How To Profit From Invading Your Users' Privacy
shoemoney
*Important Notice* Please consult the laws in your area before acting on anything in this post. Even though many sites are doing some of the methods I describe, that does not mean it's legal. Consult your legal counsel.
What if I told you that just by visiting my website I am able to know everything about you? What sites you have been to, your name, your wife's name, your phone number, your household income, and much more.
Here is how it works
One of the things your web browser (Internet Explorer, Chrome, Firefox, etc.) checks for is the links on the site you are viewing. This is a "feature" for the user so they are able to tell if they have been to the linked site before. By default, links that you have not visited are underlined blue and links that you have visited are a violet color. Websites can override these defaults using cascading style sheets (CSS) to make links a certain color, or even replace the text altogether and load images for the links or, more importantly, for visited links.

Now I can also set each visited link to a particular image. So, let's say you come to my site and have visited apple.com. I could load apple.com as the image for that link if you had visited the site. But that is not very practical. What would be practical (and profitable) is to set links for the top 10000 retail sites in the world in a 1 pixel frame that the user would never see. While the user would not see it, the website owner would, and could then load advertisements based on what sites you have previously visited.

This actually exposes a MUCH bigger problem though. If you can load an image based on where a person has been, then what's stopping me from dropping an eBay affiliate cookie if you have been to eBay? An Apple cookie if you have been to apple.com? An Amazon cookie, if I know you shop at Amazon? Dropping these cookies via an image would pay me every time you continue to shop at these sites you already shop at. Plus it would be a nightmare for affiliate programs because, unlike most cookie stuffing, your click-through to conversion would be in line (maybe even more in line) rather than what you get from blindly cookieing the entire world and easily getting busted.

Now before you run off and do this: people are not only getting kicked out of affiliate programs for stuffing cookies, but some are actually being charged with "wire fraud" by the FBI.
It doesn't really matter anyway though, because about a year ago web browsers started blocking the ability to load images from visited active links. So can you still see where all your users have been? Yes, but it takes a little more technical ability. Through JavaScript you can check which links your visitors have visited. All you have to do is set your visited links to an arbitrary color and then simply query the browser to see which links match the color you have chosen. Let's say we don't even use CSS and leave the visited link as the default color. Then I would run this code on the page:

function stealHistory() {
  // `websites` is a predefined array of URLs to test, defined elsewhere on the page
  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {
    var link = document.createElement("a");
    link.id = "id" + i;
    link.href = websites[i];
    link.innerHTML = websites[i];
    document.body.appendChild(link);
    // read back the color the browser actually rendered the link with
    var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
    document.body.removeChild(link);
    // check for visited: the literal is the color the page expects for visited links
    if (color == "rgb(0, 0, 255)") {
      document.write('' + websites[i] + '');
    } // end visited check
  }
}
This would loop through a predefined set of specified websites and then check to see what color your web browser is displaying them as. If you have visited them then I know.
Now you might think that it takes a while to check all these sites to see if you have visited them before. It really is a client-side thing so it varies, but in my tests I was able to load 10,000 sites in less than 5 seconds.
The scary thing is you could mix some Ajax in with this and load an image that would still stuff cookies, or maybe even an iframe.
Now the above is obviously just proof-of-concept code. You would want to log the data to some sort of database.
What if I told you I was doing this to people on my sites... not stuffing but just tracking them. Tracking their IP with all the sites they visit. You would say I am pretty shady, right?
Big sites are doing it right now
A report done 7 months ago by the University of California, San Diego scanned more than 50,000 of the top Alexa-ranked sites, and here are some of the big names that were using JavaScript to detect what sites you have been to:

youtube.com, wired.com, technorati.com, youporn.com, charter.net, newsmax.com, namepros.com, morningstar.com, twincities.com, yahoo.co.jp, sina.com.cn, microsoft.com, mail.ru, about.com, thesun.co.uk, perezhilton.com

Maybe you recognize some of them? A lot of them have since removed the code. Read the full report for more details. It also has the exact code the sites were using (a lot better than my example above).
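For anyone reviewing their own site or third-party scripts for the link-color check described in this post, here is a small static heuristic, added as an example and not taken from the post or from the UCSD report. The signal names, the decision rule and the three sample scripts are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for the link-color history check.
// Signal names and the decision rule are assumptions made for this example.
const SIGNALS = [
  { name: "creates-anchor", re: /createElement\(\s*["']a["']\s*\)/i },
  { name: "sets-href", re: /\.href\s*=/ },
  { name: "reads-computed-style", re: /getComputedStyle\s*\(/ },
  { name: "reads-color", re: /getPropertyValue\(\s*["'](?:background-)?color["']\s*\)/ },
  { name: "compares-rgb-literal", re: /[=!]==?\s*["']rgb\(/ },
  { name: "loops", re: /\bfor\s*\(|\bwhile\s*\(|\.forEach\s*\(/ },
];
const CORE = ["creates-anchor", "sets-href", "reads-computed-style", "reads-color"];

function auditScript(source) {
  // Drop comments so commented-out code does not count as a signal.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
  const hits = SIGNALS.filter((s) => s.re.test(code)).map((s) => s.name);
  // Flag only when every core step is present and the script also loops over
  // candidates or compares the color against a fixed rgb() literal.
  const suspicious = CORE.every((n) => hits.includes(n)) &&
    (hits.includes("loops") || hits.includes("compares-rgb-literal"));
  return { hits, suspicious };
}

// Constructed sample inputs (not taken from any real site).
const SNIFFER = `
for (var i = 0; i < sites.length; i++) {
  var link = document.createElement("a");
  link.href = sites[i];
  document.body.appendChild(link);
  var color = getComputedStyle(link, null).getPropertyValue("color");
  if (color == "rgb(0, 0, 255)") { report(sites[i]); }
}`;
const THEME = `
// pick a readable text color for the current theme
var bg = getComputedStyle(document.body).getPropertyValue("background-color");
document.body.classList.toggle("dark", bg === "rgb(0, 0, 0)");`;
const NAV = `
items.forEach(function (item) {
  var a = document.createElement("a");
  a.href = item.url;
  nav.appendChild(a);
});`;

for (const [name, src] of Object.entries({ SNIFFER, THEME, NAV })) {
  const r = auditScript(src);
  console.log(name, r.suspicious ? "FLAG" : "ok", r.hits.join(","));
}
```

A flag is a lead for manual review, not proof: the heuristic does not see obfuscated or dynamically generated code.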