Feeds

Popular sites caught sniffing user browser history

YouPorn nabbed in real-world privacy sting

The Power of One eBook: Top reasons to choose HP BladeSystem

Boffins from Southern California have caught YouPorn.com and 45 other sites pilfering visitors' surfing habits in what is believed to be the first study to measure in-the-wild exploits of a decade-old browser vulnerability.

YouPorn, which fancies itself the YouTube of smut, uses JavaScript to detect whether visitors have recently browsed to PornHub.com, tube8.com and 21 other sites, according to the study. It tracked the 50,000 most popular websites and found a total of 46 other offenders, including news sites charter.net and newsmax.com, finance site morningstar.com and sports site espnf1.com.

“We found that several popular sites – including an Alexa global top-100 site – make use of history sniffing to exfiltrate information about users' browsing history, and, in some cases, do so in an obfuscated manner to avoid easy detection,” the report states. “While researchers have known about the possibility of such attacks, hitherto it was not known how prevalent they are in real, popular websites.”

To cover its tracks, YouPorn encodes its JavaScript to hide the sites it searches for and decodes it only when used. Other websites dynamically generate the snoop code to prevent detection by simple inspection. Still others rely on third-party history-stealing libraries from services that include interclick.com and meaningtool.com.

The scientists detected the history stealing by concocting their own version of Google's Chrome browser with a JavaScript information flow engine that “uses a dynamic source-to-source rewriting approach.”

The 46 sites exploit a widely known vulnerability that currently exists in all production version browsers except of Apple's Safari, which earlier this year became the first major browser to insulate users against the threat. Google Chrome, which is based on the same Webkit engine, soon followed. Beta versions of Mozilla Firefox and Microsoft Internet Explorer also fix the problem, but production versions of those browsers are still wide open.

The exploit works by using JavaScript to read cascading style sheet technologies included in virtually every browser that causes visited links to appear in purple rather than blue. Developers have known of the weakness for a decade or more but until recently said it couldn't be easily repaired without removing core functionality.

The study also detected code on sites maintained by Microsoft, YouTube, Yahoo and About.com that perform what the scientists called “behavioral sniffing.” They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it.

A PDF of the paper, which was written by Dongseok Jang, Ranjit Jhala, Sorin Lerner, and Hovav Shacham, is here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.