back to article Popular sites caught sniffing user browser history

Boffins from Southern California have caught YouPorn.com and 45 other sites pilfering visitors' surfing habits in what is believed to be the first study to measure in-the-wild exploits of a decade-old browser vulnerability. YouPorn, which fancies itself the YouTube of smut, uses JavaScript to detect whether visitors have …

COMMENTS

This topic is closed for new posts.

Page:

  1. Lord Lien
    Coat

    YouPorn..

    ... one of the many "Start Private Browsing" websites out there in internet-land :)

  2. mafoo
    Thumb Down

    espnf1

    espn's forumla 1 website is on that list. pretty major network there.

  3. Anonymous Coward
    Pint

    In the name of science

    Browsing youporn in the name of science. Got to love it.

    Cue:

    * 27 "where do I sign up" posts

    * 10 "Lousy Pinko Liberals wasting my tax dollars" posts

    * 8 "Think of the Children" posts

    * 15 "Think of the Children" (sarcastic or ironic) posts

    1. C Yates
      Happy

      where do I sign up? =)

      and? =)

  4. Will Godfrey Silver badge
    Linux

    How interesting.

    NoScript is your friend

    1. Scorchio!!

      Add on components

      Indeed, that and Adblock plus, BetterPrivacy (for preventing super cookie tracking), Ad blocker, Cookie Culler, Phish Tank Site Checker, Privacy Choice Tracker Watcher, and SSL Blacklist. Care is needed when using add on components. They've been known to bring problems of their own, accidental as well as intended.

  5. Tim #3
    Paris Hilton

    Hmmm

    "They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it."

    Can't they just work that out anyway?

    1. Pablo

      RE: Hmmm

      Mostly, but they can learn a little extra this way. For example, if you point at a link or an ad, that might imply you were tempted and nearly decided to click it. Potentially interesting information.

      1. LinkOfHyrule

        erratically pointing all over the place

        I have my mouse speed and acceleration settings cranked to the max so that you only need to move the mouse about 2 millimetres to move the pointer from one side of the screen to the other (Because i use the mouse on my lap and I find it works for me!) so I'd love to see what their mouse snooping utility thinks of me if I were to visit their site and they see that I'm erratically pointing all over the place!

        1. matt 83
          Alert

          at the very least

          It allows them to know how long you were looking at the page.

          Without it all the know is that you loaded a page at X and loaded another at Y. With this they can see you loaded a page at X and spent 5 minutes actively looking at it then stopped and finally loaded another page at Y

      2. Ole Juul

        People who point where they look

        Is there a name for that?

  6. James Woods

    I wouldn't demonize the porn sites.

    It's easy to kick a porn site but what about what youtube, google, facebook, myspace, and all the like do?

    I've never visited youporn or other sites like that because I wouldn't consider them to be safe to begin with but if you want to talk about sniffing.

    What is sniffed when you watch a youtube video when google owns it and it's all tied together.

    I have some porn site interests and while I don't condone any illegal sniffing or browsing of your data finding out what type of niche your into helps the industry because unlike youtube that suggests videos half the time completely unrelated to what your into (for marketing purposes and other agendas) porn sites that do this type of thing will suggest porn content that you are probably into.

    And unlike the garbage software industry most of the porn we have is made in the usa keeping the jobs here.

    1. E 2

      I really think you are missing the point.

      I really think you are missing the point.

  7. Anonymous Coward
    Stop

    There's A Fix

    CTRL-SHIFT-DEL

    Make sure you select "ALL HISTORY".

    1. Alan Firminger

      Query

      I suspect that won't work.

      The intrusion collects addresses of the purple links.

      My Firefox History is just one day, but in Preferences the default Save Visited Sites came as 9 days. Naturally I have now set it to zero.

      I used to imagine that it was enough to stop the history list interrogators by exiting all sites by clicking down through te list to the home page, or the search page, or the Register. I am so niaive.

      1. Octopoid

        It will work..

        The "History" bit clears which links display as purple, hence fixing the problem. It's really not all that serious though. You can't even tell if you've visited a specific domain, it has to be an exact link match - for example you could only tell if someone had visited Facebook if they had gone to the mian homepage first - if you followed a link in to your profile, you're safe. It really is fairly limited. Still all privacy holes are bad, and should be fixed.

        It is a slightly awkward problem, in that custom CSS means it's not a matter of "blue or purple" it's ":link or :visited", and those psuedoselectors are not exposed to the DOM. This is compunded by the problem that an individual link might have extra styles applied. Personally I would be quite happy with them simply removing currentStyle access to hyperlinks, or even harcoding any check to the default blue. How many legitimate reasons are there really for checking what colour a link currently is? All of the ones I can think of are more easily and cleanly expressed with CSS anyway.

  8. Richard Porter
    Happy

    Good thing I use NetSurf then

    No javascript.

    1. Anonymous Coward
      Anonymous Coward

      Netsurf

      You are clearly a masochist

  9. DrXym

    Strange bedfollows

    Amongst all those porn / pirate sites we see Newsmax and Answers in Genesis. Two right wing fundamentalist web sites. I guess they share many of the same ethics as the people they decry, especially when it comes to privacy.

    1. Anonymous Coward
      Anonymous Coward

      Answers in Genesis

      No they are not right wing, they are Christian fundamentalist, and that is two different things. Jesus could hardly be called right wing. Clearly you are left wing and flying around in circles as a consequence.

      1. DrXym

        Yes they are right wing

        I didn't call Jesus right wing fundamentalist sites, I said these sites were. A fact which is plain just be reading them.

        As for Jesus, I have no idea what political leanings some mythologised figure had 2000 years ago. And neither do you. Hasn't stopped everyone and their uncle coopting his name to justify the most ugly and hateful views though.

  10. Dicko99

    Check yourself or friends...

    http://www.didyouwatchporn.com/ uses the same exploit...

    1. William Towle

      Re: Check yourself or friends...

      > http://www.didyouwatchporn.com/ uses the same exploit...

      I suppose it makes a very good test of how well private browsing works. Nice.

      As one site wrote regarding the other image, "a little bunny! It's funny because it's the same motif Playboy uses" (http://roget.biz/sites-pour-savoir-si-vos-potes-visitent-des-sites-pornos)

    2. Anonymous Coward
      Anonymous Coward

      I can confirm

      That that site does NOT work.

      Oh yes I did.

  11. E 2

    All I can say is

    I used the Francis character from L4D as my avatar on StackOverflow when I made an account there.

    Now, when I post elsewhere having used the same email to make my account, guess what my avatar often defaults to?

    Techeye.net particularly bothered me in this regard.

    Strangely enough Facebook has not managed to mine this connection.

    1. RJ

      Gravatar

      Maybe StackOverflow uploaded your avatar to the Gravatar service and linked it to your email?

    2. Kevin Fairhurst
      Boffin

      Same avatar across multiple sites?

      They probably use "gravatar" or something similar to set it... have a google and you will be able to change it.

  12. Pablo
    Paris Hilton

    Oh dear

    Somewhat alarmingly, charter.net is my ISP. But I see they're the number two offender after youporn, that's mighty reassuring.

  13. Anonymous Coward
    Anonymous Coward

    Well this...

    explains why Charter tries to get everyone to set their site as their homepage.

    I have seen their techs, when out here on service calls (and at others homes) try to set the home page to charter.net.

    I'm glad I don't let them touch my comps usually. If they need to use a comp for something, I have a laptop with a separate account they can use.

  14. Arctic fox

    Ah, now that's a thought......

    "And unlike the garbage software industry most of the porn we have is made in the usa keeping the jobs here."

    .............that would surely imply that the desire to watch someone else having sex with your wife could be classified as outsourcing.

  15. heyrick Silver badge

    YouPorn?

    It's a valid point James Woods makes above regarding the techincal aspects of sniffing, and our trust of more mainstream sites...

    ...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get...

    1. Elmer Phud
      Alert

      Get what's coming to you

      "...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

      Hmmm, nice . . . .

    2. Grease Monkey Silver badge

      Why?

      "...but I just can't help thinking if you go to a site called YouPorn, you kinda deserve everything you get..."

      Why do you think that? Is it because you are some sort of modern day Mary Whitehouse?

      You may or may not like porn, but there are much, much worse things on the internet. The trouble is the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn, except possibly swearing on TV.

      1. Alpha Tony

        @Grease Monkey

        "the average Daily Mail reader likes to bury their head in the sand and pretend there is nothing worse in the world than porn"

        Not true. They hate immigrants more. Not to mention the errosion of family values.

        Of course that doesn't stop them paying Mistress Sveltana the Ukranian dominatrix £100 every Thursday night while the wife is at bridge club to punish them for being a very naughty boy.

        1. Anonymous Coward
          Anonymous Coward

          @Alpha Tony

          Mistress Sveltana the Ukranian dominatrix only charges £80 on Tuesday afternoons....but that is for old age pensioners only.

    3. Anonymous Coward
      Anonymous Coward

      Why? Because it's porn?

      Porn has been around since cave paintings. Don't generalize all porn as being something seedy or bad. Porn has a healthy place in modern society. Besides, porn is pretty much mainstream now thanks to our Z list celeb culture.

    4. heyrick Silver badge

      YouPorn redux

      Wow. 7 down votes. :-) For what it is worth, I'm not a Mary Whitehouse wannabe Daily Fail reader...

      Perhaps before clicking "down" and saying "oh, what a prude", you might stop to consider that while no site is 100% secure, there are some sectors which are a magnet for dubious activity in the "exploit" sense. I mean, if you complained about getting rootkitted while cruising russian download sites, people would laugh at you and ask "what did you expect?". But on the other hand YouPorn is acceptable? Or maybe some of you don't want to face up to the fact that visitors to such a site may be more lead by their pecker than their brains, so might be a little more permissive with what they let run on their computer.

      Tell me - how well do you trust a porn site, its operators, and its security measures? Think carefully before answering, because this article is about just such a behaviour...

      1. Cameron Colley

        @heyrick -- the same way I check any other site.

        As someone who has been the victim of a drive-by infection at work by allowing scripts while checking out a completely legitimate site* I know that no site is safe.

        The way I tend to keep safe is by keeping my eyes and ears open about problems with sites by reading El reg and similar. I also tend to block all adverts and block third-party scripts on all sites (because adverts are annoying and the sites that run them have a history of being exploited).

        I also run Linux at home, and have an XP VM which I can use as a sacrificial lamb if I really want to try out a new site that could be dodgy.

        There's also a not-so-reliable but up until now fairly good rule of thumb that dodgy sites tend to "look dodgy" either badly designed, or cluttered, or full of adverts or scripts for other sites (often with names like xxccddff.co.ru). Like I said, it's not completely effective but so far aside from the history reading (which doesn't bother me as I don't have it turned on) YouPorn has shown itself to be as safe as it looks.

        *It was deliberate, I was testing NoScript and the AV installation after a colleague tipped me off.

        1. Goat Jam
          Paris Hilton

          Does not parse

          "As someone who has been the victim of a drive-by infection . . . It was deliberate"

          If it was deliberate, how exactly were you a victim?

          Paris, because I would be her victim any day . . .

          1. Cameron Colley
            Headmaster

            @Goat Jam

            Cambridge Dictionary Online definition of victim: "someone or something which has been hurt, damaged or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance"

            I still had to clean the damn infection up, so I suffered. If I have unprotected sex with someone who is HIV positive I could still describe myself as "an AIDS victim" if I suffered from the disease.

            1. Grease Monkey Silver badge

              Eejit

              "I still had to clean the damn infection up, so I suffered."

              Then you're a complete amateur. Don't you test this sort of thing on a dedicated machine that is completely reimaged every time it boots, a virtual machine perhaps?

      2. LaeMing

        Re: Tell me - how well do you trust a porn site

        Why would a (legal) porn site be any more or less trustworthy than any other (legal) site? Because porn is 'icky' in the view of some? Because only 'bad' people would run a site dealing with such content? (Maybe this is true - my experience of such things isn't exactly pervasive).

  16. Anonymous Coward
    Anonymous Coward

    javascript is only half evil

    As a dev, I know that flash LSO were/are still tracked - sites like youporn and any other pr0n site uses flash and they store flash cookies(LSO), which can be read with the right script. Even browser pr0n mode does not always clean flash cookies.

    Somebody mentioned that NoScript was a deterrent - This is hardly true. Most video sites require js enabled browser for playback.

    1. Anonymous Coward
      Happy

      a pedantically required title

      BetterPrivacy for Firefox addresses the Flash LSO problem. Setting it aggressively to clear everything it can whenever it can has not yet caused me any problems using Firefox.

      One of the advantages of NoScript is that you can be selective in the scripts that you allow. Be restrictive. I never allow anything that does not seem directly related to the task I want to achieve on that page. ElReg works quite nicely without JS, for instance.

      The only time that policy has come unstuck for me is when buying and the "Verified by Visa" system jumps up from the bank site to call a script from yet another site. One only finds out the name of the site, to consider permitting it, after the bank has already declined the transaction. Even that has an advantage; it keeps the overdraft down!

    2. Mike Kamermans

      NoScript is more fine grained than turning js on or off

      Noscript lets you selectively turn on individual scripts. Even if a site relies on javascript and flash for video playback (be that youporn or iplayer) you can still turn on only those scripts that are responsible for making that work, and keep every other script turned off.

      1. Charles 9

        But sites are getting smart.

        The sites booby-trap the sites to make sure you bite. NoScript filters by domain, and guess where the history-sniffer code's going to reside? In the same domain as the video player, which you MUST allow in order to get anything productive out of the site. So no videos without a history sniff.

  17. Anonymous Coward
    Unhappy

    javascript is only half evil

    From wikipedia(I know that wiki is not always a veritable source of information, but....)

    "The current version of Flash does not allow 3rd party LSOs to be shared across domains. For example, an LSO from "www.example.com" cannot be read by the domain "www.example2.com".

    However, any domain can read the master LSO, which contains a listing of all LSO placing websites visited."

    The last sentence simply means that if you visit a pr0n site that uses flash and sets flash cookies in your browser, another site can collect this information. This was used by panoptclick project and this technique is comparable to history checks performed using css vlink.

    If you still do not trust this info, visit

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

    macromedia.com is able to pull info about all sites that set a flash cookie on your computer.

    I am not entirely sure how/where LSO are stored, but if this is a central repository(for all browsers), you can probably find details about sites that you visit via BrowserA when you are using BrowserB. This last bit is prolly paranoia, but I'd rather be paranoid rather than trust flash...

  18. web_bod
    Heart

    mouse tracking

    mouse tracking is awesome when your marketing director won't listen - we were able to use it to boost conversions on our insurance site by 30% - you could re-play their interactions with the page and it helped us detect a lot more fraudulent policies - you could watch them weighing up the risks to get the best quote - one guy must have run through his entire family trying to find the cheapest postcode to live in.

    1. Anonymous Coward
      FAIL

      Not a good predicator of fraud ...

      maybe you should design a device which detects stress patterns in speech. You could use it on the phone ...

      There are many legitimate reasons why people would change parameters when shopping for an insurance *quote*. None of which would result in fraud.

      I've just finished a research study into the possibility of detecting fraud at the point of sale of an insurance policy (motor) ... the view from on high was that we already have dedicated teams in place who analyse policies for fraud anyway. Besides, there's no way you could catch someone who did all their quote "adjusting" on one site, but purchased through another (or in person, or on the phone) having got their "perfect" profile.

      Still, kept me busy for a few days !

  19. Anonymous Coward
    Big Brother

    Browser design?

    Am I the only one who believes that most of web browsers were specifically designed to enable abuses such as this one? Call me paranoid, but how to otherwise explain a vulnerability being collectively ignored during a whole decade?

    The interests of Microsoft, Apple, Google and former Netscape are quite clear. Google also gave a lot of cash to the Mozilla Corporation, and one has to be an idiot to believe that the donation was without any strings attached.

    Who will protect me from the makers of browsers?

Page:

This topic is closed for new posts.

Other stories you might like