Popular sites caught sniffing user browser history

Boffins from Southern California have caught YouPorn.com and 45 other sites pilfering visitors' surfing habits in what is believed to be the first study to measure in-the-wild exploits of a decade-old browser vulnerability. YouPorn, which fancies itself the YouTube of smut, uses JavaScript to detect whether visitors have …

COMMENTS

This topic is closed for new posts.
  1. Lord Lien
    Coat

    YouPorn..

    ... one of the many "Start Private Browsing" websites out there in internet-land :)

  2. mafoo
    Thumb Down

    espnf1

    ESPN's Formula 1 website is on that list. Pretty major network there.

  3. Anonymous Coward
    Pint

    In the name of science

    Browsing youporn in the name of science. Got to love it.

    Cue:

    * 27 "where do I sign up" posts

    * 10 "Lousy Pinko Liberals wasting my tax dollars" posts

    * 8 "Think of the Children" posts

    * 15 "Think of the Children" (sarcastic or ironic) posts

    1. C Yates
      Happy

      where do I sign up? =)

      and? =)

  4. Will Godfrey Silver badge
    Linux

    How interesting.

    NoScript is your friend

    1. Scorchio!!

      Add on components

      Indeed, that and Adblock plus, BetterPrivacy (for preventing super cookie tracking), Ad blocker, Cookie Culler, Phish Tank Site Checker, Privacy Choice Tracker Watcher, and SSL Blacklist. Care is needed when using add on components. They've been known to bring problems of their own, accidental as well as intended.

  5. Tim #3
    Paris Hilton

    Hmmm

    "They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it."

    Can't they just work that out anyway?

    1. Pablo

      RE: Hmmm

      Mostly, but they can learn a little extra this way. For example, if you point at a link or an ad, that might imply you were tempted and nearly decided to click it. Potentially interesting information.

      1. LinkOfHyrule

        erratically pointing all over the place

        I have my mouse speed and acceleration settings cranked to the max so that you only need to move the mouse about 2 millimetres to move the pointer from one side of the screen to the other (because I use the mouse on my lap and I find it works for me!) so I'd love to see what their mouse snooping utility thinks of me if I were to visit their site and they see that I'm erratically pointing all over the place!

        1. matt 83
          Alert

          at the very least

          It allows them to know how long you were looking at the page.

          Without it all they know is that you loaded a page at X and loaded another at Y. With this they can see you loaded a page at X and spent 5 minutes actively looking at it then stopped and finally loaded another page at Y

      2. Ole Juul

        People who point where they look

        Is there a name for that?

  6. James Woods

    I wouldn't demonize the porn sites.

    It's easy to kick a porn site but what about what youtube, google, facebook, myspace, and all the like do?

    I've never visited youporn or other sites like that because I wouldn't consider them to be safe to begin with but if you want to talk about sniffing.

    What is sniffed when you watch a youtube video when google owns it and it's all tied together.

    I have some porn site interests and while I don't condone any illegal sniffing or browsing of your data finding out what type of niche you're into helps the industry because unlike youtube that suggests videos half the time completely unrelated to what you're into (for marketing purposes and other agendas) porn sites that do this type of thing will suggest porn content that you are probably into.

    And unlike the garbage software industry most of the porn we have is made in the USA keeping the jobs here.

    1. E 2

      I really think you are missing the point.

      I really think you are missing the point.

  7. Anonymous Coward
    Stop

    There's A Fix

    CTRL-SHIFT-DEL

    Make sure you select "ALL HISTORY".

    1. Alan Firminger

      Query

      I suspect that won't work.

      The intrusion collects addresses of the purple links.

      My Firefox History is just one day, but in Preferences the default Save Visited Sites came as 9 days. Naturally I have now set it to zero.

      I used to imagine that it was enough to stop the history list interrogators by exiting all sites by clicking down through the list to the home page, or the search page, or the Register. I am so naive.

      1. Octopoid

        It will work..

        The "History" bit clears which links display as purple, hence fixing the problem. It's really not all that serious though. You can't even tell if you've visited a specific domain, it has to be an exact link match - for example you could only tell if someone had visited Facebook if they had gone to the main homepage first - if you followed a link in to your profile, you're safe. It really is fairly limited. Still all privacy holes are bad, and should be fixed.

        It is a slightly awkward problem, in that custom CSS means it's not a matter of "blue or purple" it's ":link or :visited", and those pseudoselectors are not exposed to the DOM. This is compounded by the problem that an individual link might have extra styles applied. Personally I would be quite happy with them simply removing currentStyle access to hyperlinks, or even hardcoding any check to the default blue. How many legitimate reasons are there really for checking what colour a link currently is? All of the ones I can think of are more easily and cleanly expressed with CSS anyway.
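Added example, not part of the thread and not any browser's actual code: a small Node.js model of the fix discussed in the comment above, in which the style a page script can read for a hyperlink is always computed as if the link were unvisited, while painting still uses the real history state. The stylesheet, URLs and function names are constructed for illustration.

```javascript
'use strict';

// Constructed page stylesheet: site CSS replaces the default blue/purple and
// one link class carries extra :visited styles (the "awkward" case above).
const SHEET = [
  { pseudo: null,      cls: null,  decl: { color: 'black', 'text-decoration': 'underline' } },
  { pseudo: 'link',    cls: null,  decl: { color: 'teal' } },
  { pseudo: 'visited', cls: null,  decl: { color: 'gray' } },
  { pseudo: 'visited', cls: 'nav', decl: { color: 'silver', 'font-style': 'italic' } },
];

// History lookup is an exact URL match, not a per-domain match.
function isVisited(url, history) {
  return history.has(url);
}

// Apply matching rules in source order for a link treated as visited or not.
function cascade(link, treatAsVisited, sheet) {
  const state = treatAsVisited ? 'visited' : 'link';
  const style = {};
  for (const rule of sheet) {
    const pseudoOk = rule.pseudo === null || rule.pseudo === state;
    const classOk = rule.cls === null || rule.cls === link.cls;
    if (pseudoOk && classOk) Object.assign(style, rule.decl);
  }
  return style;
}

// What the user sees on screen: the real visited state is used.
function paintedStyle(link, history, sheet = SHEET) {
  return cascade(link, isVisited(link.href, history), sheet);
}

// What a page script is told. With the mitigation on, the answer never
// depends on history: every link is resolved as :link.
function scriptVisibleStyle(link, history, sheet = SHEET, mitigated = true) {
  const treatAsVisited = mitigated ? false : isVisited(link.href, history);
  return cascade(link, treatAsVisited, sheet);
}

// Property-by-property comparison, independent of key order.
function sameStyle(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const k of keys) if (a[k] !== b[k]) return false;
  return true;
}

// Regression check for the mitigation: the script-visible style of a link
// must be identical whether or not its URL is in the history.
function leaksVisitedState(link, sheet = SHEET, mitigated = true) {
  const seen = scriptVisibleStyle(link, new Set([link.href]), sheet, mitigated);
  const unseen = scriptVisibleStyle(link, new Set(), sheet, mitigated);
  return !sameStyle(seen, unseen);
}
```

Because the mitigated resolver ignores history for every property, it also covers per-link extras such as the italic on the `nav` class, not only colour.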

  8. Richard Porter
    Happy

    Good thing I use NetSurf then

    No javascript.

    1. Anonymous Coward
      Anonymous Coward

      Netsurf

      You are clearly a masochist

  9. DrXym

    Strange bedfellows

    Amongst all those porn / pirate sites we see Newsmax and Answers in Genesis. Two right wing fundamentalist web sites. I guess they share many of the same ethics as the people they decry, especially when it comes to privacy.

    1. Anonymous Coward
      Anonymous Coward

      Answers in Genesis

      No they are not right wing, they are Christian fundamentalist, and that is two different things. Jesus could hardly be called right wing. Clearly you are left wing and flying around in circles as a consequence.

      1. DrXym

        Yes they are right wing

        I didn't call Jesus right wing fundamentalist sites, I said these sites were. A fact which is plain just by reading them.

        As for Jesus, I have no idea what political leanings some mythologised figure had 2000 years ago. And neither do you. Hasn't stopped everyone and their uncle coopting his name to justify the most ugly and hateful views though.

  10. Dicko99

    Check yourself or friends...

    http://www.didyouwatchporn.com/ uses the same exploit...

    1. William Towle

      Re: Check yourself or friends...

      > http://www.didyouwatchporn.com/ uses the same exploit...

      I suppose it makes a very good test of how well private browsing works. Nice.

      As one site wrote regarding the other image, "a little bunny! It's funny because it's the same motif Playboy uses" (http://roget.biz/sites-pour-savoir-si-vos-potes-visitent-des-sites-pornos)

    2. Anonymous Coward
      Anonymous Coward

      I can confirm

      That that site does NOT work.

      Oh yes I did.

  11. E 2

    All I can say is

    I used the Francis character from L4D as my avatar on StackOverflow when I made an account there.

    Now, when I post elsewhere having used the same email to make my account, guess what my avatar often defaults to?

    Techeye.net particularly bothered me in this regard.

    Strangely enough Facebook has not managed to mine this connection.

    1. RJ

      Gravatar

      Maybe StackOverflow uploaded your avatar to the Gravatar service and linked it to your email?

    2. Kevin Fairhurst
      Boffin

      Same avatar across multiple sites?

      They probably use "gravatar" or something similar to set it... have a google and you will be able to change it.

  12. Pablo
    Paris Hilton

    Oh dear

    Somewhat alarmingly, charter.net is my ISP. But I see they're the number two offender after youporn, that's mighty reassuring.

  13. Anonymous Coward
    Anonymous Coward

    Well this...

    explains why Charter tries to get everyone to set their site as their homepage.

    I have seen their techs, when out here on service calls (and at others homes) try to set the home page to charter.net.

    I'm glad I don't let them touch my comps usually. If they need to use a comp for something, I have a laptop with a separate account they can use.

  14. Arctic fox

    Ah, now that's a thought......

    "And unlike the garbage software industry most of the porn we have is made in the usa keeping the jobs here."

    .............that would surely imply that the desire to watch someone else having sex with your wife could be classified as outsourcing.

  15. heyrick Silver badge

    YouPorn?

    It's a valid point James Woods makes above regarding the technical aspects of sniffing, and our trust of more mainstream sites...

    ...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get...

    1. Elmer Phud
      Alert

      Get what's coming to you

      "...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

      Hmmm, nice . . . .

    2. Grease Monkey Silver badge

      Why?

      "...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

      Why do you think that? Is it because you are some sort of modern day Mary Whitehouse?

      You may or may not like porn, but there are much, much worse things on the internet. The trouble is the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn, except possibly swearing on TV.

      1. Alpha Tony

        @Grease Monkey

        "the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn"

        Not true. They hate immigrants more. Not to mention the erosion of family values.

        Of course that doesn't stop them paying Mistress Sveltana the Ukrainian dominatrix £100 every Thursday night while the wife is at bridge club to punish them for being a very naughty boy.

        1. Anonymous Coward
          Anonymous Coward

          @Alpha Tony

          Mistress Sveltana the Ukrainian dominatrix only charges £80 on Tuesday afternoons....but that is for old age pensioners only.

    3. Anonymous Coward
      Anonymous Coward

      Why? Because it's porn?

      Porn has been around since cave paintings. Don't generalize all porn as being something seedy or bad. Porn has a healthy place in modern society. Besides, porn is pretty much mainstream now thanks to our Z list celeb culture.

    4. heyrick Silver badge

      YouPorn redux

      Wow. 7 down votes. :-) For what it is worth, I'm not a Mary Whitehouse wannabe Daily Fail reader...

      Perhaps before clicking "down" and saying "oh, what a prude", you might stop to consider that while no site is 100% secure, there are some sectors which are a magnet for dubious activity in the "exploit" sense. I mean, if you complained about getting rootkitted while cruising Russian download sites, people would laugh at you and ask "what did you expect?". But on the other hand YouPorn is acceptable? Or maybe some of you don't want to face up to the fact that visitors to such a site may be more led by their pecker than their brains, so might be a little more permissive with what they let run on their computer.

      Tell me - how well do you trust a porn site, its operators, and its security measures? Think carefully before answering, because this article is about just such a behaviour...

      1. Cameron Colley

        @heyrick -- the same way I check any other site.

        As someone who has been the victim of a drive-by infection at work by allowing scripts while checking out a completely legitimate site* I know that no site is safe.

        The way I tend to keep safe is by keeping my eyes and ears open about problems with sites by reading El reg and similar. I also tend to block all adverts and block third-party scripts on all sites (because adverts are annoying and the sites that run them have a history of being exploited).

        I also run Linux at home, and have an XP VM which I can use as a sacrificial lamb if I really want to try out a new site that could be dodgy.

        There's also a not-so-reliable but up until now fairly good rule of thumb that dodgy sites tend to "look dodgy" either badly designed, or cluttered, or full of adverts or scripts for other sites (often with names like xxccddff.co.ru). Like I said, it's not completely effective but so far aside from the history reading (which doesn't bother me as I don't have it turned on) YouPorn has shown itself to be as safe as it looks.

        *It was deliberate, I was testing NoScript and the AV installation after a colleague tipped me off.

        1. Goat Jam
          Paris Hilton

          Does not parse

          "As someone who has been the victim of a drive-by infection . . . It was deliberate"

          If it was deliberate, how exactly were you a victim?

          Paris, because I would be her victim any day . . .

          1. Cameron Colley
            Headmaster

            @Goat Jam

            Cambridge Dictionary Online definition of victim: "someone or something which has been hurt, damaged or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance"

            I still had to clean the damn infection up, so I suffered. If I have unprotected sex with someone who is HIV positive I could still describe myself as "an AIDS victim" if I suffered from the disease.

            1. Grease Monkey Silver badge

              Eejit

              "I still had to clean the damn infection up, so I suffered."

              Then you're a complete amateur. Don't you test this sort of thing on a dedicated machine that is completely reimaged every time it boots, a virtual machine perhaps?

      2. LaeMing

        Re: Tell me - how well do you trust a porn site

        Why would a (legal) porn site be any more or less trustworthy than any other (legal) site? Because porn is 'icky' in the view of some? Because only 'bad' people would run a site dealing with such content? (Maybe this is true - my experience of such things isn't exactly pervasive).

  16. Anonymous Coward
    Anonymous Coward

    javascript is only half evil

    As a dev, I know that flash LSO were/are still tracked - sites like youporn and any other pr0n site uses flash and they store flash cookies(LSO), which can be read with the right script. Even browser pr0n mode does not always clean flash cookies.

    Somebody mentioned that NoScript was a deterrent - This is hardly true. Most video sites require js enabled browser for playback.

    1. Anonymous Coward
      Happy

      a pedantically required title

      BetterPrivacy for Firefox addresses the Flash LSO problem. Setting it aggressively to clear everything it can whenever it can has not yet caused me any problems using Firefox.

      One of the advantages of NoScript is that you can be selective in the scripts that you allow. Be restrictive. I never allow anything that does not seem directly related to the task I want to achieve on that page. ElReg works quite nicely without JS, for instance.

      The only time that policy has come unstuck for me is when buying and the "Verified by Visa" system jumps up from the bank site to call a script from yet another site. One only finds out the name of the site, to consider permitting it, after the bank has already declined the transaction. Even that has an advantage; it keeps the overdraft down!

    2. Mike Kamermans

      NoScript is more fine grained than turning js on or off

      Noscript lets you selectively turn on individual scripts. Even if a site relies on javascript and flash for video playback (be that youporn or iplayer) you can still turn on only those scripts that are responsible for making that work, and keep every other script turned off.

      1. Charles 9

        But sites are getting smart.

        The sites booby-trap the sites to make sure you bite. NoScript filters by domain, and guess where the history-sniffer code's going to reside? In the same domain as the video player, which you MUST allow in order to get anything productive out of the site. So no videos without a history sniff.

  17. Anonymous Coward
    Unhappy

    javascript is only half evil

    From Wikipedia (I know that wiki is not always a veritable source of information, but....)

    "The current version of Flash does not allow 3rd party LSOs to be shared across domains. For example, an LSO from "www.example.com" cannot be read by the domain "www.example2.com".

    However, any domain can read the master LSO, which contains a listing of all LSO placing websites visited."

    The last sentence simply means that if you visit a pr0n site that uses flash and sets flash cookies in your browser, another site can collect this information. This was used by the Panopticlick project and this technique is comparable to history checks performed using css vlink.

    If you still do not trust this info, visit

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

    macromedia.com is able to pull info about all sites that set a flash cookie on your computer.

    I am not entirely sure how/where LSO are stored, but if this is a central repository (for all browsers), you can probably find details about sites that you visit via BrowserA when you are using BrowserB. This last bit is prolly paranoia, but I'd rather be paranoid rather than trust flash...

  18. web_bod
    Heart

    mouse tracking

    mouse tracking is awesome when your marketing director won't listen - we were able to use it to boost conversions on our insurance site by 30% - you could re-play their interactions with the page and it helped us detect a lot more fraudulent policies - you could watch them weighing up the risks to get the best quote - one guy must have run through his entire family trying to find the cheapest postcode to live in.

    1. Anonymous Coward
      FAIL

      Not a good predictor of fraud ...

      maybe you should design a device which detects stress patterns in speech. You could use it on the phone ...

      There are many legitimate reasons why people would change parameters when shopping for an insurance *quote*. None of which would result in fraud.

      I've just finished a research study into the possibility of detecting fraud at the point of sale of an insurance policy (motor) ... the view from on high was that we already have dedicated teams in place who analyse policies for fraud anyway. Besides, there's no way you could catch someone who did all their quote "adjusting" on one site, but purchased through another (or in person, or on the phone) having got their "perfect" profile.

      Still, kept me busy for a few days !

  19. Anonymous Coward
    Big Brother

    Browser design?

    Am I the only one who believes that most of web browsers were specifically designed to enable abuses such as this one? Call me paranoid, but how to otherwise explain a vulnerability being collectively ignored during a whole decade?

    The interests of Microsoft, Apple, Google and former Netscape are quite clear. Google also gave a lot of cash to the Mozilla Corporation, and one has to be an idiot to believe that the donation was without any strings attached.

    Who will protect me from the makers of browsers?

  20. Gnomalarta
    Happy

    Flash Cookies

    Better Privacy is the plugin for all you Firefox users. Works for me.

  21. Scott van Looy
    FAIL

    Vrhh?

    "The study also detected code on sites maintained by Microsoft, YouTube, Yahoo and About.com that perform what the scientists called “behavioral sniffing.” They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it."

    This is a website owner tracking what a user does on that website. It is not scary, it is not dangerous and it is not covert. FUD much?

    1. Anonymous Coward
      Thumb Up

      Agreed!

      The owner of the site should be allowed to employ such techniques to improve their site. No harm in that.

      1. Glenn Charles
        Pirate

        yeah, but...

        The touch screens sense the stains sometimes, supposedly, you know?

  22. Cameron Colley

    Am I the only person who has no history?

    I've never understood the point of browser history -- I can recall most sites I have visited and if I like them I'll bookmark them or, more often than not, just remember the URL. I actually find it creepy when I use another browser without the history turned off -- the red links and the fact that chrome shows a list of visited sites when I open it is just odd to me.

    Oh well, I'm sure it's just me.

    1. Charles 9

      Backtracking.

      Some people have delayed reactions to sites (reconsidering after moving on) or run into situations that require them to backtrack. It's for those kinds of people (and the people that close tabs/windows by mistake) that the browser history exists so they can get back to that site they wanted but no longer remember how they reached (and sometimes, not even searching helps--I've had that happen a few times personally).

      1. LaeMing

        I like a nice short history

        I compromise between privacy and convenience (I do sometimes need to backtrack) by setting my history quite short (usually 8 entries). I am a real cookie-nazi too: cookies are for MY convenience, not the site's!

      2. Goat Jam
        Badgers

        RE: Backtracking

        I agree. I do a lot of technical searches and rarely do I bookmark the results. Quite often I find myself in the situation where I recall having searched for something in the past. I never remember the complete URL (this especially applies to forum posts) but I can usually recall or repeat the same search terms. Having a list of google results with a few shown in purple can be a great time saver when trying to locate something you'd found another time.

        Personally, I don't know what all the hysteria regarding browser histories is all about. They can profile me all they like and I will still continue to ignore any ads they put in front of me.

        If that is the price you have to pay (ignoring targeted ads) to have a "free" (as in beer) internet then I'm prepared to pay it.

  23. Anonymous Coward
    Alert

    Futility, all is futility

    The thing that amuses me is that all this snooping and spying is in the interests of targeted advertising, Yet (imho) online advertising is generally useless. The number of purchases that actually result per snoop incident is probably down around 1 in a million, or even lower. [Yes, that number is pulled right out of my ass!] [Ooops, this is El Reg - make that "arse".]

    The energy and money invested in snooping would be far better spent making sure your commerce website is delivering the information the potential customer wants to see, in a convenient fashion.

    Example: I'm looking for a specific piece of body jewelry, a 2-gauge titanium captive segment ring (aka smooth segment ring aka segment ring), either ½" or ⅝" inner diameter. Some body jewelry sites make it very easy to ascertain if they carry such an item. Others are so badly organized that you end up scanning dozens, even hundreds, of thumbnail photos looking for what you want. Some are so awkward that one throws one's hands up in despair and goes away.

    Sure, I'm looking for an item that appears not to exist anywhere, but what about the poor teen-aged girl who's just looking for something specific for her navel piercing?

    Another example: looking for sex toys. [Don't sneer: we know all regular readers of El Reg are pimply faced youths who enjoy a little vinyl lovin' from time to time.] Most sites are very coy about what their offerings are made of (some claim to, but most of those are either confused or they're lying), to say nothing of the exact size. Is that Ultra Neutron Bomb dildo 243 mm in circumference, or is it 261 mm? Is it measured at the halfway point, or at the widest point?

    Let's not even touch on clothes, where sizing is far too often stated as "small, medium, large" with no objective measurements. Cripey, even saying "hippo sized" would be an improvement over a lot of sites, or stating "cut for the traditionally built butt".

    Marketers: don't waste your time snooping when your actual sales website is an unnavigable mess that is impossible to search effectively!

    1. Charles 9

      You ignore the costs.

      The costs involved per individual ad are so minuscule as to be nearly zero. A hit in a million is actually GOOD for the site and means PROFITS. That's why spam persists even with all the filtering in the world--they only need to get lucky once in a long while to earn enough to keep going.

    2. LaeMing
      Heart

      Sir or Ma'am! You go too far.

      "The energy and money invested in snooping would be far better spent making sure your commerce website is delivering the information the potential customer wants to see, in a convenient fashion."

      E-Commerce sites that help you buy the things you want?! What malarkey is this!

  24. Danny 2

    Tech question

    "YouPorn encodes its JavaScript to hide the sites it searches for and decodes it only when used. Other websites dynamically generate the snoop code to prevent detection by simple inspection. Still others rely on third-party history-stealing libraries from services that include interclick.com and meaningtool.com. The scientists detected the history stealing by concocting their own version of Google's Chrome browser with a JavaScript information flow engine"

    Can anyone expand on whether this is compiled code or just encoded in the script, and how the technique helped expose it?

  25. jon 72
    Boffin

    Old News

    The exploit is over a decade old and not solely confined to being a Javascript problem, there being a way to achieve the same result with cgi scripting. So the list of sites using this technique is probably a lot higher than the research suggests.

  26. Tufty Squirrel
    Coat

    deserving what you get

    >> if you go to a site called YouPorn, you kinda deserve everything you get...

    You mean "copious quantities of porn"? That's what I'd hope you get.

  27. bugalugs

    Having " passed " as a bunny before, I popped over to al4a.com

    then refreshed the didyouwatchporn thingy and it listed the visit. Used dclean to delete

    the cookie and I was clean. IE/options/tools/delete worked too. Easy to circumvent then.

  28. Glenn Charles

    Interclick.com

    Oldest in the business, to my knowledge, and once very nasty.

  29. web_bod
    WTF?

    there are never good reasons to "experiment" with your details when buying car insurance

    RE: AC :: Not a good predictor of fraud

    I think you miss the point, when we detected a lot of fudging we'd route them through to a call centre, the operator would have a full set of all the changes on the screen - a couple of polite challenges was enough to get them to crack - we had one "20 year old county court judge" who turned out to be a law student and a woman who'd found that the carpark in her local Somerfield was in a cheaper postcode and was effectively living in the superstore.

    The only reason for lying on an insurance application is to lower the premium or to get cover that you're not eligible for - there is a concept "utmost good faith" that insurers fall back on when you come to make a claim - our system simply ensured that iffy drivers paid a fair price for cover and that most people were actually getting the cover that they were paying for.

    It's simple you can lie to get a cheap premium, but your lies will be uncovered when you make a claim and the insurer is perfectly entitled to walk away and trouser any money you've paid them.
