Marketer taps browser flaw to see if you're pregnant

A prominent online marketer that helps websites deliver targeted ads has been exploiting a decade-old browser flaw that leaks the history of websites that users visit, a researcher from Stanford University reported. Epic Marketplace doesn't use the well-documented browser history leak to track specific websites a user has …

COMMENTS

This topic is closed for new posts.
  1. Chris Hatfield

    YouPorn.com ?

    I am 12 years old and what is this?

    1. asdf
      Mushroom

      can't resist

      Pr0n is why the internet was invented. Goatse and meatspin.com are a bit over the top though.

    2. J 3
      Joke

      @YouPorn.com ?

      I'm afraid the name is pretty descriptive, and a 12 year old would already know the site anyway...

  2. Paul 87

    Ok, so if it grabs your browsing history...

    ... deleting your history, cookies and all other files regularly works too, right?

  3. Flocke Kroes Silver badge

    The first step when configuring a browser ...

    ... is to disable javascript. It is long past time this was made the default.

    1. Alastair 7

      Don't be insane

      Disabling JS shuts off a huge majority of web sites that non-techy people use every day. Setting JS to 'off' by default would be like restricting all cars to 30mph in case someone does something dangerous.

      1. Ru
        Boffin

        Re: Don't be insane

        I use NoScript to block all javascript by default, and only enable scripts from particular domains as necessary.

        Much as I understand that many, many websites need javascript-driven advertising in order to pay their bills, ad providers generally just get blacklisted and silently blocked because it is a terrible, terrible idea to give everyone and their dog javascript execute permissions on your computer.

        As for rendering the whole internet unusable... whilst stuff like gmail, youtube, facebook etc all require it, there's plenty of the web that doesn't. Between using IMAP for the former and a decent pub for the latter, I find I cope quite well.

      2. Loyal Commenter Silver badge
        Stop

        @Don't be Insane

        No. Disabling Javascript by default and requiring the user to explicitly allow it for the site would be more akin to requiring car users to have driving licences, if your metaphor wasn't a complete non sequitur in the first place.

        I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place, and because they have a bad track record of security, what with poisoned ads, behavioural tracking et al.

        1. Alastair 7

          What rubbish

          "I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place,"

          They're not putting anything on your computer, they are putting it on the web site you are viewing, and the money from this advertising is what keeps web sites going. Do you read newspapers? If so, do you own a tool that rips out every advertisement from the paper before you touch it?

          If you don't want to see the advertising, don't visit the web site.

    2. david 63

      I agree...

      ...browsers and HTML have gone way beyond their design parameters and into the territory of unexpected consequences as a result.

      But 'we are where we are' and as someone has said scripting drives most of the sites people actually use.

      But I do think this breaks the new cookie legislation?

    3. Anonymous Coward

      NoScript

      And that is exactly why I'm using NoScript with my browser, see: http://noscript.net

      It works on Firefox (which I've stopped using due to the annoying interface changes) and derivatives like SeaMonkey.

      IMO an ideal way to browse. At first it blocks everything (javascript, java applets, flash, etc.) and then you can enable stuff. Either temporarily or permanently. It's also useful to help you block spamblocks and such, for example by simply allowing stuff from the original website but not from (embedded) sites such as "ads.google.com" (for example).

    4. kwhitefoot

      Or just

      turn off layout.css.visited_links_enabled as described in last year's El Reg story on the same sort of subject.

      At least you can do that in Firefox and its derivatives.

  4. frank ly
    Unhappy

    I'm saddened and amazed

    I'd always thought that marketers were as honest as newspaper proprietors and journalists.

    1. Oninoshiko

      I think they are

      or did you not hear about NotW?

  5. hoffmeister

    Public reaction

    I would say this is equal if not worse than the "phone hacking", the public however I doubt will give a damn.

    1. The Fuzzy Wotnot
      Happy

      Wouldn't care anyway!

      Sadly 99.9999% of the public will never find out about this, probably wouldn't understand the technicalities and if they did, probably wouldn't give a monkey's anyway!

      People want "shiny stuff", ads may be slightly annoying but they are a small price to pay to get "shiny stuff". Marketeers are the spawn of Satan himself and should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one! I will set the co-ordinates to the heart of the sun myself to make sure they are removed once and for all!!

      1. John Robson Silver badge
        FAIL

        Arcs

        "should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one"

        You do remember that after the first arc left the remaining population were wiped out by a rare disease due to unhygienic telephone handsets...

  6. disfit
    FAIL

    Sensitivity training

    "...but not related to sensitive categories or sites."

    Privacy == sensitive information.

    Please move head to chopping block for adjustments.

  7. Anonymous Coward
    Coat

    "this is equal if not worse than the "phone hacking","

    Does this involve years and years of bent coppers at various levels taking bribes?

    Does this involve a surprisingly close relationship between someone called Peston and someone he's supposed to be reporting on (rather than partying with)?

    Etc.

    OK, you can get your coat now.

    1. Anonymous Coward
      Childcatcher

      ...no but

      ... this (as in this practice of analysing your online behaviour) could directly affect far more people than the phone hacking.

      OK so the credibility of a bunch of journalists and politicians has come into question. In an ideal world it would be nice to think you could believe what you read in the press and that politicians were acting in your best interest.

      It would also be nice to think that you could surf the internet without having your browser history being analysed and then sold to advertisers...

    2. hoffmeister

      NO

      What I am trying to say is that: 'hacking' personal information via a default pin is not as malicious as using an exploit.

      1. Havin_it

        RE: NO

        I'd say it's in the same category under the circumstances, since the voicemail hacking could be described as exploiting a vulnerability/design flaw. The flaw in this case is institutional bad practice by the mobile operators, by (a) having a default PIN for all accounts, and (b) not really telling anyone. I mean how many people even knew about PIN-based access to their voicemail before this whole business blew up? (And please note, the Reg commentariat cannot be considered representative here.) I've been through 3 operators, and only the latest one prompted me to change my PIN, and only a couple of months ago at that - interesting timing, no?

        Just like the browser vendors, they only take action when the problem starts generating widespread bad press. The mobicos deserve a share of the blame in that saga.

        1. hoffmeister
          WTF?

          RE: RE: NO

          so let me get this right,

          when you got your phone out of the box with a leaflet stating "your pin is 1234", then you ring your voice mail and are prompted for a pin. You had no idea that there would be a facility to change it?

          1. Havin_it

            RE: RE: RE: NO

            Was there such a leaflet? OK, perhaps. The box of my last phone and associated gubbins are long gone, but I'll take your word that this info is normally in there somewhere, but I would put this under the category of (as a delightful customer at my business once put it) "Who reads that stuff?"

            Please note I'm talking about the general public here. You must have met some of them, hateful people for the most part (me included in this instance). I'm willing to bet that for the majority of people, voicemail was a service that lives in the handset, and the fact that it could even be accessed from elsewhere would be a revelation to most. Like I said, none of my operators have ever prompted me during on-handset use for a PIN (until a month or two ago). Is this unusual?

  8. Tom Chiverton 1

    AdBlock

    Another problem solved without the hassle caused to most web sites when they find out your javascript is off.

  9. OziWan
    Stop

    If you repeat the same lie enough it will become the truth

    This is not a privacy bug built into major browsers. It is how html works and is damned difficult to fix (and despite being told this by numerous people, the Register continues to repeat the lie).

    This is silly. The fault does not lie with the browser makers but with the idiot marketing people who are happy to invest so much effort to scam one person in 100,000.

    1. Havin_it

      HTML?

      No it isn't. If anything it's how Javascript works, and Javascript for all its retroactive establishment of standards (ECMAscript) is a conceit of the browser vendors. What we have here is yet another example of weaknesses in the implementation: why was it ever allowed for this data [whether a link has been visited] to be readable by scripts that can then relay it back upstream?

      Just another XSS vuln when it comes right down to it.

      1. Steve Knox
        Boffin

        Javascript?

        NO. It's not how HTML works, or how JavaScript works, or even how CSS works. It's based on the interaction between those, and thus falls in the realm of (as mentioned above) unintended consequences. And it's definitely NOT cross-site scripting (XSS).

        Here's (roughly) how it went down:

        Web browsers are built to parse HTML, and the designers say "wouldn't it be nice to color-code links people have already visited, so they don't end up in some sort of loop?" Cool feature, everyone* loves it.

        Netscape adds JavaScript, and the developers say "it's expandable by default, just like HTML**, so you can add your own properties to elements and query/manipulate them using JavaScript!" Cool feature, everyone* loves it.

        CSS is developed to separate the style from the structure in HTML. The developers say "It even covers meta-properties, like whether or not you've visited a link, and by the way, it's accessible via Javascript!" Cool features, everyone* loves them.

        Some programmers put 1+1+1 together and realize it makes 3: "We can 1) use CSS to set the colors of visited vs not-visited links to known values***, 2) programmatically add a link to a hidden area of the page, then 3) query the CSS color property of that link to determine whether or not someone has visited that link. And JavaScript is fast enough now that we can do it thousands of times per second."

        * That's everyone as in everyone the developers listened to, and specifically the people who bought them lunch. There were people who disliked all of these features, but they were curmudgeons who didn't spend money on the right things.

        ** Yes, HTML IS expandable by default. The specification requires user agents to allow for and ignore elements and attributes that they do not recognize, but to make them available via interfaces like DOM.

        *** So one possible workaround (not tested by me) before the vendors plugged this specific hole would be to use a feature like Opera's User Mode style, turning off developers' ability to change the colors of the links, and setting them to the same color value. But that would mean the links could look funny or even be unreadable on some pages.

        1. Colin Miller

          Always report the unfollowed colour

          Steve, your summary of how the exploit works is correct. However, a quick fix for it is for when a script queries the colour of a link, the script always gets the "unfollowed" style, regardless of what colour the user can see. (Or not see, as the exploit is normally carried out in a hidden <div> or <iframe>)
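
The fix suggested in the comment above, sketched as a toy model. This is an added example, not part of the original thread and not real browser code; `ToyBrowser`, `scriptVisibleColor`, `historyLeaks`, the colours and the `*.example` URLs are all hypothetical. It separates the rendering path from the script-query path and checks that, once the fix is on, nothing a script can read depends on history while the user still sees visited links styled.

```javascript
// Added example: toy model, not real browser code. All names are hypothetical.
class ToyBrowser {
  constructor(hardened) {
    this.hardened = hardened;       // true = apply the "always unfollowed" fix
    this.history = new Set();       // URLs this user has visited
    // Page-controlled colours for a:link and a:visited (constructed values).
    this.css = { link: 'rgb(0, 0, 255)', visited: 'rgb(255, 0, 0)' };
  }
  visit(url) { this.history.add(url); }

  // Rendering path: what the user actually sees on screen.
  paintedColor(url) {
    return this.history.has(url) ? this.css.visited : this.css.link;
  }

  // Script path: what a getComputedStyle-like query hands back to page code.
  scriptVisibleColor(url) {
    // The fix: answer as if the link were unvisited, whatever is painted.
    return this.hardened ? this.css.link : this.paintedColor(url);
  }
}

// Regression check: does any script-visible value depend on history?
// Returns the URLs whose visited state a page script could infer.
function historyLeaks(browser, urls) {
  const baseline = browser.css.link;
  return urls.filter((u) => browser.scriptVisibleColor(u) !== baseline);
}

// Constructed sample data.
const URLS = ['https://a.example/', 'https://b.example/', 'https://c.example/'];

function runCheck(hardened) {
  const b = new ToyBrowser(hardened);
  b.visit('https://b.example/');
  return {
    leaked: historyLeaks(b, URLS),
    // The user-facing feature must survive the fix.
    userStillSeesVisited: b.paintedColor('https://b.example/') === b.css.visited,
  };
}

console.log('legacy  :', runCheck(false));
console.log('hardened:', runCheck(true));
```

The model covers only the script-query path the comment describes; side effects such as layout or timing differences are outside it.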

  10. jon 72
    Paris Hilton

    Aww look at all those iddybiddy things running around

    This old browser hack was plugged earlier this year for IE and FF in the latest round of releases.

    You can test your browser's vulnerability here.

    http://ha.ckers.org/weird/CSS-history-hack.html

    Paris because... I'd plug her anytime

  11. Andy Farley
    Stop

    Nobody

    uses the same browser for pr0n as they do for everyday stuff, surely?

    1. Peter Gathercole Silver badge

      The same browser?

      I wouldn't even use the same computer!

  12. Anonymous Coward
    Facepalm

    Azoogle

    This is the same company that owns Azoogle. People with long memories might remember them...
