Study Finds Popular Sites Guilty of Hi-Jacking History

Author: Brian Donohue
minute read

A recent study launched by the UC San Diego Department of
Computer Science to determine the scope of privacy-violating information flows at
popular websites shows that popular Web 2.0 applications such as mashups,
aggregators, and sophisticated ad targeting are teeming with various kinds of
priv

HIstory sniffingA recent study launched by the UC San Diego Department of
Computer Science to determine the scope of privacy-violating information flows at
popular websites shows that popular Web 2.0 applications such as mashups,
aggregators, and sophisticated ad targeting are teeming with various kinds of
privacy-violating flows. Ultimately the researchers determined that such attacks
are not being adequately defended against.

This study comes as a result of the increasing complexity of
JavaScript web applications propagating privacy-violating information flows. ‘Privacy-violating
information flows’ is a general term which can be subcategorized into four
areas of nefarious activity: cookie stealing, location hijacking, history sniffing,
and behavior tracking. Their goal was to draw attention to the prevalence of
history sniffing at high traffic sites.

Websites use these exploits to gather browsing information
about patrons. They then use the information to target ads and determine whether
or not patrons are visiting competing sites.

The researchers designed a customized information flow
policy language that allowed them to detect privacy-violating flows in
JavaScript code and used a modified Chrome browser to conduct their study over
the Alexa global top 50,000 websites (Alexa is a company which rates websites
based on traffic.)

Specifically, the study confirmed that out of 50,000 sites,
485 are capable of inferring browser history data. Of these 485 sites, 63 are
transferring browser history data to their network. And 46 of those were actively
participating in history sniffing. They also discovered a number of sites
exhibiting suspicious behavior, but using their current methods they were
unable to determine with certainty whether these sites were participating in
history sniffing.

Among the 46 sites employing this technique, adult sites
were most common. There were also examples of news, movie, sports, music and
finance sites as well. The highest ranking and the only site in the Alexa top
100 found guilty of history sniffing was the adult pornography site, Youporn.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.