back to article Site guesses your sex via age-old web flaw

One of the problems that's plagued netizens since the inception of the world wide web that their browsers have a habit of leaking every site they've visited in the recent past. A quick stop at Blowupdolls.com, Mysecretbusinessproject.net or any other site is available to any webmaster with rudimentary coding skills. Now the Mike …

COMMENTS

This topic is closed for new posts.

Page:

Thumb Up

Works pretty well for me:

Likelihood of you being FEMALE is 0%

Likelihood of you being MALE is 100%

0
0
Coat

I'm on the fence

Apparently I'm only 53% male.

It worked this out because I'd been to google.co.uk, apparently. Not sure I see the connection myself.

0
0
Coat

Reminds me of an old piece of spam

"Beth, enlarge your p3n1s!"

Yup, there is a 1.42 ratio on www.getmecoat.com

0
0
Thumb Down

Something's wrong here ...

I'm quite sure that guys are worried about their money as much as gals are (esp. gals who're more then happy to spend their guy's dosh ;) -- but online banking sites turn up at < 1.0 M/F ratio. As do Gmail, Amazon, and the works.

Guess I should start visiting more manly sites ...

0
0
Paris Hilton

fifty fifty is what i go

apparently im not surfing enough pron?? Or maybe it counting that as gynecological??

/> Paris cause we all know shes 100%

PS. can you fix the title bar to recognize numbers as and symbols as a title?

0
0
W
Black Helicopters

I wear a metaphorical eFoilHat, so...

Likelihood of you being FEMALE is 50%

Likelihood of you being MALE is 50%

Likelihood of me setting Firefox to keep history for 0 days, not remember what I enter in forms and search bar, delete all history when I close Firefox, have a blank homepage, have 0 bookmarks except for del.icio.us bookmarklets, having Adblock Plus, filterset.g and customizegoogle add-ons cranked up to max is 100%

Likelihood of a snooper finding out anything useful about me is... I dunno. But doing the above leaves me with a few less things to worry about.

There's a zen-like re-assurance when you have to log in to each site on your first visit since closing and opening up the browser. This whole 'remember me on this computer' and 'remember my password' stuff just dupes and encourages complacency in the average 'mum and dad' level user.

Check me out - living dangerously by not posting anon. :-)

1
0
Silver badge

NoScript

It didn't work at all for me, but I do use Firefox with NoScript. There's a lot to be said for vetting who's allowed to run scripts on your browser.

0
0
Anonymous Coward

Are we 100% sure of this?

Because you have just got me writing code to check this out.

Ever since I have been coding JavaScript I have never been able to get at the history urls in the history object, and most texts will claim you cannot.

Now there is a trick that involves going to a domain that matches, you could detect that.

So, what we are saying here is a site loads up a number of URLs from hotswedishnannieswithpompoms.com to allgoodchistainsunite.org (both available for anyone complaining you can't get a domain nowadays), then it checks them off, and prevents the page moving or perhaps uses multiple frames.

Unless I am missing something here, if you can read the history object in JavaScript then it is broken, it should be unreadable, therefore if it is readable then it will be fixed.

So ok, possible brute force the urls out, that could be stopped, I don't know anyone who really uses that feature anyhow. Though now I think about it, it has a use:- oh what was the last page on theregister.co.uk was I on history.go('www.theregister.co.uk'); that will move window focus to the last page on theregister you were on, even if run on a site 10 hops away. But, still it is not great.

Now, hmm could this be combined with a search engine, possible but probably not, you can be sent back to google, but then you have to get that url and you cannot unless you use a cross site scripting attack (which is a flaw which should be plugged).

Ok, I have gone to the site now, I had to take down the security, it was being blocked. He uses 10K of URLs and combines that with the history.go, possibly css computed values and a detector of some sort (exceptions, frames etc).

Hmm, not really that worrying, and sort of detectable he will have a huge chunk of data somewhere and you will see connections made back to each site.

I think you are hyping this one a bit, if you could read the history object now that would be covert, quick read and a X req call back to your server.

As to these other gaping holes, well there is only the reference one, and that is one deep and helps to determine who linked to you, it can be turned off as well.

Now, something like google urchin and phorm is a different matter, those do work.

But this, well it is obvious, and noisy - hackery but not crackery. It is like saying that safe is not secure because I can point a tank at it and blow the bloody doors off. Still, people should be aware of how it can be used and should watch out for it, but its general use is more benign, maybe a quick reordering of links depending if they have already gone there.

But it is misleading to say 'Mysecretbusinessproject.net' if they don't specify the URL then they won't know it.

A good habit to get into is to do your stuff in batches, and make sure the browser history is cleared.

0
0
Unhappy

I use noscript to block javascript

so it couldn't find out anything about me.

When I turned noscript off, well it promptly decided that since I visit slashdot and go.disney.com I needed to have the police called on me.

0
0
Anonymous Coward

I know that you visit: . It’s a bit scary, I know.

Oh dear, I'm guessing that I'm 0% anything.

(using NoScript, just noticed that SafeHistory is disabled in FF3 and its job is to protect me from this sort of thing. Thank goodness for NoScript then).

0
0
Bronze badge
Pirate

Sweet hack! Can I have my computer back now?

I read the JS code for that. Awesome!

I had to use the "Send feedback..." link in my browser to report this. Privacy or not, it has to be fixed because it's a resource intensive dictionary attack. It's already bad enough that I have to keep building new rules to exclude abusive Flash ads. Now advertisers are going to scan their list of 100000 most interesting URLs on every page load.

0
0
Anonymous Coward

impose a limit?

perhaps browsers should be made to allow to impose an upper limit of how many times any given script can check the history against arbitrary URLs, or how many times per second. This limit could be made available in a browser's preferences. A reasonable default value might be 5 or 10. This script couldn't check 10.000 URLs then.

0
0
Anonymous Coward

@Are we 100% sure of this

which is me rethinking.

It can go covert, I haven't run it yet, but if just the css computedValues are being used on a generated link, then there are a number of ways to keep the noise down on that.

So, I will retract the 'over hyping', and the 'hackery not crackery' statements :)

0
0

Reminder it's a friendly example

Just a reminder that I posted this *for fun*. The point was to demonstrate the vulnerability, not to provide a tool on how to do this. Quoting myself...

"Kind of cute right? Don’t worry — I am not storing your history in any way, this is purely for fun. [...] In case it isn’t obvious — please don’t do this for real."

0
0
Flame

even when you turn off javascrip

"Even when you turn off Javascript, they have other tricks up their sleeves that are much harder to foil, says wally of wally corp, who brought the tool to our attention." Thanks for skipping the interesting bit.

0
0
IT Angle

Another vote for Firefox here...

Theres a little feature I highly recommend : every time you shut down firefox, it wipes your history, cache, passwords etc...

So in this example, it guessed 95% male based on my current browser tabs. God help me what it would have guessed if it knew what I was looking up last night...

0
0

o dear

Likelihood of you being FEMALE is 59%

Likelihood of you being MALE is 41%

not a good day for mr michael

0
0
Silver badge

Wot, no Reg

Likelihood of you being FEMALE is 40%

Likelihood of you being MALE is 60%

Site Male-Female Ratio

google.com 0.98

telegraph.co.uk 1.5

Does this mean that El Reg isn't in the Quantcast top 10K or whatever? If they're only looking at US sites why is the ET in there?

Oh, and since I've stopped reading the ET since the format change I'll be 50-50 pretty soon.

0
0
Unhappy

Oh dear

it told me I had 0% chance of being with a woman.

0
0
Alert

so what about..

Ashlee Vance?

0
0

Script Method

If you look at the JavaScript source (http://www.mikeonads.com/gender/SocialHistory.js) you can see that rather than querying the browser history directly, it creates a link for every site in its dictionary, then checks whether the browser has given it the "never visited before" or "visited before" link colour in order to determine if you've been there in the past.

It's quite a clever idea, but it's still having to brute-force its way to your history, and with that many sites it's very obvious that something's happening from the way the browser hangs, so I can't imagine any other site using it with any more than a handful of URLs.

0
0
Bronze badge

Just for the record

Likelihood of you being FEMALE is 1%

Likelihood of you being MALE is 99%

*works on scrubbing out that last 1%*

0
0
Anonymous Coward

@Tony Hoyle

Your results are not as "bad" as mine:

Likelihood of you being FEMALE is 39%

Likelihood of you being MALE is 61%

Something to do with growing up in outback Australia, I suppose.

0
0
Stop

50-50 .... Mmmmmm?

Firefox set to not remember any history, so the only pages open were this article and the test site. It reckons 50/50 chance.

Which would imply that El. Reg. readership is evenly split between men and women. If that *were* true, why is it only men who post comments...?

0
0
Coat

Title

Likelihood of you being FEMALE is 50%

Likelihood of you being MALE is 50%

Looks like my security's doing it's job... either that or I'm a very confused little boy.

I'll get my sparkly purple leather coat then sall I...

0
0
Anonymous Coward

Rated down...

...because of Mysecretbusinessproject.net FUD.

0
0
Thumb Down

Hmmm

Hmmm , it seems safecache on FF2 has it confused too even in IE pretender mode too , but I did notice at one time CPU hit 100 % for a minute or two trying to run and that script and that evil pesky M$ error send an email popped up as well on the first attempt as the system literally froze and almost went BSOD too !

0
0
Happy

My firefox laughs at your silly applet

No browsing history stored... it's hardly a security "flaw" if you can't be bothered to empty your own bins.

0
0

Works for me!

95% Male ... so it got my gender bang to rights. The wife might say that my feminine side shows more than that .. but then this is my work machine. Testosterone bursting from every pore in the competitive workplace ..

I am going to have to try this on my home machine to see if my gender bias varies by which machine I use. Will I be more androgenous using the Mac at home?

0
0
Paris Hilton

Almost there...

Likelihood of you being FEMALE is 57%

Likelihood of you being MALE is 43%

I thought that, this being my computer at work, it couldn't miss with sites like El Reg and a bunch of technical sites (no porn, though), but Gmail had me nailed. :D

Although, I must admit that a friend psychologist told me that, according to Bem's scale, I am mostly feminine.

0
0
Anonymous Coward

You what?!?!

"Mozilla, Microsoft and the rest of the gang have long refused to do anything about it because fixing the problem would make it hard for users to tell sites they've visited from those they haven't."

I appreciate I know nothing about the specifics of this, but exactly how hard is it to ensure a piece of data is usable by the person sat at the PC, but doesn't get sent out to the outside world ? If not trivial, then what sort of crap system has the industry developed?

0
0
Thumb Up

99% male

I've never felt so manly.

I was surprised that the most male-tilted site on my list was a music site (Harmony Central) and that search engines and email are slightly girly.

And it's good to know that occasionally looking at allegedly-amusing pictures of cats over at icanhascheezburger.com makes me more of a man, not less. I'd always assumed it would be the other way round.

0
0

I'm too much of a nerd...

0% Female, 100% Male.

I should stop browsing tech sites, I guess :(

(hint: I'm female :P )

0
0
Anonymous Coward

Erm...

Like most problems of this nature, it is easily avoided - simply run everything in RAM (Bart PE/Golden Dragon or similar) or reimage fixed disk using ghost or zenworks or similar weekly/daily. Problem solved. If reimaging a fixed disk OS weekly/daily then also full format using Darik boot and nuke or similar multipass eraser/formatting tool. Use someone elses internet connection or a free wifi spot if you want to be all legit.

If that's too much effort for you, then you're probably not doing anything that interesting to anyone else, other than marketing chimps and that ilk, and who cares what they try to sell you!? Be my guest, spend all your time and money trying to sell me shit which I will never buy, regardless of my sex. Surely it's easier to tell someones sex by their name? Or by calling them and speaking to them? I mean, why would anyone invest such effort in such a long clunky way of determining something as inane as someones sex?!

0
0
Joke

@50-50 mmmm

Remember that El Reg is 'a lesbian on-line magazine ', according to The Independent (http://www.theregister.co.uk/2008/05/06/indy_reg/), thus the female browsership is increased.

0
0
Flame

shocking!

Likelihood of you being FEMALE is 54%

Likelihood of you being MALE is 46%

How dare they!! lol Not sure how they worked that out from the below.......

Site Male-Female Ratio

youtube.com 1

photobucket.com 0.85

0
0
Paris Hilton

Clarification...

Likelihood of you being FEMALE is 50%

Likelihood of you being MALE is 50%

This is only because FireFox remembers nothing about me or where I've been, like several other commenters.

I carefully set it up this way, therefore I'm 100% likely to be male, as ladies don't surf dodgy sites that require such an approach. Do they?

Paris, because her history is known to everybody.

0
0
Anonymous Coward

Ratio's

How'd they get the initial ratios?

To do it right you need a load of histories with known genders don't you?

0
0
Silver badge
Boffin

Alternatively...

... run two versions of Firefox, one for the day to day stuff which sits on your HDD as usual and the other one Portable Firefox which you run from a USB stick and which doesn't cache anything and wipes cookies and history when you quit so you can browse the more interesting stuff safely...

... Erm, allegedly!

0
0
Flame

opera

this stupid script dnt even run in opera 9.5 :D

ps: i havent had to go and install 42 third party addons to protect myself!

1
0

Just because I handle the finances

It appears that just because I handle the finances in my family, that this algorithm has decided there's a 93% probability of me being female, rather than the real answer of male. I guess the fact that drudgereport.com and slashdot.org were in the list weren't enough to sway the decision the other way.

0
0
Happy

@Maya

Would you like to trade some gender points with me?

0
0

Well, that explains the weekends

Likelihood of you being FEMALE is 29%

Likelihood of you being MALE is 71%

so 2/7ths of the time I'm female?

Although as I use FF and IE, I checked FF as well (much quicker) and I got 85% MALE, looks like IE makes you effeminate, actually my FF config avoids my work proxy filter, which really means that the sites I'm normally allowed to look at @ work are more girly.... interesting

0
0

acdc?

on my work laptop, I get:

likelihood of you being FEMALE is 78%

Likelihood of you being MALE is 22%

At home, on own laptop, It's near enough reversed.

oh.. and I AM male btw

0
0
DMG
Thumb Down

Gawd..

Likelihood of you being FEMALE is 20%

Likelihood of you being MALE is 80%

So what do I do about these tits then?

*hoiks 'em*

0
0
Unhappy

Oh Dear

Likelihood of you being FEMALE is 32%

Likelihood of you being MALE is 68%

0
0
(Written by Reg staff)

Re: Gawd..

I think all these false positive male readings for girls are indicative of how much we have to sacrifice our femininity to get on in male-dominated arenas.

*scratches arse, belches*

Yup.

0
0
Guy
Thumb Down

Oh Dear

Only 58% Male....and of course search engines are girly....you name the last bloke to ask for directions!!

0
0
Paris Hilton

well, that decides it then...

For many years, I've been wondering about whether to have "the op" or not, this site says I'm 50% male/female, so I'm booking the plastic surgeon this weekend...

:oP

Paris - because she's the only icon here that would make me switch back again...

0
0
Thumb Up

100% red blooded male.

It appears ft.com and appleinsider.com pump up my manliness!

0
0

Page:

This topic is closed for new posts.

Forums