A prominent online marketer that helps websites deliver targeted ads has been exploiting a decade-old browser flaw that leaks the history of websites that users visit, a researcher from Stanford University reported. Epic Marketplace doesn't use the well-documented browser history leak to track specific websites a user has …
I am 12 years old and what is this?
Pr0n is why the internet was invented. Goatse and meatspin.com are a bit over the top though.
I'm afraid the name is pretty descriptive, and a 12 year old would already know the site anyway...
Ok, so if it grabs your browsing history...
... deleting your history, cookies and all other files regularly works too right?
The first step when configuring a browser ...
Don't be insane
Disabling JS shuts off a huge majority of web sites that non-techy people use every day. Setting JS to 'off' by default would be like restricting all cars to 30mph in case someone does something dangerous.
...browsers and HTML have gone way beyond their design parameters and into the territory of unexpected consequences as a result.
But 'we are where we are' and as someone has said scripting drives most of the sites people actually use.
But I do think this breaks the new cookie legislation?
And that is exactly why I'm using NoScript with my browser, see: http://noscript.net
It works on Firefox (which I've stopped using due to the annoying interface changes) and derivatives like SeaMonkey.
turn off layout.css.visited_links_enabled as described in last year's El Reg story on the same sort of subject.
At least you can do that in Firefox and its derivatives.
Re: Don't be insane
As for rendering the whole internet unusable... whilst stuff like gmail, youtube, facebook etc all require it, there's plenty of the web that doesn't. Between using IMAP for the former and a decent pub for the latter, I find I cope quite well.
@Don't be Insane
I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place, and because they have a bad track record of security, what with poisoned ads, behavioural tracking et al.
"I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place,"
They're not putting anything on your computer, they are putting it on the web site you are viewing, and the money from this advertising is what keeps web sites going. Do you read newspapers? If so, do you own a tool that rips out every advertisement from the paper before you touch it?
If you don't want to see the advertising, don't visit the web site.
I'm saddened and amazed
I'd always thought that marketers were as honest as newspaper proprietors and journalists.
I think they are
or did you not hear about NotW?
I would say this is equal if not worse than the "phone hacking", the public however I doubt will give a damn
Wouldn't care anyway!
Sadly 99.9999% of the public will never find out about this, probably wouldn't understand the technicalities and if they did, probably wouldn't give a monkey's anyway!
People want "shiny stuff", ads maybe slightly annoying but they are a small price to pay to get "shiny stuff". Marketeers are the spawn of Satan himself and should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one! I will set the co-ordinates to the heart of the sun myself to make sure they are removed once and for all!!
"should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one"
You do remember that after the first arc left the remaining population were wiped out by a rare disease due to unhygienic telephone handsets...
"...but not related to sensitive categories or sites."
Privacy == sensitive information.
Please move head to chopping block for adjustments.
"this is equal if not worse than the "phone hacking","
Does this involve years and years of bent coppers at various levels taking bribes?
Does this involve a surprisingly close relationship between someone called Peston and someone he's supposed to be reporting on (rather than partying with)?
OK, you can get your coat now.
... this (as in this practice of analysing your online behaviour) could directly affect far more people than the phone hacking.
OK so the credibility of a bunch of journalists and politicians has come into question. In an ideal world it would be nice to think you could believe what you read in the press and that politicians were acting in your best interest.
It would also be nice to think that you could surf the internet without having your browser history being analysed and the sold to advertisers...
What I am trying to say is that: 'hacking' personal information via a default pin is not as malicious as using an exploit.
I'd say it's in the same category under the circumstances, since the voicemail hacking could be described as exploiting a vulnerability/design flaw. The flaw in this case is institutional bad practice by the mobile operators, by (a) having a default PIN for all accounts, and (b) not really telling anyone. I mean how many people even knew about PIN-based access to their voicemail before this whole business blew up? (And please note, the Reg commentariat cannot be considered representative here.) I've been through 3 operators, and only the latest one prompted me to change my PIN, and only a couple of months ago at that - interesting timing, no?
Just like the browser vendors, they only take action when the problem starts generating widespread bad press. The mobicos deserve a share of the blame in that saga.
RE: RE: NO
so let me get this right,
when you got your phone out of the box with a leaflet stating "your pin is 1234", then you ring your voice mail and are prompted for a pin. you had no idea that there would be a facility to change it?
RE: RE: RE: NO
Was there such a leaflet? OK, perhaps. The box of my last phone and associated gubbins are long gone, but I'll take your word that this info is normally in there somewhere, but I would put this under the category of (as a delightful customer at my business once put it) "Who reads that stuff?"
Please note I'm talking about the general public here. You must have met some of them, hateful people for the most part (me included in this instance). I'm willing to bet that for the majority of people, voicemail was a service that lives in the handset, and the fact that it could even be accessed from elsewhere would be a revelation to most. Like I said, none of my operators have ever prompted me during on-handset use for a PIN (until a month or two ago). Is this unusual?
If you repeat the same lie enough it will become the truth
This is not a privacy bug built into major browsers. It is how html works and is damned difficult to fix (and despite being told this by numerous people, the Register continues to repeat the lie).
This is silly. The fault does not lie with the browser makers but with the idiot marketing people who are happy to invest so much effort to scam one person in 100,000,
Just another XSS vuln when it comes right down to it.
Here's (roughly) how it went down:
Web browsers are built to parse HTML, and the designers say "wouldn't it be nice to color-code links people have already visited, so they don't end up in some sort of loop?" Cool feature, everyone* loves it.
* That's everyone as in everyone the developers listened to, and specifically the people who bought them lunch. There were people who disliked all of these features, but they were curmudgeons who didn't spend money on the right things.
** Yes, HTML IS expandable by default. The specification requires user agents to allow for and ignore elements and attributes that they do not recognize, but to make them available via interfaces like DOM.
*** So one possible workaround (not tested by me) before the vendors plugged this specific hole would be to use a feature like Opera's User Mode style, turning off developer's ability to change the colors of the links, and setting them to the same color value. But that would mean the links could look funny or even be unreadable on some pages.
Always report the unfollowed colour
Steve, your summary of how the exploit works is correct. However, a quick fix for it is for when a script queries the colour of a link, the script always gets the "unfollowed" style, regardless of what colour the user can see. (Or not see, as the exploit is normally carried out in a hidden <div> or <iframe>)
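The link-colour trick described a few posts up and the "always report the unfollowed colour" fix in this one, as an added browser self-check that is not from the original thread: it styles a link to the current page (which is certainly in the history) and asks getComputedStyle which colour it reports. The two colour values and the `probe` class name are constructed for the check; a browser that applies the fix reports 'hardened'.

```javascript
// Added self-check: does this browser still expose :visited styling to
// script? Colour values and the "probe" class are constructed test values.
const UNVISITED = 'rgb(0, 0, 255)';
const VISITED = 'rgb(255, 0, 0)';

// Pure decision logic: given the stylesheet's unvisited/visited colours and
// what getComputedStyle reported, decide whether a script could tell the
// two states apart.
function classifyReport(reported, unvisited, visited) {
  if (reported === visited) return 'leaks';      // script sees the :visited style
  if (reported === unvisited) return 'hardened'; // always the unfollowed style, as the fix requires
  return 'unknown';                              // some other colour (e.g. page CSS interfered)
}

// Browser-only part: inject a probe link to the current page and read its
// computed colour. The current URL is guaranteed to be in the history.
function checkVisitedLeak(doc) {
  const style = doc.createElement('style');
  style.textContent =
    `a.probe{color:${UNVISITED}} a.probe:visited{color:${VISITED}}`;
  doc.head.appendChild(style);
  const a = doc.createElement('a');
  a.className = 'probe';
  a.href = doc.location.href;
  a.textContent = 'probe';
  doc.body.appendChild(a);
  const reported = doc.defaultView.getComputedStyle(a).color;
  a.remove();
  style.remove();
  return classifyReport(reported, UNVISITED, VISITED);
}

// Only run the DOM part when actually loaded in a browser page.
if (typeof document !== 'undefined') {
  console.log('visited-link check:', checkVisitedLeak(document));
}
```

Paste it into the developer console of any page; a modern browser should print 'hardened' because getComputedStyle returns the unvisited colour even for links you have followed.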
Aww look at all those iddybiddy things running around
This old browser hack was plugged earlier this year for IE and FF in the latest round of releases.
You can test your browser's vulnerability here.
Paris because... I'd plug her anytime
uses the same browser for pr0n as they do for everyday stuff, surely?
The same browser?
I wouldn't even use the same computer!
This is the same company that owns Azoogle. People with long memories might remember them...