Porn sites top list of tracking bug-affected URLs


3 Dec 2010

Porn sites top a list of revealed sites that use a technique to exploit a browser bug that reveals all places people go online, as well as recording browser history, new research shows.

Researchers that compiled the paper, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, say that YouPorn.com came in at the top of the list of the websites that used the tracking bug.

Around 50,000 of the web’s most-visited sites were surveyed and found that 485 sites used the history tracking bug, and revealed that 63 sites in all were copying that data. Forty-six were found to be hijacking users’ histories.

History sniffing

The researchers at UC San Diego said the inspected URLs on YouPorn.com are “listed in the JavaScript in encoded form and decoded right before they are used. On other websites, the history-sniffing JavaScript is not statically inserted in a web page, but dynamically generated in a way that makes it hard to understand that history sniffing is occurring by just looking at the static code.

The researchers also found that many of the websites make use of a handful of third-party history-sniffing libraries and that “popular Web 2.0 applications like mashups, aggregators and sophisticated ad targeting are rife with different kinds of privacy-violating flows”.

Attack code

The researchers looked into how certain operators run scripts that track the trail a user’s mouse pointer takes on and across pages and revealed which browsers can be affected by the attack code.

Chrome and Safari are not vulnerable and the updated version of Firefox has closed loopholes.

The study examined cookie stealing, location hijacking, history sniffing and behaviour tracking.