Slashdot Mirror


Sites Guilty of Hijacking History

Gunkerty Jeb writes "A recent study launched by the UC San Diego Department of Computer Science to determine the scope of privacy-violating information flows at popular websites shows that popular Web 2.0 applications such as mashups, aggregators, and sophisticated ad targeting are teeming with various kinds of privacy-violating flows. Ultimately the researchers determined that such attacks are not being adequately defended against."

58 comments

  1. Less Than One Percent is Teeming? by eldavojohn · · Score: 4, Interesting

    ... shows that popular Web 2.0 applications such as mashups, aggregators, and sophisticated ad targeting are teeming with various kinds of privacy-violating flows.

    So they inspect the top 50,000 sites and 485 have some level of inferring browser history data? I'm not so sure I see the abundance noted in the summary. Less than one percent is teeming? And only one of those sites is ranked in the top 100 by Alexa?

    I'm not saying we shouldn't worry about this or we should ignore it but come on.

    Just face it, websites often operate on razor-thin margins. They live and die by the clicking of advertisements on their pages. Now they've found a way to sell private information that could be mildly useful to the right bidder. And it turns out it's mostly adult websites that stream video doing this. You might have cause for being upset, but anyone familiar with the business models of seedy websites should not be surprised.

    I have always used Google Chrome's incognito browser when I go to seedy sites. It's simply not going to be a priority for the masses, but for people who are annoyed or angry, it's the best way to deal with this sort of thing. If some major non-adult site were doing this, I think they would be setting themselves up for embarrassment. I'm glad somebody's doing these checks.

    --
    My work here is dung.
    1. Re:Less Than One Percent is Teeming? by Moraelin · · Score: 4, Funny

      Well, it being used by adult sites is the worst case scenario right there.

      I mean, one day I could be doing my porn surfi^H^H^H^H^H research on some innocent topic like "anal bdsm gangbang" and next, BAM, a popup comes and says "Mr Moraelin, our mining your history has determined that you've been repeatedly on EA's The Sims 3 site, at least once on the registration site of Hello Kitty Online, in at least one thread named Barbie Horse Adventures Review, and have ordered an iPhone for Christmas. Other users who visited those sites, also visited our gay site, and our guide to coming out of the closet."

      --
      A polar bear is a cartesian bear after a coordinate transform.
    2. Re:Less Than One Percent is Teeming? by Reziac · · Score: 3, Informative

      Much more interesting and enlightening, the entire report:

      http://cseweb.ucsd.edu/users/lerner/papers/ccs10-jsc.pdf

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  2. Wait... by biryokumaru · · Score: 4, Funny

    I thought that was the whole point of Web 2.0: directly connecting you to people who want to sell you junk you don't need based vaguely on what your interests might be.

    Heck, Netflix recommended Rocky and Bullwinkle based on my interest in Yojimbo, and they were spot on... doesn't get much more Web 2.0 than that.

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
    1. Re:Wait... by Pojut · · Score: 1

      Yay! Another Yojimbo fan! I am constantly amazed by the number of Kurosawa fans I know that haven't seen it...

    2. Re:Wait... by TheRaven64 · · Score: 1

      Pretty much every film I've watched on the LoveFilm watch online thing ends by telling me that Pulp Fiction and The Shawshank Redemption are 'films like this'. After seeing that recommendation, I think I'd quite like to see a film that actually is like both of those...

      --
      I am TheRaven on Soylent News
    3. Re:Wait... by camperdave · · Score: 2

      I just looked it up on IMDB: A crafty ronin comes to a town divided by two criminal gangs and decides to play them against each other to free the town. Sounds like a rehash of "A Fistful of Dollars" to me. :-)

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:Wait... by Pojut · · Score: 1

      All the classic samurai movies are Westerns with Swords® :)

    5. Re:Wait... by biryokumaru · · Score: 1

      Ya, Kurosawa is a pretty bad hack, it's true. Check out The Hidden Fortress, it's practically a scene-for-scene rip off of the first Star Wars.

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    6. Re:Wait... by eudas · · Score: 1

      I'm sure you already know this, but...

      Yojimbo (1961)
      http://www.imdb.com/title/tt0055630/

      A Fistful of Dollars (1964)
      http://www.imdb.com/title/tt0058461/

      Last Man Standing (I) (1996)
      http://www.imdb.com/title/tt0116830/

      And while we're on the topic, Sanjuro is also a great flick. "It is a sequel to Kurosawa's previous film Yojimbo, with Mifune reprising his role as a wandering ronin."
      http://www.imdb.com/title/tt0056443/

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
    7. Re:Wait... by Anonymous Coward · · Score: 1

      Whoosh

    8. Re:Wait... by Ihmhi · · Score: 1

      And while we're on the topic, Sanjuro is also a great flick.

      Or as it's known in America, "Jimbo 3".

      .

      .

      .

      (Disclaimer: Only Japanese language speakers will get this joke.)

    9. Re:Wait... by c6gunner · · Score: 1

      Uh. Ok, I want to point out that 1958 comes before 1977, but there's a teeny voice in my head saying "maybe he's being sarcastic ..."

    10. Re:Wait... by biryokumaru · · Score: 1

      I wonder if the order of the films Fistful of Dollars and Yojimbo might tip you off...

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    11. Re:Wait... by hairyfeet · · Score: 1

      Man, they just don't make good westerns like that anymore! My favorite bit has to be in "The Good, The Bad, and The Ugly" where a gunslinger catches Tuco in the bath and gives him this long spiel about how Tuco killed his brother, when right in the middle of it Tuco shoots him through the bubbles, thanks to the gun on a rope he carries around his neck, and says "If you are gonna shoot, shoot. Don't talk." Classic!

      As for TFA, while I agree that such behavior should be discouraged, from the looks of TFA it is much ado about nothing. The sites aren't checking your whole browsing history, but whether you have visited sites they link with, probably to figure out which sites should get better page layout. For example, Youporn checks for Pornhub and Tube8. I suppose they could solve this without checking history by having a pop-up questionnaire, but I have a feeling those looking for lesbian gangbangs might not be too happy getting asked 20 questions before they get their porn fix.

      Funny that I don't see "MyFreePaySite" (not gonna link, because that is the site I point my "must have teh prons!" customers to and I don't want it slashdotted) on there, because I figure they had to have another line to make money besides the selling of toys and the ultra HD feeds. Oh well, that site gives my customers over 10,000 free complete porn vids and only asks for an email address to send their password to (which they don't even spam, I was surprised) so my "must have teh prons!" customers are happy and I don't have to clean malware from their machines, which makes ME happy! ;-)

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Wait... by Philomage · · Score: 1

      The wikipedia article on Kurosawa is a fascinating read; you should try it sometime.

      Turns out that most of western culture's "filmmaking" is just inspired selection of the right sources to rip off.

      Magnificent Seven = Seven Samurai

      Fistful of Dollars = Yojimbo (= Dashiell Hammett's The Glass Key and Red Harvest)

      Star Wars = The Hidden Fortress

      Just culture building on culture coming before it: this is why copyright needs to be reined back.

  3. CmdrTaco ... by jginspace · · Score: 0, Troll

    ... privacy-violating flows.

    CmdrTaco: Do you EVER read any submission before publishing?

    1. Re:CmdrTaco ... by Anonymous Coward · · Score: 1

      It's not Taco's fault that privacy violations tend to get much worse every 28 days.

    2. Re:CmdrTaco ... by gstoddart · · Score: 4, Informative

      CmdrTaco: Do you EVER read any submission before publishing?

      Before you piss and moan ...

      This study comes as a result of the increasing complexity of JavaScript web applications propagating privacy-violating information flows. ‘Privacy-violating information flows’ is a general term which can be subcategorized into four areas of nefarious activity: cookie stealing, location hijacking, history sniffing, and behavior tracking. Their goal was to draw attention to the prevalence of history sniffing at high traffic sites.

      Try reading TFA before you whine too loudly; those words are a direct quote and apparently not a typo.

      Not saying that sometimes the editors shouldn't proofread more, but it's important to actually know the difference.

      --
      Lost at C:>. Found at C.
    3. Re:CmdrTaco ... by jginspace · · Score: 1

      Ah ... UCSD ... sounds like this might be what you're referencing: http://cseweb.ucsd.edu/~hovav/papers/jjls10.html could be interesting if linked up with the stuff Microsoft are developing (Slashdot story from couple of days ago).

    4. Re:CmdrTaco ... by Anonymous Coward · · Score: 0

      CmdrTaco: Do you EVER read any submission before publishing?

      That CmdrTaco dude needs to read Slashdot now and then.

    5. Re:CmdrTaco ... by jginspace · · Score: 1

      Yep: Seems like 'privacy-violating flows' = 'history sniffing' ... common reference is Youporn.

  4. Lets see... by leuk_he · · Score: 0
    1. Re:Lets see... by John+Hasler · · Score: 1

      Evidently I'd have to enable Javascript to find out.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Lets see... by leuk_he · · Score: 1

      I did not post the link without javascript again, did I?

    3. Re:Lets see... by gstoddart · · Score: 1

      Evidently I'd have to enable Javascript to find out.

      From Facebook, Digg, and the linked site no less.

      Man, I love noscript.

      --
      Lost at C:>. Found at C.
    4. Re:Lets see... by windcask · · Score: 1

      I'd make a comment about Lynx, but odds are you're not going to be watching much porn in that anyway.

  5. Sometimes the cross site ad placement by scourfish · · Score: 1

    makes me laugh more than frightens me. It's always amusing to go to some popup-riddled website to look up the lyrics to a song, and off in the corner of all of the irrelevant-to-my-tastes "mp3 ringtone justin bieber ringtones here click here to guess your crush" ads is a singular "32-bit RISC based microcontrollers from Atmel" advertisement.

  6. And who's surprised by this? by Anonymous Coward · · Score: 1

    For-profit websites using questionable tactics to gather information to better target their advertisements. Film at 11.

    1. Re:And who's surprised by this? by tacktick · · Score: 1

      Yeah, exactly. Wake me up when you find "conclusive evidence" that adult websites that try to foist spyware onto your machine are also tracking and scrabbling for every little crumb of data on you that they can sell. Adblockplus/Ghostery+Noscript+Private browsing mode = Win

  7. "Sites guilty of hijacking history"? by TyTheBold · · Score: 2

    Have we finally found out where in the world/time/on earth is Carmen Sandiego?

    1. Re:"Sites guilty of hijacking history"? by noidentity · · Score: 1

      And what the hell is "hi-jacking"? Is that some new Web 2.0 term for something?

    2. Re:"Sites guilty of hijacking history"? by Monkeedude1212 · · Score: 1

      My first thought was of browser hi-jacking, like when you get a nasty piece of Malware that redirects all your google search links to their advertisements.

      I would think that "History Hijacking" would mean gaining control over what's in your history, which seems ultimately useless unless you were aiming to embarrass someone on false pretenses...

      They really shouldn't use the word "hijacking" out of its real context. Just "reading information" does not constitute hijacking. Even stealing doesn't constitute Hijacking.

    3. Re:"Sites guilty of hijacking history"? by noidentity · · Score: 1

      They really shouldn't use the word "hijacking" out of its real context.

      The headline didn't even use that word; it used "hi-jacking" (note the hyphen). I was asking what that meant. I've never seen that term before.

    4. Re:"Sites guilty of hijacking history"? by scorp1us · · Score: 1

      Agreed. The hyphenation in our advanced concepts of today require hyphenations, but are hi-jacking spellings of already established compound words. Hijack does not need a hyphen. But neither is it a compound word.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    5. Re:"Sites guilty of hijacking history"? by plover · · Score: 1

      The headline didn't even use that word; it used "hi-jacking" (note the hyphen). I was asking what that meant. I've never seen that term before.

      It's just editorial hi-jinks, no doubt.

      --
      John
    6. Re:"Sites guilty of hijacking history"? by CapOblivious2010 · · Score: 1

      I thought maybe some site was pointing a gun at a historian, and forcing him to write about how wonderful Castro has been for Cuba or something.

  8. Are people retarded? by the_raptor · · Score: 4, Insightful

    How do people think that all these "web 2.0" social media sites make money? They do it by selling tracking data about you to research companies and the like.

    It is like supermarket "loyalty" cards. They aren't primarily handing those out to keep customers loyal; they are doing it to gather information about buying habits.

    TANSTAAFL: If you can't figure out the cost of something you are probably being played.

    --

    ========
    CINC, 4th Penguin Legion
  9. Website to Check if You're a Victim? by SeriouslyNoClue · · Score: 0

    I would be so insanely upset if I found out a site I visited did this to me!

    they inspect the top 50,000 sites and 485 have some level of inferring browser history data

    Is there a list of which ones were violators? They should be pariahs. Does anyone know if there's a website I can visit that will send each of the links I've visited in the past and check it against this list of 485 violators? That would be really easy and helpful to the victims and myself!

    1. Re:Website to Check if You're a Victim? by clone52431 · · Score: 2

      As far as history sniffing is concerned, just recently we heard about history sniffing by “mainstream ad networks” and YouPorn (...accompanied by a great disturbance in the Force, as if millions of anon suddenly cried out in terror and were suddenly silenced). Also, [PDF] “documents hundreds of commercial sites exploiting it”.

      To learn whether you’re vulnerable (and how exactly this works), http://startpanic.com/.

      There are a few ways to immunize Firefox against this sort of attack:

      Clearing your history is obviously effective, whether that means clearing it entirely or just deleting particular sites from the history. If a site isn’t in the history, it can’t be detected. You could also use an addon to clean up your history, e.g.
      History Deleter – Deletes browsing history by keywords and/or date (on browser close)
      HistoryBlock – Blocks specified sites from history, recently closed tabs, and the download manager

      Also, disabling the visited link styling will prevent history sniffing, but you won’t be able to tell if links have been visited by their visual style any more. To disable it, go to about:config, paste layout.css.visited_links_enabled into the search bar, and change its value to false.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    2. Re:Website to Check if You're a Victim? by gstoddart · · Score: 1

      Does anyone know if there's a website I can visit that will send each of the links I've visited in the past and check it against this list of 485 violators? That would be really easy and helpful to the victims and myself!

      See, now that's funny. :-P

      Yes, we should all send our entire browsing history to yet another company so they can verify if we might have given away private data.

      You, sir, need a newsletter. ;-)

      --
      Lost at C:>. Found at C.
  10. old news to some but now spreading by oWj9*7!7dsggh7 · · Score: 2

    For many Slashdot readers, this is old news. But the interesting thing is how awareness of web-privacy issues has hit the mainstream. The Wall Street Journal (whose news pages typically have at least half a dozen trackers on them) has been running a whole series on simple tools to avoid being tracked online.

    I think the place of the Internet in society is entering a new phase.

  11. Said it before, I'll say it again by Pojut · · Score: 4, Insightful

    If a site offers up ads on subjects I'm interested in, I have no problem leaving them unblocked. I learn about products I care about, the site gets ad revenue, and the company gets word-of-mouth. Everyone wins.

    So long as sites show me ads relevant to their own subject, I have no problem with them (excluding fly-over ads or ads with sound...those are NEVER ok.)

    1. Re:Said it before, I'll say it again by erroneus · · Score: 1

      That is a pretty short-sighted point of view. Let me point out that ads these days are far more offensive and far more aggressive than animated GIFs. They come laced with javascript and flash and all sorts of things that can be made to do all sorts of bad things. It also turns out that a great many people get their PCs compromised through ad servers rather than through sites hosting the content you are there for.

      I block ads for security purposes and so should everyone else until they stop putting this crap in ads.

  12. Read the paper... by crabel · · Score: 2

    The article is not particularly good, this one is better: http://www.switched.com/2010/12/02/bug-gathers-your-browsing-history-youporn-perez-hilton/ You can find the original study here: http://cseweb.ucsd.edu/users/lerner/papers/ccs10-jsc.pdf It is quite interesting, especially the list of sites is on page 9...

  13. Plugins for history/cookie poisoning? by OpenGLFan · · Score: 4, Interesting

    Back in the dark ages (1997 or so), there was a school of thought that advocated cookie poisoning, not just removal. Anybody know of any firefox plugins that actively randomize your history or cookies? Throwing wrenches into databases is the next best thing to naming your kid Little Bobby Tables.

    1. Re:Plugins for history/cookie poisoning? by inode_buddha · · Score: 1

      In a related way, I've long wondered if it's possible to script some history poisoning. Let them read my history all they want. Eventually, some ad company will get all excited about the new "goatse" phenomenon, and go to see what it is. Hence, every time I start Firefox, I want the whole history replaced with goatse.
      As it is, my hosts file and noscript make it all go away.

      --
      C|N>K
  14. Getting sick of /. being a blog advertiser... by Anonymous Coward · · Score: 0

    Since the referenced article was nothing more than a blog with no references to the original material...here is a link to get you started...

    http://www.jacobsschool.ucsd.edu/news/news_releases/release.sfe?id=1027

  15. Reminds me by Moraelin · · Score: 2

    Reminds me of a couple of months back when amazon.de, supposedly based on my previous purchases and pages visited, recommended me 3 new games for very little girls. And I mean really dress-up Barbie stuff. I'm still wondering exactly what has my alter-ego been looking at on Amazon.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Reminds me by Anonymous Coward · · Score: 0

      If you have a daughter, then you are used to this.

    2. Re:Reminds me by Moraelin · · Score: 1

      If you have a daughter, then you are used to this.

      I don't. That's the problem. I resolved I must buy more manly games, you know, Sweaty Guys Wrestling and Full-Contact Cock-Punching Extreme Edition to change Amazon's opinion of my tastes. Granted, now it probably thinks I'm gay, but it's a start ;)

      --
      A polar bear is a cartesian bear after a coordinate transform.
    3. Re:Reminds me by drinkypoo · · Score: 1

      You have been looking for cock-punching and barbie. Amazon decides to show you material on catholicism.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. it's 2010, people... don't run random scripts! by Anonymous Coward · · Score: 0

    Given that there is such a story in the news every few days, anyone who hasn't been living under a rock knows the kind of problems that come from running unsolicited scripts. Both direct privacy violating problems, and indirect ones such as breaking out of sandboxes through buffer overruns in PDF readers or whatever.

    Why would any sane person run non-trusted scripts, in 2010? Your bank site, sure. But that's not what we're talking about here. We're talking about scripts that violate privacy and potentially jack your machine. We hear of problem after problem after problem... yet people keep running them. Are they just insane, or what?

    If every time I walk into Joe's Diner I get hit in the face with a bat, pretty soon I learn to go eat at Sue's Diner where I don't get hit in the face. Bitching about getting hit but continuing to go to Joe's every day... I just don't know what to say.

    1. Re:it's 2010, people... don't run random scripts! by plover · · Score: 1

      That's the problem with Web 2.0. Everything's a script, from pull down menus to "Reply" buttons on blogs. Which of those is random? Which is malicious? Which shouldn't I run?

      It's easy to sort out the third-party scripts, and block all but domain originated scripts from the sites you visit. I don't care if CrazyEgg can't tell where I clicked, or if google-adsense fails to rack up another hit, or alexa doesn't count me in the Top 100. But I kind of need the internal site navigation stuff, and a lot of sites use scripts for sorting, comparison shopping, etc. The scripts in TFA are originating at the domain, and are not being served up as external scripts that are ordinarily blocked by noscript, ghostery, etc.

      I suspect these can be blocked with a greasemonkey script that redefines document.defaultView.getComputedStyle() and causes it to throw an exception or something (I can't think of a legitimate use of getComputedStyle that I'd care about.) But what about the invisible attacks I still don't know about yet? I guess I'll block them as they come.

      --
      John
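As an added example (not code from the thread, the UCSD paper or any userscript named above), here is what plover's getComputedStyle idea looks like from the defender's side: instead of throwing, the guard hands page scripts the unvisited style for every link and counts bulk link-style reads, which is the telltale of a sniffer. The `win`, `makeMockWindow` and `demo` names are assumptions; the mock window stands in for a 2010-era browser so the block runs under Node.

```javascript
// Properties a :visited rule could change in 2010-era browsers, hence what sniffers read.
const VISITED_SENSITIVE = ['color', 'backgroundColor', 'borderColor', 'outlineColor'];

const toCamel = (name) => name.replace(/-([a-z])/g, (_, c) => c.toUpperCase());

function isLink(el) {
  return Boolean(el && typeof el.tagName === 'string' &&
                 el.tagName.toUpperCase() === 'A' && el.href);
}

// baseline: computed style of a link the browser has never visited, captured by the caller
// BEFORE installing the guard (in a browser: a fresh <a> with a random, never-visited href).
function installVisitedGuard(win, baseline, { threshold = 50, onSuspect = () => {} } = {}) {
  const realGetComputedStyle = win.getComputedStyle.bind(win);
  const stats = { linkReads: 0, suspected: false };

  win.getComputedStyle = function guardedGetComputedStyle(el, pseudoElt) {
    const style = realGetComputedStyle(el, pseudoElt);
    if (!isLink(el)) return style;                 // non-links are left untouched
    stats.linkReads += 1;
    if (!stats.suspected && stats.linkReads >= threshold) {
      stats.suspected = true;                      // ordinary pages rarely read link styles in bulk
      onSuspect(stats.linkReads);
    }
    // Proxy the real declaration so every visited-sensitive read yields the unvisited value,
    // whether accessed as a property or through getPropertyValue().
    return new Proxy(style, {
      get(target, prop) {
        if (VISITED_SENSITIVE.includes(prop)) return baseline[prop];
        if (prop === 'getPropertyValue') {
          return (name) => (VISITED_SENSITIVE.includes(toCamel(name))
            ? baseline[toCamel(name)] : target.getPropertyValue(name));
        }
        const value = Reflect.get(target, prop);
        return typeof value === 'function' ? value.bind(target) : value; // keep methods callable
      },
    });
  };
  return stats;
}

// Constructed stand-in for a 2010 browser window (assumption, not a real API): it leaks
// history through the link colour, which is the leak plover's comment is about.
function makeMockWindow(visitedHrefs) {
  const visited = new Set(visitedHrefs);
  return {
    getComputedStyle(el) {
      const seen = isLink(el) && visited.has(el.href);
      return {
        color: seen ? 'rgb(85, 26, 139)' : 'rgb(0, 0, 238)',
        backgroundColor: 'rgba(0, 0, 0, 0)',
        fontSize: '16px',
        getPropertyValue(name) { return this[toCamel(name)] || ''; },
      };
    },
  };
}

// Runs the guard against the constructed window and returns what a sniffer would see.
function demo() {
  const win = makeMockWindow(['https://example.com/visited']);
  const link = (href) => ({ tagName: 'A', href });
  const read = (el) => win.getComputedStyle(el).color;
  const before = { visited: read(link('https://example.com/visited')),
                   fresh: read(link('https://example.com/never')) };
  const baseline = win.getComputedStyle(link('https://example.invalid/' + Math.random()));
  const flagged = [];
  const stats = installVisitedGuard(win, baseline, { threshold: 3, onSuspect: (n) => flagged.push(n) });
  const after = { visited: read(link('https://example.com/visited')),
                  fresh: read(link('https://example.com/never')),
                  viaGetter: win.getComputedStyle(link('https://example.com/visited'))
                                .getPropertyValue('color'),
                  div: win.getComputedStyle({ tagName: 'DIV' }).fontSize };
  return { before, after, linkReads: stats.linkReads, flagged };
}
```

Before the guard the mock reports different colours for visited and unvisited links; after it, both read as unvisited, non-link elements are untouched, and the third link-style read trips the suspicion callback. Current browsers already restrict what :visited can change and what getComputedStyle reports for it, so the guard is the 2010 mitigation, not something needed today.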
  17. "To Hi-Jack" by Anonymous Coward · · Score: 0

    I challenge anyone to define the verb "to hi-jack" in a manner that is consistent with this article's usage, and yet also somewhat consistent with prior usages (we can relax this constraint a bit -- we'll have to, or else you have no chance!), and also not so generic that it essentially only means "to do something that someone doesn't like."

    When you try to over-dramaticize things by abusing words, you rob them of their meaning.

  18. History Hijacked? by lymond01 · · Score: 1

    "Sites Guilty of Hi-Jacking History"

    I thought this was going to be a much more interesting listing of sites that have blatantly changed the facts to suit their needs. whitehouse.gov, foxnews.com, cnn.com, msnbc.com, prettymuchanyfinanciallendinginstitution.com, etc

    1. Re:History Hijacked? by neminem · · Score: 1

      And here I thought maybe the Daleks made a site. They're *always* hijacking history.