Common Browser Exploits
Homepage Hijacking and Favorites Hijacking
A few lines of JavaScript on any site can change a user's IE homepage, because IE exposes this to script (it is the same mechanism behind "make this your homepage" links). Sometimes a user will like a site and click a link that makes it their homepage (also known as the "start page"), or will want to add it to their list of "Favorites," and they are too lazy or busy to go through IE's own menus. That convenience is not a problem in itself, but when it is abused the problem is a large one. When a user's homepage is "hijacked," changing it back through Internet Options usually does not stick, because a program or setting the hijacker left behind restores it the next time the browser starts. (Homepage hijacking is possible in non-IE browsers, but rarer.) When a user's "Favorites" are hijacked, an entry for a site appears that will not let itself be removed. IE is the only browser with which "Favorites" hijacking is possible, because Microsoft built IE specifically to allow it: the first time a user installs IE, a list of "Favorites" is already supplied, and some of them cannot be deleted along the default route. So this is a case of "it's not a bug, it's a *feature*."

A few years ago, the only people who hijacked homepages or favorites were unscrupulous crackers who wanted to annoy people and keep track of how often they opened their browser. But advertisers have learned from these crackers and now use many of the same methods, including homepage hijacking.

To change your homepage once it has been hijacked: uninstalling your browser and installing a fresh copy will generally fix this. However, if the hijacking is done by a program, the program must be removed first, or it will simply reset the homepage again.

IE Security Zone Exploit

Internet Explorer (IE) uses four security zones to decide what sort of content the browser will allow or block. The three the user can populate are "Trusted sites," "Restricted sites," and "Local intranet"; any site not in one of them falls into the "Internet" zone. The "Trusted" zone is the problem: its default security level is "Low," which lets ALL content from a domain in that zone run, including ActiveX controls, cookies, JavaScript, and so on.
All a cracker, advertiser or DCA has to do is somehow get their site added to a lot of people's Trusted zones, and voila! They will be able to do plenty of bad things to those users whenever the users visit the site. In fact, newer versions of AOL Instant Messenger (AIM) do exactly this. When a user installs AIM, the site free.aol.com is added to their IE Trusted zone. This is potentially hazardous, because under the default configuration, if they go to free.aol.com, whatever is on the site will run without a prompt. After knowledge of this AIM exploit spread earlier in 2002, many attempts were made by crackers to gain unauthorized access to free.aol.com so they could put up malicious web content that would run on unsuspecting users' computers. Websites have NO RIGHT to add themselves to a particular zone; if you really "trusted" them, you would add them yourself.

Preventing Trusted zone exploits: change your security settings for the Trusted zone (the "Custom Level" button under Tools > Internet Options > Security) to prompt before doing anything like running ActiveX or accepting cookies. Also, add free.aol.com to your Restricted sites: crackers may yet gain access to it, as it is now a very enticing site to crack. Alternatively, use a different browser.

ActiveX Controls and "Drive-by Downloads"

According to the ActiveX website, "ActiveX is a set of technologies from Microsoft that enables interactive content for the World Wide Web. Before ActiveX, Web content was static, 2-dimensional text and graphics. With ActiveX, Web sites come alive using multimedia effects, interactive objects, and sophisticated applications that create a user experience comparable to that of high-quality CD-ROM titles. ActiveX provides the glue that ties together a wide assortment of technology building blocks to enable these *active* Web sites." However, along with increased functionality for web designers come very high security risks. An ActiveX control is not a sandboxed script: it is native code (a COM component) that a web page can have the browser download and run with the full privileges of the logged-in user, so in effect a remote server gets to run a program on your computer.
Misuse of these controls can let someone modify the contents of your disk, either by deleting files or by putting new, unasked-for files on your drive, without even letting you know about it. In fact, this is a very popular way for spyware to install itself through advertising banners. It is generally called "drive-by downloading" and basically means that just by viewing an ad, your browser installs spyware onto your computer in the background without notifying you, and you move on to the next ad-infested site, never realizing you were "shot." This is easily prevented by setting your browser either to block ActiveX or to prompt before loading a control. In the case of IE, it is best to use this setting for ALL security zones, including Trusted sites.

Domain Logs

Every time you "visit" a website, your browser is actually requesting and downloading a file or series of files from a remote web server. Along with the request goes information the server needs in order to send the files back, such as the IP address to reply to and the file requested, plus some it does not strictly need, such as the browser and OS of the user (the User-Agent string; some sites serve a different version of a page depending on it). These requests are saved in the server's access log, in entries generally of the form:

xxx.xxx.xxx.xxx - - [05/Oct/2002:22:28:50 -0700] "GET /file.html HTTP/1.1" xxx "http://referringurl.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

where xxx.xxx.xxx.xxx is the IP of the user requesting the file, the two dashes are the (usually empty) identd and login-name fields, the bracketed date is when the request arrived, "GET /file.html" is the request, the "xxx" is the status code of the transfer (200 means OK, 404 means "file not found," 304 means "not modified since last retrieval"; many servers also log the number of bytes sent right after it), referringurl.com is the referring URL (the web page through which the user reached the file), and the rest says what browser and OS they were using. A server can also log what it is told about when you last fetched the document (the If-Modified-Since header the browser sends for a cached copy). Your screen resolution is not part of an HTTP request; a site can only learn it if a script on the page reads it and reports it back.
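The log format above is easy to parse, and an adserver's log is the raw material for the tracking discussed next. As an added example (not from the original page), the following script parses entries in that format (with or without the bytes-sent field) and builds, per client IP, what the server can assemble from nothing but its own log: which sites its banner was shown on (from the Referer field), how often, and with which browser. The IPs, host names and log lines are constructed for the example.

```javascript
// Added example (not from the original page): parse access-log entries in
// the format shown above and build, per client IP, the profile an adserver
// can assemble from nothing but its own log. Host names, IPs and log lines
// below are constructed for this example.

// Fields: ip identd user [time] "method path proto" status [bytes] "referer" "user-agent"
// The bytes field is optional so that both the page's form and the common
// Apache "combined" form parse.
const LOG_LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (?:(?:-|\d+) )?"([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null; // not a well-formed entry
  const [, ip, time, method, path, proto, status, referer, userAgent] = m;
  let refererHost = null;
  if (referer && referer !== '-') {
    try { refererHost = new URL(referer).hostname; } catch (e) { /* malformed Referer */ }
  }
  return { ip, time, method, path, proto, status: Number(status), referer, refererHost, userAgent };
}

// Count banner loads per IP. 200 = banner sent, 304 = browser revalidated a
// cached copy (e.g. an auto-refreshing banner); either one means the page
// carrying the banner was on screen.
function profileByIp(lines) {
  const profiles = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || (rec.status !== 200 && rec.status !== 304)) continue;
    if (!profiles.has(rec.ip)) {
      profiles.set(rec.ip, { hits: 0, sites: new Set(), agents: new Set(), first: rec.time, last: rec.time });
    }
    const p = profiles.get(rec.ip);
    p.hits += 1;
    p.last = rec.time;
    if (rec.refererHost) p.sites.add(rec.refererHost);
    p.agents.add(rec.userAgent);
  }
  return profiles;
}

// Constructed sample: one banner, two client IPs, two referring sites.
const SAMPLE_LOG = [
  '10.0.0.7 - - [05/Oct/2002:22:28:50 -0700] "GET /banner.gif HTTP/1.1" 200 "http://site-a.example/news.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
  '10.0.0.7 - - [05/Oct/2002:22:31:12 -0700] "GET /banner.gif HTTP/1.1" 200 "http://site-b.example/forum/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
  '10.0.0.7 - - [05/Oct/2002:22:31:40 -0700] "GET /banner.gif HTTP/1.1" 304 "http://site-b.example/forum/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
  '10.0.0.9 - - [05/Oct/2002:22:33:05 -0700] "GET /banner.gif HTTP/1.1" 200 3012 "http://site-a.example/news.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1)"',
  '10.0.0.9 - - [05/Oct/2002:22:35:00 -0700] "GET /banner.gif HTTP/1.1" 200 3012 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1)"',
  'garbage line that does not parse',
];

// Stand-alone run: print what the adserver learns about each IP.
for (const [ip, p] of profileByIp(SAMPLE_LOG)) {
  console.log(ip, p.hits, 'hits on', [...p.sites].join(', ') || '(no referer)', 'between', p.first, 'and', p.last);
}
```

Note that the 304 entry still counts as a sighting: a conditional re-fetch of the banner tells the server the page was reloaded or the banner refreshed, which is exactly how it estimates how long you stayed.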
These logs are not accessible to the general public (they can, however, be read by an intruder who cracks the web server). Logging this information is important for domain managers: it is evidence if their site is attacked, and it is general information about who visits. Every domain keeps a log like this, and the vast majority do not use it for bad purposes. However, domain logs can be exploited by DCAs in several ways.

Very few websites store their advertising banners locally. Most advertisers want the banner loaded dynamically, so that they, and not the webmaster, control its content, so the img tag for a banner points to an image on the adserver. Downloading the banner leaves an entry in the adserver's log like the example above. On its own this is not a serious exploit, because there is little they can do with the information except collect it: most IP addresses are assigned dynamically by the user's Internet service provider (ISP) and so do not identify a specific user, and in most households more than one person uses the same browser and Internet connection, so a DCA cannot tie the transfer to a specific person from the log entry alone. But advertisers put their banners on many different sites, so from the Referer field they can keep track of which combination of URLs a particular IP or range of IPs visits, how often, and for how long (if the banner is set to refresh itself after a given amount of time).

Preventing yourself from being entered in domain logs: if you are unsure about a site and do not want it to know what OS/browser you are using, or you have a static IP, you can access the site through an anonymizing proxy. Anonymizing proxies are third-party websites that download the files you request and then display them to you.
When using an anonymizing proxy, you never contact the other website directly, so its log records the proxy's IP and only whatever headers the proxy chooses to pass along. Some anonymizers are The Anonymizer (which requires you to register), GoProxy (which includes all sorts of strange advertisements and cookies), and Sam Spade's "safe web browser" (which displays the source of HTML documents so you can see what a page does without rendering it). There are many other methods of anonymous browsing, but these are perhaps the "most legal."

Web Bugs

Web bugs are small, usually transparent .gif images like this one (I put a border around it so you can see it better), but with a small twist: if you save this image to your disk, right-click its icon and choose "Properties," you will notice that the "Last Modified" date is set far in the future! Advertisers can use this to their advantage. Most content viewed by your browser is downloaded to disk and stored in a cache. When you later revisit the website, or open the HTML email that contains the web bug, your browser checks with the remote server whether there is a newer version of the .gif. It does this by telling the server the "Last-Modified" date of its cached copy (the If-Modified-Since request header). A DCA can turn that into an identifier: hand each new visitor a copy of the .gif with a different timestamp, record which timestamp went to whom, and every later request that echoes a timestamp back is tied to that visitor, with no cookie involved. (The ETag header, which the browser echoes back as If-None-Match, can be abused in exactly the same way.)

Preventing tracking using web bugs: clearing the browser's cache often will, in most cases, prevent this sort of tracking, since the identifier lives in the cached copy. A disk-checking utility such as Norton Disk Doctor (not a free download; it comes with the paid Norton Utilities / SystemWorks bundle) will check for errors on your disk, including invalid timestamps, so running it may reveal web bugs in your cache, although it carries a lot of overhead (Norton's applications are bulky and slow).
Probably the best prevention is to use a browser with a robust image manager (Mozilla and Opera come to mind, as I will discuss in the next section) that lets you pick and choose which images to download. Text-only browsers like Lynx do not display images at all (though they will offer to download one if you ask) and so keep web bugs out of your cache entirely.

Images in HTML Email

Many Windows-based clients and all web-based email services will render HTML tags in email, including inline images. Every time you open an email with HTML content that includes an image, your email client or web browser (for web-based email) contacts the web server hosting the image to download it. This leaves an entry in that domain's log. This generally is not a problem, except for web-based email: the referring URL, which is the URL of the page the email was displayed in, is added to the domain log. Even when the image URL is the same in every copy of the message, so that the log alone does not name the reader, a spammer or DCA can compile statistics about which email domains give them the most "hits" and focus their spamming on those domains. Worse, coupled with web bugs as described above, or simply by putting a different image URL in each recipient's copy, a spammer or DCA can find out exactly which email addresses are active, without the user (stupidly) replying to the message or clicking an "opt-out" link.

Preventing tracking based on images in HTML email: this is one of the most difficult tracking tactics to combat, because it relies on ordinary HTML and HTTP behaviour rather than on any bug. Using a non-HTML email client is the most effective method, but most people who use web-based email do not have an account that allows them to use a client.
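To make the two tracking mechanisms above concrete, here is an added example (not from the original page) with a toy tracking server and a toy browser cache. It shows the web-bug trick from the previous section, where the Last-Modified / If-Modified-Since exchange carries a visitor identifier with no cookie involved and clearing the cache severs the link, and the email trick from this section, where a per-recipient image URL names the reader outright. Host names, paths, addresses and the request/response objects are made up for the example; real browsers and servers exchange the same headers over HTTP.

```javascript
// Added example (not from the original page): a toy tracking server and a
// toy browser cache, to show how a web bug turns the Last-Modified /
// If-Modified-Since exchange into a visitor identifier with no cookie
// involved, and how a per-recipient image URL in HTML email names the
// reader outright. Host names, paths and addresses are made up.

// 1x1 transparent GIF (the standard web-bug image), as raw bytes.
const GIF_1x1 = Buffer.from('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

// The tracking server: every new visitor gets the .gif with its own unique,
// far-future "Last-Modified" date; the date doubles as the visitor's ID.
class WebBugServer {
  constructor() {
    this.visitorByStamp = new Map();   // Last-Modified value -> visitor id
    this.nextVisitor = 1;
    this.recipientByToken = new Map(); // email token -> address it was sent to
    this.opens = [];                   // addresses whose copy was rendered
  }

  // Image URL to embed in one recipient's copy of a mailing.
  pixelFor(address) {
    const token = `r${this.recipientByToken.size + 1}`;
    this.recipientByToken.set(token, address);
    return `/mail.gif?r=${token}`;
  }

  // Handle one request as a browser would send it: { path, headers }.
  handle(req) {
    const url = new URL(req.path, 'http://ads.example');
    const token = url.searchParams.get('r');
    if (token && this.recipientByToken.has(token)) {
      this.opens.push(this.recipientByToken.get(token)); // that email was opened
    }
    const ims = req.headers['if-modified-since'];
    if (ims && this.visitorByStamp.has(ims)) {
      // The browser echoed back a stamp we issued earlier: known visitor.
      return { status: 304, headers: {}, visitor: this.visitorByStamp.get(ims) };
    }
    // Unknown (or cache-cleared) browser: mint a unique stamp as its ID.
    const id = this.nextVisitor++;
    const stamp = new Date(Date.UTC(2038, 0, 1) + id * 1000).toUTCString();
    this.visitorByStamp.set(stamp, id);
    return { status: 200, headers: { 'last-modified': stamp }, body: GIF_1x1, visitor: id };
  }
}

// The browser side: a cache keyed by URL that revalidates with
// If-Modified-Since, as real browsers do.
class BrowserCache {
  constructor() { this.lastModified = new Map(); }
  fetch(server, path) {
    const headers = {};
    if (this.lastModified.has(path)) headers['if-modified-since'] = this.lastModified.get(path);
    const res = server.handle({ path, headers });
    if (res.status === 200) this.lastModified.set(path, res.headers['last-modified']);
    return res;
  }
  clear() { this.lastModified.clear(); }
}

function demo() {
  const server = new WebBugServer();
  const alice = new BrowserCache();
  const bob = new BrowserCache();

  const a1 = alice.fetch(server, '/bug.gif'); // first visit: 200 + unique stamp
  const b1 = bob.fetch(server, '/bug.gif');   // another browser, another stamp
  const a2 = alice.fetch(server, '/bug.gif'); // revalidation: 304, and recognised
  alice.clear();                              // the defence the text recommends
  const a3 = alice.fetch(server, '/bug.gif'); // now looks like a brand-new visitor

  // HTML email: each copy carries its own pixel URL, so whoever renders
  // Alice's copy reveals that alice@mail.example is a live address.
  const aliceCopy = server.pixelFor('alice@mail.example');
  server.pixelFor('carol@mail.example');      // Carol's copy is never opened
  bob.fetch(server, aliceCopy);

  return {
    firstVisitIds: [a1.visitor, b1.visitor],
    stampsDiffer: a1.headers['last-modified'] !== b1.headers['last-modified'],
    revisit: { status: a2.status, visitor: a2.visitor },
    afterClear: a3.visitor,
    opens: server.opens.slice(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the revisit step is that the browser is only doing what the HTTP cache rules require; the server needs no script and no cookie, which is why blocking cookies alone does not stop this.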
Using a browser, and an email client that shares the browser's settings (Netscape Messenger, Mozilla Mail, Opera's mail client), with a robust image manager will help curb this problem.

Cookies

Cookies are small pieces of text that a server sends along with a page or image, which the browser stores on the user's hard drive and sends back on later requests to that server. The only time a cookie can be stored on a user's computer is when the browser downloads a file from the cookie's domain. The text a cookie contains can be anything, from a "last visit" flag to a user's credit card information. Because cookies travel in plaintext unless the connection uses HTTPS, any network the packet passes through can read them. Most websites will encrypt very personal information, like a credit card number, before putting it in a cookie. Once a cookie is stored on a user's computer, the only domain that can read it back is the one it came from.

That domain rule is exactly what advertisers exploit. As previously mentioned, advertisers display their banners dynamically on third-party websites, which means the browser must contact the adserver to download the banner. They are not going to run a separate adserver for every website they advertise on, so a user going to different sites ends up contacting the same adserver repeatedly. The adserver cannot read the cookies that websiteA.com and websiteB.com set; what it can do is set its own cookie the first time the browser fetches a banner, after which the browser sends that cookie back with every banner request, together with the Referer header saying which page the banner was on. Thus Adserver1, which advertises on both websiteA.com and websiteB.com, recognizes the same browser on both sites and can build up a profile of where it goes.

Preventing cookies: all browsers that support cookies also let you turn them off. Not all browsers are equal, and some of them may force you to make life-or-death decisions concerning cookies. (I will discuss the merits and demerits of various browsers as they pertain to this in the next topic!) However, cookies can be useful, especially if you order things online through companies like Amazon or half.com. Some websites, like Yahoo! Mail, will not let you log in unless you have cookies enabled.
Thus, privacy concerns must also take functionality into account, and any web browser you use should have a good cookie manager. The merits of 5 different browsers will be analyzed in the next section.
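Before moving on to the browser comparison, here is an added example (not from the original page) of the cookie scoping and adserver correlation described in the Cookies section above: a minimal cookie jar, two first-party sites and one adserver. It shows that each host receives only its own cookies (the adserver never sees a site's session cookie, and the site never sees the adserver's), and that the adserver nevertheless links one browser across both sites using only its own cookie plus the Referer header on the banner request. Cookie scoping is simplified to an exact host match (no Domain/Path attributes, no Secure flag), and all host names and cookie values are made up.

```javascript
// Added example (not part of the original page): a minimal cookie jar and
// three toy servers, to show which cookie reaches which host and how a
// third-party adserver links one browser across two sites using only its
// own cookie plus the Referer header. Scoping is simplified to an exact
// host match (no Domain/Path attributes, no Secure flag); all host names
// and cookie values are made up.

class CookieJar {
  constructor() { this.byHost = new Map(); } // host -> Map(name -> value)

  // The Cookie header to send to `host`: only that host's own cookies.
  cookieHeaderFor(host) {
    const c = this.byHost.get(host);
    return c ? [...c].map(([k, v]) => `${k}=${v}`).join('; ') : '';
  }

  // Store a Set-Cookie header received from `host` (attributes ignored).
  store(host, setCookie) {
    if (!setCookie) return;
    const pair = setCookie.split(';')[0];
    const eq = pair.indexOf('=');
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
}

// A site that sets a session cookie and records what Cookie header it got.
function firstPartySite(name) {
  return {
    cookiesReceived: [],
    handle(req) {
      this.cookiesReceived.push(req.cookie);
      return { setCookie: `session=${name}-secret; Path=/` };
    },
  };
}

// The adserver: assigns a uid cookie on first contact, then logs which
// site each known uid was browsing (from the Referer of the banner request).
function adServer() {
  let next = 1;
  return {
    log: [],
    handle(req) {
      const m = /(?:^|; )uid=(\w+)/.exec(req.cookie);
      const uid = m ? m[1] : `u${next++}`;
      this.log.push({ uid, site: new URL(req.referer).hostname, cookieReceived: req.cookie });
      return { setCookie: m ? undefined : `uid=${uid}; Path=/` };
    },
  };
}

// One page view: fetch the page from its site, then the banner it embeds
// from the adserver, sending each host only its own cookies.
function browse(jar, servers, siteHost, pagePath) {
  const page = servers[siteHost].handle({ cookie: jar.cookieHeaderFor(siteHost), referer: '' });
  jar.store(siteHost, page.setCookie);
  const banner = servers['ads.example'].handle({
    cookie: jar.cookieHeaderFor('ads.example'),
    referer: `http://${siteHost}${pagePath}`,
  });
  jar.store('ads.example', banner.setCookie);
}

function demo() {
  const servers = {
    'site-a.example': firstPartySite('a'),
    'site-b.example': firstPartySite('b'),
    'ads.example': adServer(),
  };
  const browser1 = new CookieJar();
  browse(browser1, servers, 'site-a.example', '/news.html');
  browse(browser1, servers, 'site-b.example', '/forum/');
  browse(browser1, servers, 'site-a.example', '/sports.html');
  const browser2 = new CookieJar();               // a different user
  browse(browser2, servers, 'site-b.example', '/forum/');

  const ads = servers['ads.example'];
  const profile = {};
  for (const e of ads.log) (profile[e.uid] = profile[e.uid] || []).push(e.site);
  return {
    profile,                                       // what the adserver now knows
    adserverSawSessionCookie: ads.log.some((e) => e.cookieReceived.includes('session=')),
    siteASawAdsCookie: servers['site-a.example'].cookiesReceived.some((c) => c.includes('uid=')),
    browser1AdsCookie: browser1.cookieHeaderFor('ads.example'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Blocking third-party cookies (cookies set by a host other than the page you are on) is what breaks this particular chain; note that it does nothing against the log-based or web-bug tracking described earlier.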