A team of researchers from the University of California, San Diego, are spotlighting the use of "history sniffing" to track user activity online.
Researchers at the University of California,
San Diego, have shined a light
on the way some popular Websites sniff browser histories to
track user activity.
In a paper titled "An Empirical Study of
Privacy-Violating Information Flows in JavaScript Web Applications" (PDF),
the group detailed their analysis of Alexa's global top 50,000
Websites, which they performed with a modified version of the Google
Chrome browser. What they discovered is that 485 of the sites are capable of
inferring browser history data, 63 of which are transferring that data to their
network. In addition, 46 sites were actively participating in history sniffing.
"In most browsers, all application domains share access to a single
visited-page history, file cache, and DNS cache," the report states. "This
leads to the possibility of history sniffing attacks. ... The attack uses the
fact that browsers display links differently depending on whether or not their
target has been visited."
Essentially, attackers trying to sniff histories insert invisible links into
Web pages and use JavaScript to inspect certain style properties of the links,
such as the color field, to determine whether or not someone has visited a
particular URL, the researchers explained. Web analytics firms Tealium and
Beencounter sell services that allow a Website to collect the browsing history
of their visitors using history sniffing, the report notes.
Some of the sites revealed to be performing history sniffing include
YouPorn.com, TwinCities.com and Charter.net, according to the report. A
complete list of sites is contained with the report linked to above.
"Honestly, we didn't know what to expect, as history sniffing is an old
problem-known since at least 2002-and there has been lots of academic research
about history sniffing and possible fixes to it. ... However there were no
systematic studies of history sniffing being used in the wild," said
Ranjit Jhala, co-author of the report. "Our research contribution was that
we built a tool that would detect certain kinds of history sniffing and
unleashed it on the top sites on the Internet. We suspected we might find
instances of history sniffing, because it's clear that there are reasons why
someone might want to do it, but we had no idea where we'd find them or what
they'd look like."
The latest versions of Apple Safari and Google Chrome are not vulnerable to
this kind of history sniffing, and Mozilla has a fix slated for Firefox 4.0,
Jhala said.
The issue of tracking online consumers has been in the news lately due to
the Federal Trade Commission's "Do
Not Track" proposal. In a media call Dec. 1, FTC Chairman Jon
Leibowitz said self-regulation of privacy by businesses has failed to
protect consumers.
"I was surprised that so many popular and mainstream sites actively
gather this kind of information which I would consider somewhat personal,"
Jhala said of the history sniffing. "One analogy is say, I walk into a
Banana Republic store and am told by the salesperson that they've been
monitoring me and know I have recently visited the Gap, J Crew, CVS,
Trader Joes and so on. Perhaps the bigger surprise was that there is an entire
industry that has grown around this practice-behavioral analytics. That said,
perhaps this was inevitable, as advertising is what makes the Internet go
round."
Email
Print
