History Sniffing In the Wild

An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

YouPorn script

[Amorymeltzer]

The fact that they intentionally obfuscated the code means that they KNEW this would piss people off, and were hoping to just bore curious folk by presenting seemingly random characters.

Re:YouPorn script

[The MAZZTer]

Google obfuscates its JavaScript all the time, in order to keep page sizes low and load times fast (and perhaps to keep people from stealing their code).

A simple fix

[VernonNemitz]

In Firefox, even older versions (and perhaps some of the other browsers out there), you can change your "visited links" color (via Edit, Preferences, Appearance, Colors) to something other than purple. Then this script won't work. More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

Re:

[clone52431]

More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.

Sure you can. Just check a link to the page you’re on, since you know it’s visited.

Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.

Re:

[Impy the Impiuos Imp]

Ummm, no, you don't necessarily know if a link is one you've visited already. That's why the purplization is useful to many people. You only know after you've clicked it a lot of the time. Massive, munged links to particular stories on sites like CNN, you could very well not know -- and some sites don't use any human-understandable words in those links anyway.

As for the style sheet, tough shit. I like the purple links telling me I've clicked it already. Somebody's lost the whole concept behind a linked

Re:

[clone52431]

You completely missed my point. And I don’t think you know what history sniffing is, or how it works.

Re:

[RockDoctor]

Anyway changing those colours makes them clash with the rest of the stylesheet on a lot of websites.

If that's so important to the website owner that it renders the site unusable, then it probably wasn't worth using anyway.

If someone has information worth imparting and data worth considering, then they've no need to use bells and whistles other than to show off their lack of confidence in their content. Contrariwise, someone with a valueless, "me too" website is likely to disguise it's lack of content with bells and whistles.

Does this make me a bad consumer? You bet! Just thank your lucky stars that you d

Re:

[phiz187]

I agree, and even if you just changed the color by one hexadecimal value, it should frustrate the script, but not change the appearance much to the end user. BUT, I'm not sure if the script can just read what your "visited links color" is and use the color dynamically. We are both presuming that the script has hardcoded the "visited links" color. I don't know if that assumption is true.

Re:

[Obsi]

Would incrementing just one of the bytes in the RGB triplet by one help?

Re:

[ObsessiveMathsFreak]

I was going to respond to your point by noting that Google is the world's largest internet company. Then I noticed that Youporn.com is apparently the 61st highest ranked internet site. I guess you can't exactly say that these guys are small time.

Re:

[Clueless Moron]

That's nice, but this particular obfuscation makes the script bigger and slower

Re:

[marcansoft]

No, Google optimizes its JavaScript in order to reduce size and execution time. That just happens to make it quite hard to read. Think "compiling" JavaScript into a smaller, not-meant-for-humans form.

This is different, it's deliberate obfuscation designed to make the script hard to read, while doing nothing for performance. It's a simple version of source or executable obfuscation. A more elaborate example would be the stuff that Apple does to their iTunes DB hashing algorithm to lock users into iTunes and

Re:

[rtfa-troll]

If you managed to just read to the end of the article; and I'm really surprised you didn't before posting; or followed the asterisk like I did; you would find that they have rot-1 encryption that in no way changes the size of the links. It's straight forward ofuscation. In fact since they have to load the obfuscation code it takes more space.

Re:

[after.fallout.34t98e]

My bet would be that they are simply looking not to give others any help in SEO rankings. This very simple cipher would make it so that any potential search engine wouldn't see a url to pornhub.com on their site.

That isn't obfuscation...

[IBitOBear]

Compressing code into a near-unreadable terse format to reduce transmission bandwidth is not "obfuscation" it's "compression".

Obfuscation has, as a trademark, the addition of operations intended to obscure the function of the code. Compressed code doesn't particularly obscure the function, though it usually obscures the purpose of the coded operations.

Example: "++a;" is compressed and obscure to purpose as we don't know what _a_ represents nor why incrementing it by one is significant. This is compressed co

Re:

[Lennie]

The proper term is minimize and their are plenty of tools out there which do beatification. For example the Y-Slow extension for the Firebug extension of Firefox (yes I know to many extensions :-( )

Re:

[John Hasler]

More likely they were trying to protect their wonderful proprietary code from their competitors.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Amorymeltzer]

That places a lot of trust in the website that I don't really have. "Oh sure, take a look at what sites I go to, just make sure it's only the ones I'm cool with, k?" If someone wants to let websites in on all or some of their history, they can go hog wild, but I should be able to keep mine private. I don't want places knowing what I bought on Amazon, and I don't want Amazon knowing what I look at.

Re:YouPorn script

[camperslo]

What about Firefox hidden history data?

Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
How secure is that??

Note that entering "about:config" in the address bar allows editing the config settings.

Went to http://startpanic.com/

[The MAZZTer]

...using Chrome in incognito mode. It determined I had visited...

...startpanic.com

So yeah, use incognito/private browsing mode.

Re:

[i.am.delf]

Hah I tried this in 9.0.597.0 without incognito and it detected... startpanic.com only

Re:

[NatasRevol]

Safari without Private Browsing works fine too.

Re:

[The MAZZTer]

Oh! So it does! Maybe the Chrome team fixed this like Firefox has.

Re:Went to http://startpanic.com/

[GNUALMAFUERTE]

RTFA. Webkit-based browsers solved this a while ago, and Firefox did it in their latest release.

As usual, only explorer is vulnerable. No comments on Opera. Anyone care to test it out?

Re:

[Anonymous Coward]

Opera 10.63 under a private tab on startpanic.com reports back with just startpanic.com.

Re:Went to http://startpanic.com/

[Kjella]

Opera 10.63, definitively vunerable.

Re:

[Jaysyn]

Latest release? If you mean Firefox 3.6.12, it's still vulnerable. I just tested it & then fixed it thanks to a helpful commenter.

Re:

[GNUALMAFUERTE]

Sorry, I mean latest beta.

Re:

[Anonymous Coward]

Meh... It doesn't appear to work in Firefox4, Chrome or Opera at all (in any mode).

It seems to only work in Firefox3 as long as you don't have NoScript, etc. Firefox3's private mode offers protection as well.

I didn't test IE.

Seems like the browser makers were already on top of this.

Re:

[after.fallout.34t98e]

The way to do it without javascript (so that it would work in Firefox 3 as well with NoScript enabled) was to do it purely with css:

in html:

<a class='linktestgoogle' href='www.google.com'>&nbsp;</a>

in css:
.linktestgoogle {visibility: hidden;}
.linktestgoogle:visited { background-url: url('pagevisited.php?url=google'); }

(correcting for mistakes made in typing into this textarea)

Re:

[Facegarden]

Using Chrome 8 without incognito, i got... nothing.

It didn't even show me startpanic.com.

So maybe... don't use incognito?

Re:

[Impy the Impiuos Imp]

What if you open a non-incognito (cognito?) window? Will it purple links you are currently viewing in your incognito window?

BTW, I'm pretty sure Pandora does this, too.

Re:

[Lennie]

FF4 also solved this.

Yup

[Anonymous Coward]

I had basically assumed (semi subconsciously) all along that websites I was visiting could have some idea of what other websites I had been to, or at least toyed with the thought.
I am unfazed, and not surprised. *shrug*

Re:

[netsharc]

I was looking for a hotel in a $CITY once, so I used the best method I knew: Google it. Looked at a few hotel booking sites, booked a room, all done.

Then I was reading a news website with my ad-blocker disabled, and on the right side of the screen was an ad, "Hotels in $CITY". "What the frakk?", I thought, "how did they read my mind?".

It turns out it was a Google ad, and I was just on Google looking for a hotel in $CITY... so...

History sniffing

[digitaldc]

I tried it and it reeks of mildew, stale dust particles and mold spores.

Re:

[camperdave]

You should smell some of the "history" in the back of MY fridge.

Plug the leak in Firefox

[hansamurai]

Open about:config

Set layout.css.visited_links_enabled to false

Re:

[jgtg32a]

Very nice

Re:

[assemblerex]

Kudos

Re:

[clickclickdrone]

Or switch to private browsing mode first.

Re:Plug the leak in Firefox

[The MAZZTer]

You shouldn't even need to go that far, Mozilla plugged most of the leak [mozilla.com]. I'm not sure if this made it into 3.6 though... might want to wait for 4.0?

Re:

[choongiri]

It didn't. 3.6.12 still has the leak.

Re:

[antdude]

If it is fixed in v4, then we will have to wait for its stable/production release. :(

Re:

[Teun]

I've been running 4.0b for over a month now without noticing any show stopper problems.

Except for the user agent switcher the few plug ins I use were compatible .

Re:

[Jaysyn]

Thank you.

HTML5 will fix it

[alen]

Steve Jobs told me that it's going to be super secure

Re:

[NatasRevol]

And he was right.

This doesn't work in Safari 5.02. Even without private mode on.

Re:

[dogzilla]

According to TFA this doesn't work at all in Steve Job's browser. Or the iOS browsers. Or Chrome. All of which use webkit. So your snide comment turns out to be more or less true. How 'bout them apples?

Javascript...

[betterunixthanunix]

If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it? That is basically what is happening when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

Re:

[0123456]

This is also what you do when installing and running any program for which you cannot view and understand the source code. And yet millions of computer users do this daily.

And millions of them don't even realise they're now part of a botnet and their computer is controlled by the Russian mob.

Re:Javascript...

[0123456]

And HTML differs from Javascript how? Or how about an image?

Neither HTML or JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

Re:

[clone52431]

Neither HTML or JPEG files are Turing-complete programming languages.

It has nothing to do with Turing-completeness.

Sure, your HTML or JPEG parser might have bugs that allow remote exploits

And everything to do with that.

that's a huge difference from a language like Javascript which can trivially perform these kind of operations. _by design_

No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

Re:Javascript...

[0123456]

No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.

Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.

Re:

[betterunixthanunix]

It has nothing to do with Turing-completeness.

That depends on what sort of attack you want to perform.

It has a sandbox that it plays in. If JS code breaks out of that, its a bug

Suppose you have a perfect sandbox, no bugs whatsoever. You can still perform the attack described in TFA, because Javascript is supposed to be able to do exactly what TFA describes. You could still have problems with XSS attacks (this is external to bugs in the Javascript interpreter). The API allows these things to happen, and a bug-free Javascript interpreter would still have to conform to the API.

Re:

[gtall]

No implementation of any programming language is complete as it would require an infinite tape (memory).

Re:

[betterunixthanunix]

Unless, of course, the compiler/interpreter does not place any bounds on memory, and relies instead on the OS to enforce those sorts of restrictions (i.e. by terminating your program when you try to allocate more memory than is available). A language being Turing complete is purely a theoretical concept; it has nothing to do with what sort of machine the language is actually used on.

Re:

[clone52431]

Then the implementation (compiler/interpreter running on that OS on that hardware) is still not Turing-complete.

Re:

[betterunixthanunix]

The language still is, and that is what really matters. No Turing machine can actually use its entire tape; the infinite nature of the tape only means that the machine can use an unbounded, but still finite, amount of memory.

So, let's say your Javascript program needs 1000TB of memory to complete some computation. That will not work on my laptop, since my laptop does not have that much physical memory available. You might construct a computer with that much memory, though (perhaps a very big computer,

Re:

[blueg3]

It's generally acceptable to call general-purpose computers Turing complete, even though they're technically not, as they lack infinite memory. Strictly, they're simply linear bounded automata complete.

Re:

[grumbel]

To sniff the history plain HTML/CSS is already enough, no need for Javascript. The trouble here is really the bi-directional communication with the server, not if the language is Turing-complete or not. Plugging holes in non-Turning languages is however of course a good bit easier.

Re:

[clone52431]

good luck writing malicious C++ or python if you're not allowed to call any library functions

Am I allowed to use embedded assembly and make a few assumptions about the OS and architecture?

Re:

[clone52431]

I was thinking more just use the OS system call functions, and overwriting all of the files in the %userprofile%\My documents folder with random data or something like that.

Re:

[arth1]

If you don't have any libraries to call, it's harmless. C++ and python are turing complete, but good luck writing malicious C++ or python if you're not allowed to call any library functions.

That's easily disproved: an eternal loop is malicious code.

Javascript can only access what the browser exposes to it, and the assumption (with rare exceptions such as history sniffing) is that the functionality that the browser exposes to it is harmless.

With javascript it's even worse. Unless the browser exposes document.*, it's going to be rather useless, and if exposed, you can easily create self-modifying recursive scripts that gobble up all resources; CPU, RAM and storage.

Re:

[he-sk]

Stop the fear-mongering!

You are allowing websites to run arbitrary code in your browser sandbox.

The sandbox may be leaky -- which is what the article complains about -- but I read up-thread that both Webkit and Firefox have fixed this issue.

Re:

[Jaysyn]

Firefox 3.6.12 is still vulnerable.

Re:

[MobyDisk]

would you run it?

In a virtual machine. Which is how Javascript is supposed to be run. Just like VBScript was, and Java, PDF, and every other "safe" technology. The problem is that the temptation to make sandboxed scripting languages more powerful slowly erodes the security of the sandbox.

Re:

[Storebj0rn]

If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it?

if it comes with free Pr0n? Hell yeah!

Re:

[catbutt]

when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.

Wow, really? That's pretty scary. I guess no one has ever thought about the implications of that, or considered putting it in a sandbox so it can't do anything it wants to your computer. I think a strongly worded letter to the browser makers is in order!

Re:

[radish]

It's also what happens every time you run "apt-get install foobar" or download a dpkg or msi or whatever. Unless you're telling me you personally review the source of every app you install, in which case I don't believe you - and it's irrelevant because you could also read all the JS delivered to your browser if you wanted.

Forbes shouldn't try to write about tech

[Anonymous Coward]

If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.

A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,”

This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."

It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.

The same goes for the mention of cookies.

The FTC has proposed the creation of a Do Not Track option for Web surfers, which would regulate history sniffing as well as ad networks placing cookies on your computer to keep track of you.

Never in the history of the web, has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.

Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.

[*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.

What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.

Use multiple browsers

[mbone]

My recommendation is to use multiple browsers.

Say you use Firefox for your web searches.

Then run Facebook on Safari (say)

Anything google on Opera.

Any porn on Chrome.

Etc.

There are a bunch of broswers out there - use them to silo off the nosey actors like Facebook, Google and Youporn.

Re:

[adnonsense]

This is what I've been doing for years.

Though I'd swap the Opera and Chrome recommendations.

Re:

[Jah-Wren Ryel]

Or use multiple profiles with the same browser, for example start firefox with:

-no-remote -ProfileManager

and then create different profiles for different websites.

You will have completely different sets of plugins, bookmarks, histories, settings, etc.
Some plugins, like flash, will share common settings because they store stuff outside of the firefox directories (~/.macromedia/ for example).

Answers in Genesis is also using this

[wk633]

As pointed out by PZ Myers http://scienceblogs.com/pharyngula/2010/12/another_reason_to_avoid_visiti.php [scienceblogs.com]
The comments in their javascript are kind of funny.In particular, // CREATIONIST GROUPIES