Slashdot Mirror


History Sniffing In the Wild

An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

26 of 96 comments

  1. YouPorn script by Amorymeltzer · · Score: 2

    The fact that they intentionally obfuscated the code means that they KNEW this would piss people off, and were hoping to just bore curious folk by presenting seemingly random characters.

    --
    I live in constant fear of the Coming of the Red Spiders.
    1. Re:YouPorn script by The+MAZZTer · · Score: 5, Informative

      Google obfuscates its JavaScript all the time, in order to keep page sizes low and load times fast (and perhaps to keep people from stealing their code).

    2. Re:YouPorn script by hairyfeet · · Score: 2

      Frankly I don't know why it would piss people off, as if you actually look at the list Youporn doesn't care if you went to..say Amazon or not. No, what they are looking for is to see if you have visited any of their "sister" sites, those they share a lot of links with. It makes sense to me if they are sharing referrals they would want to know which sites give them more hits and thus should be higher ranked VS those that give them less. And since with both Youporn and the sister sites they have everything categorized anyway it isn't like someone is suddenly gonna learn you like chubby dominatrix midgets from Lithuania, since on any of those sites a guy is gonna head to his favorite category like a heat seeking missile.

      What worries me more is ones that look at sites like Amazon. Just because I visit your site does NOT give you the right to see what presents I bought my family! Can anyone confirm that those of us with ABP and Noscript are safe (as we usually are) or if they have figured a way around it? I tried to read the PDF but it is too damned early and I haven't had my morning caffeine so trying to make heads or tails out of research papers is a little out of my league ATM.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:YouPorn script by camperslo · · Score: 3, Interesting

      What about Firefox hidden history data?

      Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
      How secure is that??

      Note that entering "about:config" in the address bar allows editing the config settings.

    4. Re:YouPorn script by rtfa-troll · · Score: 2

      If you managed to just read to the end of the article; and I'm really surprised you didn't before posting; or followed the asterisk like I did; you would find that they have rot-1 encryption that in no way changes the size of the links. It's straightforward obfuscation. In fact since they have to load the obfuscation code it takes more space.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
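Added example, not part of the thread and not the script it discusses: a small analyst helper that pulls string literals out of a script and reports the hostnames that only become readable after undoing a shift-by-one substitution. The exact "rot-1" scheme is not given in the thread, so the letter-only shift, the function names, the TLD list and the sample input are all assumptions.

```javascript
// Undo a forward alphabet shift: with shift = 1, "b" -> "a" and "a" -> "z".
// Assumption: only letters were shifted; digits, dots and hyphens are unchanged.
function unshift(text, shift = 1) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // uppercase or lowercase alphabet start
    const pos = (((ch.charCodeAt(0) - base - shift) % 26) + 26) % 26;
    return String.fromCharCode(pos + base);
  });
}

// Hostname ending in a common TLD (hypothetical short list for this example).
const HOST_RE = /^(?:[a-z0-9-]+\.)+(?:com|net|org|info|tv)$/i;

// Pull the contents of quoted string literals out of script source.
function stringLiterals(source) {
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[2]);
  return out;
}

// Return hostnames that only become readable after decoding.
function recoverHosts(source, shift = 1) {
  const found = new Set();
  for (const lit of stringLiterals(source)) {
    if (HOST_RE.test(lit)) continue; // already plain text, nothing hidden
    const decoded = unshift(lit, shift);
    if (HOST_RE.test(decoded)) found.add(decoded.toLowerCase());
  }
  return [...found];
}

// Constructed sample (not the real script): placeholder hosts shifted by one.
const SAMPLE =
  'var l=["fybnqmf.dpn","tjtufs-tjuf.fybnqmf.ofu","plain.example.org"];probe(l);';

console.log(recoverHosts(SAMPLE));
```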
  2. Went to http://startpanic.com/ by The+MAZZTer · · Score: 4, Informative

    ...using Chrome in incognito mode. It determined I had visited...

    ...startpanic.com

    So yeah, use incognito/private browsing mode.

    1. Re:Went to http://startpanic.com/ by i.am.delf · · Score: 2

      Hah I tried this in 9.0.597.0 without incognito and it detected... startpanic.com only

    2. Re:Went to http://startpanic.com/ by GNUALMAFUERTE · · Score: 4, Informative

      RTFA. Webkit-based browsers solved this a while ago, and Firefox did it in their latest release.

      As usual, only explorer is vulnerable. No comments on Opera. Anyone care to test it out?

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    3. Re:Went to http://startpanic.com/ by NatasRevol · · Score: 2

      Safari without Private Browsing works fine too.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:Went to http://startpanic.com/ by Kjella · · Score: 3, Informative

      Opera 10.63, definitively vulnerable.

      --
      Live today, because you never know what tomorrow brings
  3. Plug the leak in Firefox by hansamurai · · Score: 5, Informative

    Open about:config

    Set layout.css.visited_links_enabled to false

    1. Re:Plug the leak in Firefox by clickclickdrone · · Score: 2

      Or switch to private browsing mode first.

      --
      I want a list of atrocities done in your name - Recoil
    2. Re:Plug the leak in Firefox by The+MAZZTer · · Score: 4, Interesting

      You shouldn't even need to go that far, Mozilla plugged most of the leak. I'm not sure if this made it into 3.6 though... might want to wait for 4.0?

    3. Re:Plug the leak in Firefox by Jaysyn · · Score: 2

      Thank you.

      --
      There is a war going on for your mind.
    4. Re:Plug the leak in Firefox by choongiri · · Score: 2

      It didn't. 3.6.12 still has the leak.

  4. Re:History sniffing by camperdave · · Score: 2

    You should smell some of the "history" in the back of MY fridge.

    --
    When our name is on the back of your car, we're behind you all the way!
  5. HTML5 will fix it by alen · · Score: 4, Funny

    Steve Jobs told me that it's going to be super secure

  6. Javascript... by betterunixthanunix · · Score: 5, Insightful

    If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it? That is basically what is happening when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

    --
    Palm trees and 8
    1. Re:Javascript... by 0123456 · · Score: 3, Interesting

      > And HTML differs from Javascript how? Or how about an image?

      Neither HTML or JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

    2. Re:Javascript... by clone52431 · · Score: 2

      > Neither HTML or JPEG files are Turing-complete programming languages.

      It has nothing to do with Turing-completeness.

      > Sure, your HTML or JPEG parser might have bugs that allow remote exploits

      And everything to do with that.

      > that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

      No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    3. Re:Javascript... by 0123456 · · Score: 3, Interesting

      > No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

      Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.

    4. Re:Javascript... by betterunixthanunix · · Score: 2

      > It has nothing to do with Turing-completeness.

      That depends on what sort of attack you want to perform.

      > It has a sandbox that it plays in. If JS code breaks out of that, it's a bug

      Suppose you have a perfect sandbox, no bugs whatsoever. You can still perform the attack described in TFA, because Javascript is supposed to be able to do exactly what TFA describes. You could still have problems with XSS attacks (this is external to bugs in the Javascript interpreter). The API allows these things to happen, and a bug-free Javascript interpreter would still have to conform to the API.

      --
      Palm trees and 8
  7. Forbes shouldn't try to write about tech by Anonymous Coward · · Score: 5, Insightful

    If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.

    > A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,”

    This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."

    It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.

    The same goes for the mention of cookies.

    > The FTC has proposed the creation of a Do Not Track option for Web surfers, which would regulate history sniffing as well as ad networks placing cookies on your computer to keep track of you.

    Never in the history of the web, has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.

    Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.

    [*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.

    What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.

  8. A simple fix by VernonNemitz · · Score: 3, Interesting

    In Firefox, even older versions (and perhaps some of the other browsers out there), you can change your "visited links" color (via Edit, Preferences, Appearance, Colors) to something other than purple. Then this script won't work. More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

    1. Re:A simple fix by clone52431 · · Score: 3, Informative

      > More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

      Sure you can. Just check a link to the page you’re on, since you know it’s visited.

      Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  9. Use multiple browsers by mbone · · Score: 3, Interesting

    My recommendation is to use multiple browsers.

    Say you use Firefox for your web searches.

    Then run Facebook on Safari (say)

    Anything google on Opera.

    Any porn on Chrome.

    Etc.

    There are a bunch of browsers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.