I mind, by Anonymous Coward · · Score: 0

    it's all the spitting. WTF is up with that?

  5. History sniffing by digitaldc · · Score: 1

    I tried it and it reeks of mildew, stale dust particles and mold spores.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:History sniffing by camperdave · · Score: 2

      You should smell some of the "history" in the back of MY fridge.

      --
      When our name is on the back of your car, we're behind you all the way!
  6. Plug the leak in Firefox by hansamurai · · Score: 5, Informative

    Open about:config

    Set layout.css.visited_links_enabled to false

    1. Re:Plug the leak in Firefox by jgtg32a · · Score: 1

      Very nice

    2. Re:Plug the leak in Firefox by assemblerex · · Score: 1

      Kudos

    3. Re:Plug the leak in Firefox by clickclickdrone · · Score: 2

      Or switch to private browsing mode first.

      --
      I want a list of atrocities done in your name - Recoil
    4. Re:Plug the leak in Firefox by The+MAZZTer · · Score: 4, Interesting

      You shouldn't even need to go that far, Mozilla plugged most of the leak. I'm not sure if this made it into 3.6 though... might want to wait for 4.0?

    5. Re:Plug the leak in Firefox by Jaysyn · · Score: 2

      Thank you.

      --
      There is a war going on for your mind.
    6. Re:Plug the leak in Firefox by choongiri · · Score: 2

      It didn't. 3.6.12 still has the leak.

    7. Re:Plug the leak in Firefox by antdude · · Score: 1

      If it is fixed in v4, then we will have to wait for its stable/production release. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:Plug the leak in Firefox by Teun · · Score: 1

      I've been running 4.0b for over a month now without noticing any show stopper problems.

      Except for the user agent switcher the few plug ins I use were compatible.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  7. HTML5 will fix it by alen · · Score: 4, Funny

    Steve Jobs told me that it's going to be super secure

    1. Re:HTML5 will fix it by Anonymous Coward · · Score: 0

      Steve Jobs told me that it's going to be super secure

      It's magical, revolutionary!

    2. Re:HTML5 will fix it by NatasRevol · · Score: 1

      And he was right.

      This doesn't work in Safari 5.02. Even without private mode on.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:HTML5 will fix it by dogzilla · · Score: 1

      According to TFA this doesn't work at all in Steve Jobs's browser. Or the iOS browsers. Or Chrome. All of which use webkit. So your snide comment turns out to be more or less true. How 'bout them apples?

      --
      The crimes of eBay are a disgrace to it's pig latin heritage!
    4. Re:HTML5 will fix it by Anonymous Coward · · Score: 0

      Oh brother.

  8. Javascript... by betterunixthanunix · · Score: 5, Insightful

    If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it? That is basically what is happening when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

    --
    Palm trees and 8
    1. Re:Javascript... by Anonymous Coward · · Score: 0

      This is also what you do when installing and running any program for which you cannot view and understand the source code. And yet millions of computer users do this daily.

    2. Re:Javascript... by 0123456 · · Score: 1

      This is also what you do when installing and running any program for which you cannot view and understand the source code. And yet millions of computer users do this daily.

      And millions of them don't even realise they're now part of a botnet and their computer is controlled by the Russian mob.

    3. Re:Javascript... by Anonymous Coward · · Score: 0

      And HTML differs from Javascript how? Or how about an image? It's all interpreted communication that results in something an end-user thinks they desire. All you can do is hope that the sandbox they play in keeps the rest of your computer safe.

    4. Re:Javascript... by Anonymous Coward · · Score: 0

      I thought that was part of the default install on XP?

    5. Re:Javascript... by 0123456 · · Score: 3, Interesting

      And HTML differs from Javascript how? Or how about an image?

      Neither HTML or JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

    6. Re:Javascript... by clone52431 · · Score: 2

      Neither HTML or JPEG files are Turing-complete programming languages.

      It has nothing to do with Turing-completeness.

      Sure, your HTML or JPEG parser might have bugs that allow remote exploits

      And everything to do with that.

      that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

      No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    7. Re:Javascript... by gtall · · Score: 1

      No implementation of any programming language is complete as it would require an infinite tape (memory).

    8. Re:Javascript... by Anonymous Coward · · Score: 0

      If you don't have any libraries to call, it's harmless. C++ and python are turing complete, but good luck writing malicious C++ or python if you're not allowed to call any library functions. Javascript can only access what the browser exposes to it, and the assumption (with rare exceptions such as history sniffing) is that the functionality that the browser exposes to it is harmless.

    9. Re:Javascript... by clone52431 · · Score: 1

      good luck writing malicious C++ or python if you're not allowed to call any library functions

      Am I allowed to use embedded assembly and make a few assumptions about the OS and architecture?

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    10. Re:Javascript... by he-sk · · Score: 1

      Stop the fear-mongering!

      You are allowing websites to run arbitrary code in your browser sandbox.

      The sandbox may be leaky -- which is what the article complains about -- but I read up-thread that both Webkit and Firefox have fixed this issue.

      --
      Free Manning, jail Obama.
    11. Re:Javascript... by 0123456 · · Score: 3, Interesting

      No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

      Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.

    12. Re:Javascript... by Anonymous Coward · · Score: 0

      Haha, I thought about that, but adding more restrictions would make it sound less dramatic ;)

      In my opinion, embedded assembly isn't actually C++, but that's semantics. I think that to do damage, you'd still have to call a library function (fill the registers and manipulate the stack pointer). If we assume the operating system will let you clobber the memory regions occupied by other programs, you can obviously cause harm that way...

    13. Re:Javascript... by betterunixthanunix · · Score: 2

      It has nothing to do with Turing-completeness.

      That depends on what sort of attack you want to perform.

      It has a sandbox that it plays in. If JS code breaks out of that, it's a bug

      Suppose you have a perfect sandbox, no bugs whatsoever. You can still perform the attack described in TFA, because Javascript is supposed to be able to do exactly what TFA describes. You could still have problems with XSS attacks (this is external to bugs in the Javascript interpreter). The API allows these things to happen, and a bug-free Javascript interpreter would still have to conform to the API.

      --
      Palm trees and 8
    14. Re:Javascript... by betterunixthanunix · · Score: 1

      Unless, of course, the compiler/interpreter does not place any bounds on memory, and relies instead on the OS to enforce those sorts of restrictions (i.e. by terminating your program when you try to allocate more memory than is available). A language being Turing complete is purely a theoretical concept; it has nothing to do with what sort of machine the language is actually used on.

      --
      Palm trees and 8
    15. Re:Javascript... by clone52431 · · Score: 1

      I was thinking more just use the OS system call functions, and overwriting all of the files in the %userprofile%\My documents folder with random data or something like that.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    16. Re:Javascript... by clone52431 · · Score: 1

      Then the implementation (compiler/interpreter running on that OS on that hardware) is still not Turing-complete.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    17. Re:Javascript... by Anonymous Coward · · Score: 0

      Yeah but what about if I gave you random code?

    18. Re:Javascript... by betterunixthanunix · · Score: 1

      The language still is, and that is what really matters. No Turing machine can actually use its entire tape; the infinite nature of the tape only means that the machine can use an unbounded, but still finite, amount of memory.

      So, let's say your Javascript program needs 1000TB of memory to complete some computation. That will not work on my laptop, since my laptop does not have that much physical memory available. You might construct a computer with that much memory, though (perhaps a very big computer, but that is irrelevant) and then the same program will run.

      --
      Palm trees and 8
    19. Re:Javascript... by arth1 · · Score: 1

      If you don't have any libraries to call, it's harmless. C++ and python are turing complete, but good luck writing malicious C++ or python if you're not allowed to call any library functions.

      That's easily disproved: an eternal loop is malicious code.

      Javascript can only access what the browser exposes to it, and the assumption (with rare exceptions such as history sniffing) is that the functionality that the browser exposes to it is harmless.

      With javascript it's even worse. Unless the browser exposes document.*, it's going to be rather useless, and if exposed, you can easily create self-modifying recursive scripts that gobble up all resources; CPU, RAM and storage.

    20. Re:Javascript... by blueg3 · · Score: 0

      It's generally acceptable to call general-purpose computers Turing complete, even though they're technically not, as they lack infinite memory. Strictly, they're simply linear bounded automata complete.

    21. Re:Javascript... by Jaysyn · · Score: 1

      Firefox 3.6.12 is still vulnerable.

      --
      There is a war going on for your mind.
    22. Re:Javascript... by MobyDisk · · Score: 1

      would you run it?

      In a virtual machine. Which is how Javascript is supposed to be run. Just like VBScript was, and Java, PDF, and every other "safe" technology. The problem is that the temptation to make sandboxed scripting languages more powerful slowly erodes the security of the sandbox.

    23. Re:Javascript... by grumbel · · Score: 1

      To sniff the history, plain HTML/CSS is already enough, no need for Javascript. The trouble here is really the bi-directional communication with the server, not if the language is Turing-complete or not. Plugging holes in non-Turing languages is however of course a good bit easier.

    24. Re:Javascript... by Anonymous Coward · · Score: 0

      You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

      "sudo kill -9 $$"

      "Aaaagh... gurgle... thud."

      (And the captcha for this post is "shutdown" - how does Slashdot do that?)

    25. Re:Javascript... by Storebj0rn · · Score: 1

      If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it?

      if it comes with free Pr0n? Hell yeah!

      --
      "Windows are for cheaters" - Bruce Springsteen
    26. Re:Javascript... by catbutt · · Score: 1

      when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

      Wow, really? That's pretty scary. I guess no one has ever thought about the implications of that, or considered putting it in a sandbox so it can't do anything it wants to your computer. I think a strongly worded letter to the browser makers is in order!

    27. Re:Javascript... by radish · · Score: 1

      It's also what happens every time you run "apt-get install foobar" or download a dpkg or msi or whatever. Unless you're telling me you personally review the source of every app you install, in which case I don't believe you - and it's irrelevant because you could also read all the JS delivered to your browser if you wanted.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  9. Forbes shouldn't try to write about tech by Anonymous Coward · · Score: 5, Insightful

    If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.

    A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,”

    This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."

    It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.

    The same goes for the mention of cookies.

    The FTC has proposed the creation of a Do Not Track option for Web surfers, which would regulate history sniffing as well as ad networks placing cookies on your computer to keep track of you.

    Never in the history of the web, has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.

    Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.

    [*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.

    What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.

  10. A simple fix by VernonNemitz · · Score: 3, Interesting

    In Firefox, even older versions (and perhaps some of the other browsers out there), you can change your "visited links" color (via Edit, Preferences, Appearance, Colors) to something other than purple. Then this script won't work. More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

    1. Re:A simple fix by clone52431 · · Score: 3, Informative

      More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

      Sure you can. Just check a link to the page you’re on, since you know it’s visited.

      Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    2. Re:A simple fix by Anonymous Coward · · Score: 0

      about:config
      layout.css.visited_links_enabled => false

      Done and done

    3. Re:A simple fix by phiz187 · · Score: 1

      I agree, and even if you just changed the color by one hexadecimal value, it should frustrate the script, but not change the appearance much to the end user. BUT, I'm not sure if the script can just read what your "visited links color" is and use the color dynamically. We are both presuming that the script has hardcoded the "visited links" color. I don't know if that assumption is true.

      --
      Pretend I said something meaningful or insightful here.
    4. Re:A simple fix by Impy+the+Impiuos+Imp · · Score: 1

      Ummm, no, you don't necessarily know if a link is one you've visited already. That's why the purplization is useful to many people. You only know after you've clicked it a lot of the time. Massive, munged links to particular stories on sites like CNN, you could very well not know -- and some sites don't use any human-understandable words in those links anyway.

      As for the style sheet, tough shit. I like the purple links telling me I've clicked it already. Somebody's lost the whole concept behind a linked hypersystem if they think some dork's color preferences should win out over the larger-scale picture of the purpose of hyperlinking. The only issue is when background colors might make the purple links hard to see, but again, a good browser should compensate for that anyway.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    5. Re:A simple fix by clone52431 · · Score: 1

      You completely missed my point. And I don’t think you know what history sniffing is, or how it works.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    6. Re:A simple fix by Obsi · · Score: 1

      Would incrementing just one of the bytes in the RGB triplet by one help?

    7. Re:A simple fix by Anonymous Coward · · Score: 0

      So..

      unvisited returns all the links I've never visited on the internet?

    8. Re:A simple fix by RockDoctor · · Score: 1

      Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.

      If that's so important to the website owner that it renders the site unusable, then it probably wasn't worth using anyway.

      If someone has information worth imparting and data worth considering, then they've no need to use bells and whistles other than to show off their lack of confidence in their content. Contrariwise, someone with a valueless, "me too" website is likely to disguise its lack of content with bells and whistles.

      Does this make me a bad consumer? You bet! Just thank your lucky stars that you don't have the thankless and likely unprofitable task of trying to sell to me.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  11. Use multiple browsers by mbone · · Score: 3, Interesting

    My recommendation is to use multiple browsers.

    Say you use Firefox for your web searches.

    Then run Facebook on Safari (say).

    Anything Google on Opera.

    Any porn on Chrome.

    Etc.

    There are a bunch of browsers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.

    1. Re:Use multiple browsers by adnonsense · · Score: 1

      This is what I've been doing for years.

      Though I'd swap the Opera and Chrome recommendations.

    2. Re:Use multiple browsers by Jah-Wren+Ryel · · Score: 1

      Or use multiple profiles with the same browser, for example start Firefox with:

      -no-remote -ProfileManager

      and then create different profiles for different websites.

      You will have completely different sets of plugins, bookmarks, histories, settings, etc.
      Some plugins, like Flash, will share common settings because they store stuff outside of the Firefox directories (~/.macromedia/ for example).

      --
      When information is power, privacy is freedom.
    3. Re:Use multiple browsers by Anonymous Coward · · Score: 0

      Hey, I already do that!
      * Netflix on Firefox/Windows
      * everything else on Firefox/Linux

      But it's mostly because you STILL can't run Netflix on Linux.

      AC

  12. More options for IE users by Anonymous Coward · · Score: 0

    See http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx

  13. Answers in Genesis is also using this by wk633 · · Score: 1

    As pointed out by PZ Myers http://scienceblogs.com/pharyngula/2010/12/another_reason_to_avoid_visiti.php
    The comments in their javascript are kind of funny. In particular, // CREATIONIST GROUPIES

  14. That isn't obfuscation... by IBitOBear · · Score: 1

    Compressing code into a near-unreadable terse format to reduce transmission bandwidth is not "obfuscation", it's "compression".

    Obfuscation has, as a trademark, the addition of operations intended to obscure the function of the code. Compressed code doesn't particularly obscure the function, though it usually obscures the purpose of the coded operations.

    Example: "++a;" is compressed and obscure to purpose as we don't know what _a_ represents nor why incrementing it by one is significant. This is compressed code.

    Example: "aeradewd=1; /* long body of code */ aeradewd = ~aeradewd; /*long body of code */ wierakex --= aeradewd;" is obfuscated code. While it is no more clear that _a_ and _wierakex_ are analogous, deliberate gymnastics have been undertaken to "hide" the fact that _wierakex_ is being incremented by one. This is obfuscated code.

    Obfuscated code is usually less efficient, but it doesn't have to be. In the obfuscated case, if the incrementor factor had been constant, and the ~ operator had been used to initialize a second constant instead of altering a variable, then the compiler would have seen the final "--= -1" and converted that into an increment operation.

    So "poor programming practices" and frankly old-school variable and function names (possibly as the result of a global search-and-replace of good names for terse ones) is unfriendly to your eyes, but falls far short of the verb "to (deliberately) obfuscate". When done to reduce network consumption and improve page load times, you are in the realm of completely legitimate action. At that point you might as well complain that compilation is an act of obfuscation undertaken just to inconvenience you.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
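
Added example (not part of any comment above, and not code from the study or from any site named in the thread): a static heuristic for auditing a script for the history sniffing discussed here. Minification leaves string literals readable, so an embedded URL list survives it, while an encoding step such as ROT13 hides the list until it is decoded; the function names, the sample inputs and the three-URL threshold are assumptions.

```javascript
// Static audit heuristic (added example; names and thresholds are assumptions).
// Flags a script that reads computed/current style AND carries a list of URLs,
// whether the URLs are plain string literals or ROT13-encoded ones.

// ROT13 is its own inverse, so the same function encodes and decodes.
function rot13(s) {
  return s.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Extract the contents of single- and double-quoted string literals.
function stringLiterals(src) {
  const out = [];
  const re = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

const URLISH = /^(?:https?:\/\/|www\.)[\w.-]+\.[a-z]{2,}/i;

function auditScript(src, minUrls = 3) {
  const plainUrls = [];
  const rot13Urls = [];
  for (const lit of stringLiterals(src)) {
    if (URLISH.test(lit)) plainUrls.push(lit);                 // readable as-is
    else if (URLISH.test(rot13(lit))) rot13Urls.push(rot13(lit)); // hidden list
  }
  // Style reads alone are common and benign; so is a single URL.
  const readsStyle = /\bgetComputedStyle\b|\bcurrentStyle\b/.test(src);
  const suspicious = readsStyle && plainUrls.length + rot13Urls.length >= minUrls;
  return { readsStyle, plainUrls, rot13Urls, suspicious };
}

// Constructed inputs (fragments written for this example, not from any real site).
const MINIFIED = 'var a=["http://example.com/","http://example.org/","http://example.net/"],c=getComputedStyle(l,null).color;';
const ENCODED = 'var a=["uggc://rknzcyr.pbz/","uggc://rknzcyr.bet/","uggc://rknzcyr.arg/"],c=getComputedStyle(l,null).color;';
const BENIGN = 'var c=getComputedStyle(document.body,null).color;var home="http://example.com/";';

for (const [name, src] of [['minified', MINIFIED], ['encoded', ENCODED], ['benign', BENIGN]]) {
  const r = auditScript(src);
  console.log(name, r.suspicious, r.plainUrls.length, r.rot13Urls.length);
}
```

A hit is a reason to read the script, not a verdict: the heuristic only sees literals and ROT13, so any other encoding passes unflagged.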