Author Topic: Whitehouse.gov tracks users with an invisible image  (Read 5336 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Whitehouse.gov tracks users with an invisible image
« on: January 02, 2006, 01:25:44 pm »
They use a technique generally used by ad sites and other malware:

Quote
The White House's site uses what's known as a Web bug — a tiny graphic image that's virtually invisible — to keep track anonymously of who's visiting and when. The bug is sent by a server maintained by an outside contractor, WebTrends Inc., and lets the traffic-analysis company know that another person has visited a specific page on the site.

http://www.globetechnology.com/servlet/story/RTGAM.20051230.gtbugs1230/BNStory/Technology/

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Whitehouse.gov tracks users with an invisible image
« Reply #1 on: January 02, 2006, 07:51:01 pm »
Perhaps I'm missing something these days, but how is this any different then simply looking at the web server logs?
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #2 on: January 02, 2006, 08:03:26 pm »
It's generally done by somebody who doesn't have access to the logs.  In this case, I believe they said it's being done by a different site, and is generally used for wide statistical analysis. 

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Whitehouse.gov tracks users with an invisible image
« Reply #3 on: January 02, 2006, 08:12:44 pm »
Uh huh, and its not like the whitehouse.org site couldn't do it themselves so I don't get what the big deal is? Its not something evil but the story makes it out to be that way.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #4 on: January 02, 2006, 08:50:22 pm »
Oh, I should also mention that this is used to track users over different sites using cookies and the "referer: " field.  Knowing where a user has been before and after your site, and their entire browser history for sites that use this, are largely considered a violation of privacy.  I don't know about you guys, but I don't like the idea of the Government (or anybody else) tracking where I've been. 

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Whitehouse.gov tracks users with an invisible image
« Reply #5 on: January 02, 2006, 08:50:56 pm »
I wrote something like that on my old random avatar. :)
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #6 on: January 02, 2006, 09:29:12 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Whitehouse.gov tracks users with an invisible image
« Reply #7 on: January 02, 2006, 09:31:53 pm »
AFIAK cookies can't work cross-domain so I don't get how that can be used for tracking. Referer only shows the last site you visited and thats only if you click a link for the site on the last site. Both of these are standard things for browsers to do. It seems sorta silly to be sending a webserver such information and then bitch when someone decides to analyze it. Basically if you don't want to share limited information fix your browser and don't complain about what said website does.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Whitehouse.gov tracks users with an invisible image
« Reply #8 on: January 02, 2006, 09:35:04 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

That would be neat to implement as a backup in forum software.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #9 on: January 02, 2006, 09:50:58 pm »
AFIAK cookies can't work cross-domain so I don't get how that can be used for tracking.

The image is always hosted on the same site, and the referer is the site that includes the cookie. 

So say www.x86labs.org and www.valhallalegends.com were both being tracked by evilsite.com.  They would both have <img src="http://www.evilsite.com/evil.gif" width=0 height=0 /> on their page.  If somebody visited www.x86labs.org, they would receive a cookie from www.evilsite.com, when they request the image.  When they visit www.valhallalegends.com, they see the image again, and send the cookie they have for www.evilsite.com.  In both cases, the referer: for the request is set to the site that the user is visiting. 

With that, the user can be tracked across multiple sites without their knowledge.  Most browsers block cookies like that now (IE and FireFox and others), but it shouldn't be up to the browser to stop a Government site from tracking me. 


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #10 on: January 02, 2006, 09:51:28 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

That would be neat to implement as a backup in forum software.

Yeah, but it involves some abuse of protocols.  It's not really proper :)

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Whitehouse.gov tracks users with an invisible image
« Reply #11 on: January 02, 2006, 10:24:30 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

That would be neat to implement as a backup in forum software.

Yeah, but it involves some abuse of protocols.  It's not really proper :)

That's why you make it an option.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Whitehouse.gov tracks users with an invisible image
« Reply #12 on: January 02, 2006, 10:25:54 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

That would be neat to implement as a backup in forum software.

Yeah, but it involves some abuse of protocols.  It's not really proper :)

That's why you make it an option.

It's still not a good idea to implement.  It can be considered a browser vulnerability, and that's not something that should be used anywhere other than a PoC.