GameboyRMH's Journal: Facebook's pure HTML tracking system
So, thought you were safe from all the tracking systems out there with your browser locked down like Fort Knox? You've got your scripts, cookies, Flash objects & storage all working on a whitelist system, your browser's geolocation API disabled, and maybe even more. And all the tracking & analytics systems out there rely on Javascript and those other "higher functions," right?
Not really. Facebook's doing it old school. It's a long story you can read here, but a peculiar effect caused by my menagerie of security plugins brought my attention to a new form of tracking that Facebook has been using for (at least) roughly the last week. On a Wired.com page, I found that Facebook is using a small iframe that fetches a page with a URL such as:
http://www.facebook.com/widgets/like.php?href=http://www.wired.com/autopia/2011/08/no-public-transit-no-job/&layout=button_count&show_faces=false
In this case, the base URL of the page this was found on was http://www.wired.com/autopia/2011/08/no-public-transit-no-job/
This iframe actually renders the Like button.
This form of tracking will work with the most basic of browsers with all client-side scripting/application systems and web-facing APIs disabled. Upon doing more research I found that Lynx is actually safe as it doesn't display frame contents, but rather converts them into hyperlinks.
From this tracking iframe Facebook can get, at a bare minimum, the following info:
- The page you've just viewed
- Your IP address
- Your browser's user agent string (which, by default, contains far more detail than you might think - right down to your machine's CPU architecture).
It should also be possible, on a permissive browser, to set cookies, run Javascript from this iframe (which it does include) to collect much of the info shown in the Panopticlick project, and access HTML5 storage, Flash storage, and the geolocation API.
The only surefire way to block it would be to blacklist all connections to any Facebook domains - and the domains of any other tracking services that deploy similar systems in the future.
I was considering posting this to Slashdot's firehose but some more research has shown that Facebook has been offering at least some sort of iframe method for inserting Like buttons since at least April 2010, so I'll just post to my journal for now rather than potentially making a fool of myself.
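As an added example (not part of the original journal entry or its comments), here is a small static audit in Python of the mechanism described above: it walks a page's HTML for resources the browser would fetch from a third-party host with no scripting at all, iframes like the like.php widget and, generalizing to the point raised in the comments below, image and CSS url() loads, and it pulls out the page URL the widget hands over in its href parameter. The sample HTML and the host tracker.example are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import re

# Constructed sample modelled on the embed described above; tracker.example is a placeholder host.
SAMPLE_HTML = """<html><head>
<style>body { background: url('http://tracker.example/bg.png'); }</style>
</head><body>
<img src="/images/logo.png">
<script src="http://www.wired.com/js/app.js"></script>
<iframe src="http://www.facebook.com/widgets/like.php?href=http://www.wired.com/autopia/2011/08/no-public-transit-no-job/&amp;layout=button_count&amp;show_faces=false"></iframe>
<div style="background-image:url(http://tracker.example/pixel.gif)"></div>
</body></html>"""

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")

class CrossSiteLoadFinder(HTMLParser):
    """Records every resource the page makes the browser fetch from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.in_style, self.hits = False, []   # hits: (kind, url) in document order
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # HTMLParser has already unescaped &amp; in attribute values
        if tag in ("iframe", "frame", "img", "script", "embed") and a.get("src"):
            self._record(tag, a["src"])
        for u in CSS_URL.findall(a.get("style") or ""):   # inline style="...url(...)"
            self._record("css-url", u)
        self.in_style = tag == "style"
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:   # url(...) inside a <style> block
            for u in CSS_URL.findall(data):
                self._record("css-url", u)
    def _record(self, kind, url):
        host = urlparse(url).hostname
        if host and host != self.page_host:   # relative and same-host loads are skipped
            self.hits.append((kind, url))

def find_cross_site_loads(page_url, html):
    """Return [(kind, url)] for every third-party load the page triggers."""
    p = CrossSiteLoadFinder(page_url)
    p.feed(html)
    return p.hits

def leaked_page_url(widget_url):
    """Page URL the widget reports back, read from its href query parameter."""
    return parse_qs(urlparse(widget_url).query).get("href", [None])[0]
```

Every hit is a request that carries your IP address, user agent and (via the Referer header or, for the widget, the href parameter) the page you are reading, which is exactly what a whitelist tool like RequestPolicy would prompt you about.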
yet another reason I hate facebook... (Score:1)
Cross-site requests (Score:2)
Note that disabling frames will not fix this; such a widget can gather information just as easily when loaded as an image or other resource - even inside a CSS property ("background-image:url(http://evil/tracker)") which will be evaluated even with the browser in full-on no-scripting mode. The browser is designed to automatically fetch resources when told to do so by a website, regardless of where that resource might be or what information you will transmit simply by requesting it.
Using something like AdBlo
Re: (Score:2)
It should also be possible to block all cross-site requests (loading resources from domain A while on a page from domain B), but that will make all large websites that use CDN basically unusable.
A plugin called RequestPolicy allows cross-site requests to be put under a whitelist policy, but as you said that will break any sites that use CDNs.
Re: (Score:1)
No, it will not break them. It will only require that you explicitly enable the site to access the cdn address. Since the cdn URLs are easy to identify (and you'll immediately notice that something is not working without them), it's easy to enable them.
Re: (Score:2)
True, but that's a pretty big inconvenience to block a handful of tracking services. That's just my opinion on the security/convenience tradeoff, from a purely technical standpoint RequestPolicy is actually the best solution.
Still, if half the sites out there worked like the Gawker sites, and there were only a few malicious/anti-privacy uses of JS in the wild, I probably wouldn't have my JS on a whitelist system.
Re: (Score:1)
Here's a filter subscription for AdBlock [techairlines.com] to filter out some social media sharing buttons. Just found it via a quick google search. Seems to work for the most part so far. The main Facebook (etc.) sites work, but just the individual cross-site trackers are blocked.
Re: (Score:2)
Google Analytics always uses Javascript. If you don't allow scripts from google-analytics, it doesn't run. Most tracking services are the same. The difference here is that this will run on any basic browser as long as it renders frames or at least fetches them; a JS whitelisting system like NoScript won't block it.
Pure HTML tracking has always been possible but this is the first time I've seen it used. Another user told me that some less well known 3rd party trackers use similar techniques, so maybe it isn't that
Re: (Score:1)
But shouldn't just fetching the scripts from analytics reveal IP and web page (via referrer)?
Re: (Score:2)
I've checked out Google Analytics code and it only fetches remote scripts in the middle of embedded scripts, so if you don't allow scripts they won't be fetched at all.
But this raises a good question about NoScript's behavior: if a script isn't allowed, will it block the script from being fetched? If not, then the request could reveal the IP, site and browser agent.
I just looked it up and NoScript is supposed to block all script fetching unless the site is whitelisted, although it's been broken a few times
Re: (Score:2)
Clearly you're so intelligent that you've found a way to break Slashdot's 120-character sig limit. Enlighten us, oh wise one!
Re: (Score:2)
Too bad I'll never know the identity of this genius whose somewhat superior web knowledge to mine makes him a god among Slashdot's insects.
Re: (Score:2)
I was just trying to get your ego to reach critical mass to see what happens. Had many lolz, would do again.
NoScript can block iframes (Score:1)
NoScript can block iframes, if you tell it so ;-)
Iframes that were blocked appear as dim-yellow areas. You then need to click the blocked iframe to enable it.
Re: (Score:2)
Ah yes I see it under the Embeddings options. Interesting feature!
It looks like the best solution will be RequestPolicy with its new blacklist mode which is due to be released in the next few months. Or you could use it right now in whitelist mode, if you're up to the extra effort.