Skip to Content
Uncategorized

Wired.com and Huffington Post Amongst List of Privacy-Invading Websites

Behavior and history-sniffing websites know what you copy, click, and rollover, and even which of their competitors you’re visiting.
December 3, 2010

A new paper (pdf) from researchers at the University of California, San Diego reveals that a significant proportion of the 50,000 most-visited sites on the web are engaging in some level of behavioral tracking. Furthermore, and more disturbingly, a few are actually examining your browser’s history to determine what other sites you visit, exploiting a security vulnerability known about for a decade.

What the web looks like from the perspective of a javascript behavior-examining browser custom-built for this experiment.

Not all of the transgressions uncovered by lead author Dongseok Jan are equally invasive. Less offensive are sites like Wired, Technorati, Answerbag, and Perez Hilton, which are using analytics service Tynt.com to, for example, track what content users are copying and pasting from their websites, a process called “behavior sniffing.” More worrisome is behavior known as “history sniffing,” in which a site uses javascript to query a browser about what sites its users have visited previously. Jan’s list includes 46 websites engaging in this behavior.

Youporn.com, which determines whether a user has visited its competitors’ websites, even went so far as to engage in a primitive form of cryptography in order to hide the URLs of the sites it’s asking about.

History sniffing works because browsers change the color of links a user has already visited: the javascript used on these sites simply queries those specific links to see if their color has been changed. The exploit does not work in Google’s Chrome or Apple’s Safari browsers, and a fix for Firefox is available in its newest version. Internet Explorer, however, remains vulnerable to this exploit.

The researchers singled out the Huffington Post for special opprobrium:

Suspicious website While investigating several sites that installed event handlers, we also found that the huffingtonpost.com site exhibits suspicious behavior. In particular, every article on the site’s front page has an on-mouse-over event handler. These handlers collect in a global data structure information about what articles the mouse passes over. Despite the fact the information is never sent on the network, we still consider this case to be suspicious because not only is the infrastructure present, but it in fact collects the information locally.

Morningstar.com has reported that it had no idea it was collecting this information, which appears to have been gathered by an ad network, called Interclick, running banners on its site. Interclick claims that the history sniffing it engaged in was simply an attempt to gather quality-control data to verify the anonymized data it gets from other sources. This data allows it to segment users by type, for example, car enthusiast, technology buyer, juggalo, etc.

For more on this discovery, including the custom web browsing engine the researchers built to examine the javascript of thousands of websites, check out the UCSD press release and the original paper (pdf).

This post is indebted to the uncommonly good (and thorough) technology reporting of Forbes.com’s Kashmir Hill.

Keep Reading

Most Popular

Workers disinfect the street outside Shijiazhuang Railway Station
Workers disinfect the street outside Shijiazhuang Railway Station

Why China is still obsessed with disinfecting everything

Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

Europe's AI Act concept
Europe's AI Act concept

A quick guide to the most important AI law you’ve never heard of

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.