History Sniffing: How YouPorn Checks What Other Porn Sites You’ve Visited

earlyresort · on Dec 2, 2010

I've seen this technique used, in conjunction with popular sites that skew heavily male or female, to guess the gender of the user for ad targeting.

I've also seen this technique used on software-as-a-service sites to check for visits to competitors. If the user's already visited a competitor's landing page, an us vs. them feature comparison is shown. If the user's visited a competitor's page that's only accessed by their paying customers, offer them a coupon for switching. If the user has never visited a competitor at all, don't mention any - why educate the user about alternatives?

Using history sniffing to validate the quality of data purchased from BlueKai is a new one to me, but plausible.

Whatever the rationale, it's still a violation of user privacy.

ZoFreX · on Dec 2, 2010

Nothing new here, this is an old technique that already exploded a while back. The Mozilla team said they would be removing this "security hole", I don't know if they have yet.

What most reporting on it fails to cover is the nature of the "history sniffing". They cannot view your browser history. What they can do is query specific URLs against a black box that either says "yes" or "no" to the question "has this user been to this exact URL at some point in the past?"

andrewgph · on Dec 2, 2010

The styling of a:visited elements seems to have been removed in Chromium, there's some discussion of this here:

http://code.google.com/p/chromium/issues/detail?id=56802

So I don't think history sniffing using this method is possible anymore in Chromium. I disappointingly found this out when playing around with facebook history sniffing, so if anyone thinks I'm wrong please let me know!

JacobAldridge · on Dec 2, 2010

Here's Mozilla's linked post on this, from March of this year - http://blog.mozilla.com/security/2010/03/31/plugging-the-css...

To support your statement, I haven't found anything saying this has been removed.

fhars · on Dec 2, 2010

There seems to be a partial fix in the 4.0 codebase: https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c259

sid0 · on Dec 2, 2010

Yeah, sites like http://www.didyouwatchporn.com/ and http://ha.ckers.org/weird/CSS-history-hack.html fail to work in Firefox 4. The followup bugs are more to do with tuning what is allowed and what isn't, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=559722.

BillGoatse · on Dec 2, 2010

The script on YouPorn’s site that checks a user’s history (which you can see for yourself by going to the site and checking out its html with 'View Source')

Did Forbes just tell me to go to YouPorn.com? :)

apl · on Dec 2, 2010

Why yes, it did. You seem a little prudish for someone who goes by the moniker of Mr Goatse.

chunkbot · on Dec 2, 2010

These are the 23 sites that YouPorn is checking for:

pornhub.com

redtube.com

adultfriendfinder.com

xvideos.com

tube8.com

xnxx.com

megaporn.com

megarotic.com

xhamster.com

awempire.com

realitykings.com

brazzers.com

xtube.com

bangbros1.com

fling.com

freeones.com

myfreepaysite.com

debonairblog.com

payserve.com

maxporn.com

videosz.com

aebn.net

pornorama.com

Legion · on Dec 2, 2010

Thanks for the links.

RBr · on Dec 2, 2010

This has been around since at least 2006: http://crypto.stanford.edu/sameorigin/

spot · on Dec 2, 2010

my fav use of this: http://didyouwatchporn.com/ esp the viral part where you can get a report from all your friends.

cmer · on Dec 2, 2010

Totally broken for me. Says I didn't watch pr0n. oops!

endlessvoid94 · on Dec 2, 2010

"Porn enthusiasts" is quite a descriptor.

MrFlibble · on Dec 2, 2010

Perhaps "aficionado" would be better, you know, for classy porn.

napierzaza · on Dec 2, 2010

I didn't need to imagine a porn site sniffing anything thank you.

chopsueyar · on Dec 2, 2010

Favorite tube aggregators?