
Browser History File Hijack

     
3:52 pm on Dec 2, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22823
votes: 304


Browser History File Hijack [bbc.co.uk]
A survey of 50,000 of the web's most visited websites by the team from UC San Diego found 485 sites using this method to get at browser histories, 63 were copying the data it reveals and 46 were found to be "hijacking" a user's history.

"Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," wrote the researchers.

The researchers pointed out that some modern browsers, such as Chrome and Safari, are not vulnerable to history hijacking and that the most recent version of Mozilla has closed the loophole. Users of Internet Explorer can defeat the bug by turning on "private browsing".

4:31 pm on Dec 2, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Interesting Findings:

1) "when a user clicks on a link, there is a clear visual cue that information is being sent over the network the target of the link will know that the user has clicked.

However, when we list clicking as being tracked covertly, we mean that there is an additional event-handler that tracks the click, and sends information about the click to another server. google is known for doing this: when a user clicks on a link on the search page, the click is recorded by google through an event handler, without any visual cue that this is happening"

2) Of the 115 sites on which the filtered flow were reported, we found that 7 used a behavior tracking software product developed by tynt to track what is copied off the sites.

3) "While investigating several sites that installed event handlers, we also found that the huffingtonpost site exhibits suspicious behavior."

5:19 pm on Dec 2, 2010 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


Interesting find. 1% of the 50K most visited sites. Clickileaks, anyone?

5:38 pm on Dec 2, 2010 (gmt 0)

Full Member from US 

10+ Year Member

joined:July 12, 2000
posts:323
votes: 4


An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications

[cseweb.ucsd.edu...]

While investigating several sites that installed event handlers, we also found that the huffingtonpost.com site exhibits suspicious behavior. In particular, every article on the site's front page has an onmouseover event handler. These handlers collect in a global data structure information about what articles the mouse passes over. We consider this case to be suspicious because not only is the infrastructure present, but it in fact collects the information locally.

6:15 pm on Dec 2, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts:4393
votes: 2


And Smart Phones?

8:18 pm on Dec 2, 2010 (gmt 0)

Moderator from CA 

WebmasterWorld Administrator httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 29, 2003
posts:4059
votes: 0


With a few mouse event handlers and a little AJAX, recording behaviour of users on your page is trivial. Testing a given list of sites against a user's history is easy - the CSS/JavaScript trick that enables it has been known for a couple of years, at least.

Note that this hack can't return your entire browsing history. What it can do is tell whether a particular URL is in your browser's history.

You can glean quite a lot of insight from just a few "hits" if you query the history creatively. It depends what you want to find out about your visitors.

Once that information is received at the server, your web experience can be tailored to your browsing habits.


Tracking clicks makes sense; why would someone not do that? Tracking mouseovers... not as much. I don't consider tracking mouse events to be privacy violations, though it is a bit creepy.
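
An added example, not part of the post above and not the UC San Diego team's tooling: a defensive runtime monitor that flags scripts reading the computed style of links to many distinct outside hosts, the read pattern a history check of this kind depends on. The names `installLinkStyleMonitor`, `makeFakeWindow` and `auditStyleReads`, the threshold of 10, and the `.example` hosts are assumptions constructed for illustration; the fake window stands in for a browser so the code runs under Node.

```javascript
// Wraps win.getComputedStyle and counts the distinct third-party hosts
// whose link styles are read by scripts on the page.
function installLinkStyleMonitor(win, threshold = 10) {
  const pageHost = new URL(win.location.href).hostname;
  const foreignHosts = new Set();
  const original = win.getComputedStyle;
  win.getComputedStyle = function (el, pseudo) {
    if (el && String(el.tagName).toUpperCase() === 'A' && el.href) {
      let host = null;
      try {
        host = new URL(el.href, win.location.href).hostname;
      } catch (e) { /* unparsable href: ignore */ }
      if (host && host !== pageHost) foreignHosts.add(host);
    }
    return original.call(this, el, pseudo);
  };
  return {
    foreignHostCount: () => foreignHosts.size,
    suspicious: () => foreignHosts.size >= threshold,
    restore: () => { win.getComputedStyle = original; },
  };
}

// Constructed stand-in for a browser window (assumption, not a real DOM).
function makeFakeWindow(pageUrl) {
  return {
    location: { href: pageUrl },
    getComputedStyle: () => ({ color: 'rgb(0, 0, 238)' }),
  };
}

// Replays a list of link targets through the monitored API and reports.
function auditStyleReads(pageUrl, hrefs, threshold = 10) {
  const win = makeFakeWindow(pageUrl);
  const monitor = installLinkStyleMonitor(win, threshold);
  for (const href of hrefs) {
    win.getComputedStyle({ tagName: 'A', href }).color;
  }
  const report = {
    foreignHosts: monitor.foreignHostCount(),
    suspicious: monitor.suspicious(),
  };
  monitor.restore();
  return report;
}

// Constructed inputs: a site styling its own navigation vs. many outside hosts.
const ownNav = ['/home', '/about', '/contact'];
const manyForeign = Array.from({ length: 25 }, (_, i) => `https://site${i}.example/`);
console.log(auditStyleReads('https://news.example/', ownNav));
console.log(auditStyleReads('https://news.example/', manyForeign));
```

The threshold is a tuning knob: layout code legitimately reads link styles, so the signal is the number of distinct outside hosts touched, not any single read.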
11:17 pm on Dec 2, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member

joined:Apr 14, 2010
posts:3169
votes: 0


Some "reputable" companies are doing the same under the guise of doing "wholesome" things with it, but it all adds to someone's bottom line (not the visitor) and so is all the same. Browsers should ban any entity that attempts to retrieve visitor history; it's nobody's business but your own.
 
