A recent study launched by the UC San Diego Department of
Computer Science to determine the scope of privacy-violating information flows at
popular websites shows that popular Web 2.0 applications such as mashups,
aggregators, and sophisticated ad targeting are teeming with various kinds of
privacy-violating flows. Ultimately the researchers determined that such attacks
are not being adequately defended against.
This study comes as a result of the increasing complexity of
information flows’ is a general term which can be subcategorized into four
areas of nefarious activity: cookie stealing, location hijacking, history sniffing,
and behavior tracking. The researchers' goal was to draw attention to the prevalence of
history sniffing at high-traffic sites.
Websites use these exploits to gather browsing information
about patrons. They then use the information to target ads and determine whether
or not patrons are visiting competing sites.
The researchers designed a customized information flow
policy language that allowed them to detect privacy-violating flows in
the Alexa global top 50,000 websites (Alexa is a company which rates websites
based on traffic).
Specifically, the study confirmed that out of 50,000 sites,
485 are capable of inferring browser history data. Of these 485 sites, 63 are
transferring browser history data to their network, and 46 of those were actively
participating in history sniffing. The researchers also discovered a number of sites
exhibiting suspicious behavior, but using their current methods they were
unable to determine with certainty whether these sites were participating in
Among the 46 sites employing this technique, adult sites
were most common. There were also examples of news, movie, sports, music and
finance sites. The highest-ranking site, and the only one in the Alexa top
100, found guilty of history sniffing was the adult pornography site Youporn.