Researchers at the University of California, San Diego, have shined a light on the way some popular Websites sniff browser histories to track user activity.
In a paper titled “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications” (PDF), the group detailed their analysis of Alexa’s global top 50,000 Websites, which they performed with a modified version of the Google Chrome browser. What they discovered is that 485 of the sites are capable of inferring browser history data, 63 of which are transferring that data to their network. In addition, 46 sites were actively participating in history sniffing.
“In most browsers, all application domains share access to a single visited-page history, file cache, and DNS cache,” the report states. “This leads to the possibility of history sniffing attacks. … The attack uses the fact that browsers display links differently depending on whether or not their target has been visited.”
Essentially, attackers trying to sniff histories insert invisible links into Web pages and use JavaScript to inspect certain style properties of the links, such as the color field, to determine whether or not someone has visited a particular URL, the researchers explained. Web analytics firms Tealium and Beencounter sell services that allow a Website to collect the browsing history of their visitors using history sniffing, the report notes.
Some of the sites revealed to be performing history sniffing include YouPorn.com, TwinCities.com and Charter.net, according to the report. A complete list of sites is contained with the report linked to above.
“Honestly, we didn’t know what to expect, as history sniffing is an old problem-known since at least 2002-and there has been lots of academic research about history sniffing and possible fixes to it. … However there were no systematic studies of history sniffing being used in the wild,” said Ranjit Jhala, co-author of the report. “Our research contribution was that we built a tool that would detect certain kinds of history sniffing and unleashed it on the top sites on the Internet. We suspected we might find instances of history sniffing, because it’s clear that there are reasons why someone might want to do it, but we had no idea where we’d find them or what they’d look like.”
The latest versions of Apple Safari and Google Chrome are not vulnerable to this kind of history sniffing, and Mozilla has a fix slated for Firefox 4.0, Jhala said.
The issue of tracking online consumers has been in the news lately due to the Federal Trade Commission’s “Do Not Track” proposal. In a media call Dec. 1, FTC Chairman Jon Leibowitz said self-regulation of privacy by businesses has failed to protect consumers.
“I was surprised that so many popular and mainstream sites actively gather this kind of information which I would consider somewhat personal,” Jhala said of the history sniffing. “One analogy is say, I walk into a Banana Republic store and am told by the salesperson that they’ve been monitoring me and know I have recently visited the Gap, J Crew, CVS, Trader Joes and so on. Perhaps the bigger surprise was that there is an entire industry that has grown around this practice-behavioral analytics. That said, perhaps this was inevitable, as advertising is what makes the Internet go round.”