Popular sites caught sniffing user browser history

Boffins from Southern California have caught YouPorn.com and 45 other sites pilfering visitors' surfing habits in what is believed to be the first study to measure in-the-wild exploits of a decade-old browser vulnerability. YouPorn, which fancies itself the YouTube of smut, uses JavaScript to detect whether visitors have …

COMMENTS

This topic is closed for new posts.

YouPorn..

... one of the many "Start Private Browsing" websites out there in internet-land :)

espnf1

ESPN's Formula 1 website is on that list. Pretty major network there.

In the name of science

Browsing youporn in the name of science. Got to love it.

Cue:

* 27 "where do I sign up" posts

* 10 "Lousy Pinko Liberals wasting my tax dollars" posts

* 8 "Think of the Children" posts

* 15 "Think of the Children" (sarcastic or ironic) posts

where do I sign up? =)

and? =)

How interesting.

NoScript is your friend

Add-on components

Indeed, that and Adblock Plus, BetterPrivacy (for preventing super cookie tracking), Ad blocker, Cookie Culler, Phish Tank Site Checker, Privacy Choice Tracker Watcher, and SSL Blacklist. Care is needed when using add-on components. They've been known to bring problems of their own, accidental as well as intended.

Hmmm

"They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it."

Can't they just work that out anyway?

RE: Hmmm

Mostly, but they can learn a little extra this way. For example, if you point at a link or an ad, that might imply you were tempted and nearly decided to click it. Potentially interesting information.

erratically pointing all over the place

I have my mouse speed and acceleration settings cranked to the max so that you only need to move the mouse about 2 millimetres to move the pointer from one side of the screen to the other (Because i use the mouse on my lap and I find it works for me!) so I'd love to see what their mouse snooping utility thinks of me if I were to visit their site and they see that I'm erratically pointing all over the place!

People who point where they look

Is there a name for that?

at the very least

It allows them to know how long you were looking at the page.

Without it all they know is that you loaded a page at X and loaded another at Y. With this they can see you loaded a page at X, spent 5 minutes actively looking at it, then stopped and finally loaded another page at Y.

I wouldn't demonize the porn sites.

It's easy to kick a porn site but what about what youtube, google, facebook, myspace, and all the like do?

I've never visited youporn or other sites like that because I wouldn't consider them to be safe to begin with but if you want to talk about sniffing.

What is sniffed when you watch a youtube video when google owns it and it's all tied together.

I have some porn site interests and while I don't condone any illegal sniffing or browsing of your data, finding out what type of niche you're into helps the industry because, unlike YouTube, which suggests videos half the time completely unrelated to what you're into (for marketing purposes and other agendas), porn sites that do this type of thing will suggest porn content that you are probably into.

And unlike the garbage software industry most of the porn we have is made in the USA, keeping the jobs here.

I really think you are missing the point.

There's A Fix

CTRL-SHIFT-DEL

Make sure you select "ALL HISTORY".

Query

I suspect that won't work.

The intrusion collects addresses of the purple links.

My Firefox History is just one day, but in Preferences the default Save Visited Sites came as 9 days. Naturally I have now set it to zero.

I used to imagine that it was enough to stop the history list interrogators by exiting all sites by clicking down through the list to the home page, or the search page, or the Register. I am so naive.

It will work..

The "History" bit clears which links display as purple, hence fixing the problem. It's really not all that serious though. You can't even tell if you've visited a specific domain, it has to be an exact link match - for example you could only tell if someone had visited Facebook if they had gone to the main homepage first - if you followed a link in to your profile, you're safe. It really is fairly limited. Still, all privacy holes are bad, and should be fixed.

It is a slightly awkward problem, in that custom CSS means it's not a matter of "blue or purple", it's ":link or :visited", and those pseudo-selectors are not exposed to the DOM. This is compounded by the problem that an individual link might have extra styles applied. Personally I would be quite happy with them simply removing currentStyle access to hyperlinks, or even hardcoding any check to the default blue. How many legitimate reasons are there really for checking what colour a link currently is? All of the ones I can think of are more easily and cleanly expressed with CSS anyway.

Good thing I use NetSurf then

No javascript.

Netsurf

You are clearly a masochist

Strange bedfellows

Amongst all those porn / pirate sites we see Newsmax and Answers in Genesis. Two right wing fundamentalist web sites. I guess they share many of the same ethics as the people they decry, especially when it comes to privacy.

Answers in Genesis

No they are not right wing, they are Christian fundamentalist, and that is two different things. Jesus could hardly be called right wing. Clearly you are left wing and flying around in circles as a consequence.

Yes they are right wing

I didn't call Jesus right wing fundamentalist, I said these sites were. A fact which is plain just by reading them.

As for Jesus, I have no idea what political leanings some mythologised figure had 2000 years ago. And neither do you. Hasn't stopped everyone and their uncle coopting his name to justify the most ugly and hateful views though.

Check yourself or friends...

http://www.didyouwatchporn.com/ uses the same exploit...

Re: Check yourself or friends...

> http://www.didyouwatchporn.com/ uses the same exploit...

I suppose it makes a very good test of how well private browsing works. Nice.

As one site wrote regarding the other image, "a little bunny! It's funny because it's the same motif Playboy uses" (http://roget.biz/sites-pour-savoir-si-vos-potes-visitent-des-sites-pornos)

I can confirm

That that site does NOT work.

Oh yes I did.

All I can say is

I used the Francis character from L4D as my avatar on StackOverflow when I made an account there.

Now, when I post elsewhere having used the same email to make my account, guess what my avatar often defaults to?

Techeye.net particularly bothered me in this regard.

Strangely enough Facebook has not managed to mine this connection.

Gravatar

Maybe StackOverflow uploaded your avatar to the Gravatar service and linked it to your email?

Same avatar across multiple sites?

They probably use "gravatar" or something similar to set it... have a google and you will be able to change it.

Oh dear

Somewhat alarmingly, charter.net is my ISP. But I see they're the number two offender after youporn, that's mighty reassuring.

Well this...

explains why Charter tries to get everyone to set their site as their homepage.

I have seen their techs, when out here on service calls (and at others homes) try to set the home page to charter.net.

I'm glad I don't let them touch my comps usually. If they need to use a comp for something, I have a laptop with a separate account they can use.

Ah, now that's a thought......

"And unlike the garbage software industry most of the porn we have is made in the usa keeping the jobs here."

.............that would surely imply that the desire to watch someone else having sex with your wife could be classified as outsourcing.

YouPorn?

It's a valid point James Woods makes above regarding the technical aspects of sniffing, and our trust of more mainstream sites...

...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get...

Get what's coming to you

"...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

Hmmm, nice . . . .

Why?

"...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

Why do you think that? Is it because you are some sort of modern day Mary Whitehouse?

You may or may not like porn, but there are much, much worse things on the internet. The trouble is the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn, except possibly swearing on TV.

Why? Because it's porn?

Porn has been around since cave paintings. Don't generalize all porn as being something seedy or bad. Porn has a healthy place in modern society. Besides, porn is pretty much mainstream now thanks to our Z list celeb culture.

YouPorn redux

Wow. 7 down votes. :-) For what it is worth, I'm not a Mary Whitehouse wannabe Daily Fail reader...

Perhaps before clicking "down" and saying "oh, what a prude", you might stop to consider that while no site is 100% secure, there are some sectors which are a magnet for dubious activity in the "exploit" sense. I mean, if you complained about getting rootkitted while cruising Russian download sites, people would laugh at you and ask "what did you expect?". But on the other hand YouPorn is acceptable? Or maybe some of you don't want to face up to the fact that visitors to such a site may be more led by their pecker than their brains, so might be a little more permissive with what they let run on their computer.

Tell me - how well do you trust a porn site, its operators, and its security measures? Think carefully before answering, because this article is about just such a behaviour...

@Grease Monkey

"the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn"

Not true. They hate immigrants more. Not to mention the erosion of family values.

Of course that doesn't stop them paying Mistress Sveltana the Ukrainian dominatrix £100 every Thursday night while the wife is at bridge club to punish them for being a very naughty boy.

@heyrick -- the same way I check any other site.

As someone who has been the victim of a drive-by infection at work by allowing scripts while checking out a completely legitimate site* I know that no site is safe.

The way I tend to keep safe is by keeping my eyes and ears open about problems with sites by reading El reg and similar. I also tend to block all adverts and block third-party scripts on all sites (because adverts are annoying and the sites that run them have a history of being exploited).

I also run Linux at home, and have an XP VM which I can use as a sacrificial lamb if I really want to try out a new site that could be dodgy.

There's also a not-so-reliable but up until now fairly good rule of thumb that dodgy sites tend to "look dodgy" either badly designed, or cluttered, or full of adverts or scripts for other sites (often with names like xxccddff.co.ru). Like I said, it's not completely effective but so far aside from the history reading (which doesn't bother me as I don't have it turned on) YouPorn has shown itself to be as safe as it looks.

*It was deliberate, I was testing NoScript and the AV installation after a colleague tipped me off.

@Alpha Tony

Mistress Sveltana the Ukrainian dominatrix only charges £80 on Tuesday afternoons....but that is for old age pensioners only.

Re: Tell me - how well do you trust a porn site

Why would a (legal) porn site be any more or less trustworthy than any other (legal) site? Because porn is 'icky' in the view of some? Because only 'bad' people would run a site dealing with such content? (Maybe this is true - my experience of such things isn't exactly pervasive).

Does not parse

"As someone who has been the victim of a drive-by infection . . . It was deliberate"

If it was deliberate, how exactly were you a victim?

Paris, because I would be her victim any day . . .

@Goat Jam

Cambridge Dictionary Online definition of victim: "someone or something which has been hurt, damaged or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance"

I still had to clean the damn infection up, so I suffered. If I have unprotected sex with someone who is HIV positive I could still describe myself as "an AIDS victim" if I suffered from the disease.

Eejit

"I still had to clean the damn infection up, so I suffered."

Then you're a complete amateur. Don't you test this sort of thing on a dedicated machine that is completely reimaged every time it boots, a virtual machine perhaps?

javascript is only half evil

As a dev, I know that Flash LSOs were/are still tracked - sites like YouPorn and any other pr0n site use Flash and they store Flash cookies (LSOs), which can be read with the right script. Even browser pr0n mode does not always clean Flash cookies.

Somebody mentioned that NoScript was a deterrent - This is hardly true. Most video sites require js enabled browser for playback.

a pedantically required title

BetterPrivacy for Firefox addresses the Flash LSO problem. Setting it aggressively to clear everything it can whenever it can has not yet caused me any problems using Firefox.

One of the advantages of NoScript is that you can be selective in the scripts that you allow. Be restrictive. I never allow anything that does not seem directly related to the task I want to achieve on that page. ElReg works quite nicely without JS, for instance.

The only time that policy has come unstuck for me is when buying and the "Verified by Visa" system jumps up from the bank site to call a script from yet another site. One only finds out the name of the site, to consider permitting it, after the bank has already declined the transaction. Even that has an advantage; it keeps the overdraft down!

NoScript is more fine grained than turning js on or off

Noscript lets you selectively turn on individual scripts. Even if a site relies on javascript and flash for video playback (be that youporn or iplayer) you can still turn on only those scripts that are responsible for making that work, and keep every other script turned off.

But sites are getting smart.

The sites booby-trap the sites to make sure you bite. NoScript filters by domain, and guess where the history-sniffer code's going to reside? In the same domain as the video player, which you MUST allow in order to get anything productive out of the site. So no videos without a history sniff.

javascript is only half evil

From Wikipedia (I know that Wikipedia is not always a veritable source of information, but....)

"The current version of Flash does not allow 3rd party LSOs to be shared across domains. For example, an LSO from "www.example.com" cannot be read by the domain "www.example2.com".

However, any domain can read the master LSO, which contains a listing of all LSO placing websites visited."

The last sentence simply means that if you visit a pr0n site that uses Flash and sets Flash cookies in your browser, another site can collect this information. This was used by the Panopticlick project and this technique is comparable to history checks performed using CSS vlink.

If you still do not trust this info, visit

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

macromedia.com is able to pull info about all sites that set a flash cookie on your computer.

I am not entirely sure how/where LSOs are stored, but if this is a central repository (for all browsers), you can probably find details about sites that you visit via Browser A when you are using Browser B. This last bit is prolly paranoia, but I'd rather be paranoid than trust Flash...

mouse tracking

mouse tracking is awesome when your marketing director won't listen - we were able to use it to boost conversions on our insurance site by 30% - you could re-play their interactions with the page and it helped us detect a lot more fraudulent policies - you could watch them weighing up the risks to get the best quote - one guy must have run through his entire family trying to find the cheapest postcode to live in.

Not a good predictor of fraud ...

maybe you should design a device which detects stress patterns in speech. You could use it on the phone ...

There are many legitimate reasons why people would change parameters when shopping for an insurance *quote*. None of which would result in fraud.

I've just finished a research study into the possibility of detecting fraud at the point of sale of an insurance policy (motor) ... the view from on high was that we already have dedicated teams in place who analyse policies for fraud anyway. Besides, there's no way you could catch someone who did all their quote "adjusting" on one site, but purchased through another (or in person, or on the phone) having got their "perfect" profile.

Still, kept me busy for a few days !
