

YouPorn sued for sniffing browser history - zone411
http://news.cnet.com/8301-30685_3-20024696-264.html?tag=topTechnologyNews;topTechContentWrap

======
dangrossman
Why is this illegal?

Why would this method of learning about your browser history be illegal, while
the ways Google/DoubleClick/Comscore/etc track you across >80% of all webpages
are not?

They all involve nothing but HTTP and JavaScript, and none of them involve
giving permission first...

~~~
rwmj
Of course the fact that they have been sued does not mean they did anything
illegal (or even anything wrong). It just means that a couple of people in
California scraped the money together to instruct a lawyer.

------
lunaru
For anyone wondering what javascript is involved, it's simply dynamically
creating an <a> tag to said third-party site and doing a getComputedStyle on
it to see if it's a certain color. The color can be set via your own CSS with
a and a:visited.

------
j_baker
Just out of curiosity, what kind of embarrassing data could they pull out of
my browser history? I guess I should be scared they might find out about all
of the porn I've been watching. Oh wait... nevermind.

~~~
JoachimSchipper
I think it's just market research for them. That doesn't mean that it's not a
privacy issue.

On the other hand, I agree that there are worse things to worry about.

------
mfukar
This was "addressed" by the Mozilla folk back in March [1] in a blog post, a
fix will be deployed with Firefox 4, which will be long overdue by then, in my
opinion.

[1] [http://blog.mozilla.com/security/2010/03/31/plugging-the-
css...](http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-
leak/)

------
zone411
I don't think anybody would be too surprised to see a porn site using this
sniffing trick, but some other sites listed are quite surprising to me:
charter.net, namepros.com, morningstar.com, straightdope.com, twincities.com.

------
andre3k1
I'm left wondering if both Wired.com and PerezHilton.com are going to be
subjected to the same sort of lawsuit.

Related: <http://techme.me/ANFk> ("YouPorn, Perez Hilton Exploit Bug to Obtain
Your Browsing History")

~~~
rsingel
At the risk of sounding like a corporate apologist since I write for
Wired.com, Wired.com did NOT use the javascript history hack. It was noted in
the report for using Tynt.com, which notices which portions of a story a
reader copies and pastes and inserts a link back to the story. Wired.com has
since stopped using the service, in no small part because it annoyed the
writers, but it never, to my knowledge and to the report's findings, secretly
captured users' browser histories. You can read the full report's findings at
the following link:
<http://cseweb.ucsd.edu/users/lerner/papers/ccs10-jsc.pdf>.

~~~
andre3k1
Hey. Just a suggestion, but maybe it would have been better from a PR
standpoint to come clean with your viewers in a blog post.

Explain how it happened without your knowledge. Explain how Wired won't let it
ever happen again. Etc. Etc.

Readers love the transparency :)

~~~
rsingel
I'm not sure there's really anything to report back. Tynt is fairly widely
used, and is really nothing more than a piece of javascript that watches copy
and paste and inserts a link back to the original story into the paste buffer.
It's annoying, but there's no profiling going on and is far less of a tracking
system than say Google Analytics. It's just more annoying.

------
jacquesm
firefox users:

about:config

layout.css.visited_links_enabled -> false

problem solved.

~~~
patio11
That is not necessarily sufficient, because there are many, many variations on
this attack.

For example, suppose my target site has an asset at a well known URL, such as:

<http://www.google.com/intl/en_ALL/images/srpr/logo1w.png>

I could execute Javascript on your machine to load that in a standard IMG tag,
in a div with display: none set on it. I could then, via a variety of fairly
unobtrusive methods, time how long it takes your browser to load that image.

If you have been to Google recently, that image will be cached, and your
browser will load it almost instantaneously. If you have not been to Google
recently, that image will not be in your cache, and my Javascript will
_trivially_ be able to tell the difference between "presence of a network
request going through the Internet" and "absence of said request."

You don't even really need the asset if you want to be tricky about it. (I can
time your DNS cache, too, it just takes a little more work.)

~~~
detst
I was thinking recently about how a similar technique could be used on
DropBox. Government employee uploads "sensitive" data and sees that no actual
data is transfered. They now have a person of interest in a leak or possession
case.

~~~
bdonlan
That requires the data the government employee has to be byte-for-byte
identical to the one already in dropbox, which is unlikely for an unintended
leak.

------
Mithrandir
Firefox add-on that prevents this (come FF 4, of course, and there won't be
any need for it):

<http://www.safehistory.com/>

~~~
snprbob86
Looks like someone implemented this for Chromium as well:
<http://codereview.chromium.org/1591027/show>

I'm not sure if it is main Chrome builds yet or not. Anyone know the status of
this?

~~~
_delirium
This bug report claims that it was fixed in Chrome 6, over the summer:
<http://code.google.com/p/chromium/issues/detail?id=40312>

------
aarlo
What do they use the data for?

~~~
findm
I'm guessing they can see what fraction of their visitors also visiting their
competitor's site.

I'm not sure what else they can gather but I'd imagine that if you can pick up
on what "videos/pages/articles" those visitors are visiting, you can seed your
own site with similar content to further entice them to use your site as a
primary resource and decrease the chance they will visit the competition.

------
joshu
i wonder why cars.com and edmunds.com?

a) either they all were by the same people

b) there's a referral stuffing attack?

------
tfe
I wonder how people would react if Wikileaks engaged in this practice.

