December 2, 2010

Browser Bug Exploited By Porn Sites

Research finds that porn sites are among the top users of a browser bug that reveals all the places people go online.

Computer science researchers at UC San Diego carried out the study that found 485 sites exploiting the bug.

The glitch gives sites access to all the other sites that users have visited. Many use it to target ads or to see whether users are patronizing rivals.

The researchers said their work showed a need for better defenses against history tracking.

The technique exploits the way many browsers handle links people have visited.

Code can be written to interrogate a visitor's browser to see how it treats links to a given list of websites.

The team surveyed 50,000 of the web's most visited websites and found that 485 sites used this method in order to check a browser's history.

The most popular site that uses the technique is an adult site called YouPorn. Many other porn sites use it too, as do sports, news, movies and finance websites.

The researchers also looked at other popular techniques that sites use to map and monitor what visitors do.  Some run scripts that track the trail a user's mouse pointer takes on and across pages.

"Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," the researchers wrote.

The team found that some modern browsers, like Google's Chrome and Apple's Safari, are not vulnerable to history hijacking and that the most recent version of Mozilla has also closed the loophole. Internet Explorer users can bypass the bug by turning on "private browsing."

Users can check how much information they are leaking by visiting a webpage set up by security researchers that tries to grab their history.

The researchers said there was a "pressing need to devise flexible, precise and efficient defenses" against the history hijacking technique.

The research team is now planning more in-depth work that it hopes will result in tools that will more comprehensively defend against attempts to exploit the bug.

