Author Topic: Whitehouse.gov tracks users with an invisible image  (Read 3848 times)

Offline iago

Whitehouse.gov tracks users with an invisible image
« on: January 02, 2006, 01:25:44 pm »
They use a technique generally used by ad sites and other malware:

Quote
The White House's site uses what's known as a Web bug — a tiny graphic image that's virtually invisible — to keep track anonymously of who's visiting and when. The bug is sent by a server maintained by an outside contractor, WebTrends Inc., and lets the traffic-analysis company know that another person has visited a specific page on the site.

http://www.globetechnology.com/servlet/story/RTGAM.20051230.gtbugs1230/BNStory/Technology/

Offline zorm

Re: Whitehouse.gov tracks users with an invisible image
« Reply #1 on: January 02, 2006, 07:51:01 pm »
Perhaps I'm missing something these days, but how is this any different than simply looking at the web server logs?
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #2 on: January 02, 2006, 08:03:26 pm »
It's generally done by somebody who doesn't have access to the logs.  In this case, I believe they said it's being done by a different site, and is generally used for wide statistical analysis. 

Offline zorm

Re: Whitehouse.gov tracks users with an invisible image
« Reply #3 on: January 02, 2006, 08:12:44 pm »
Uh huh, and it's not like the whitehouse.org site couldn't do it themselves so I don't get what the big deal is? It's not something evil but the story makes it out to be that way.

Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #4 on: January 02, 2006, 08:50:22 pm »
Oh, I should also mention that this is used to track users over different sites using cookies and the "referer: " field.  Knowing where a user has been before and after your site, and their entire browser history for sites that use this, are largely considered a violation of privacy.  I don't know about you guys, but I don't like the idea of the Government (or anybody else) tracking where I've been. 

Offline Blaze

Re: Whitehouse.gov tracks users with an invisible image
« Reply #5 on: January 02, 2006, 08:50:56 pm »
I wrote something like that on my old random avatar. :)
And like a fool I believed myself, and thought I was somebody else...

Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #6 on: January 02, 2006, 09:29:12 pm »
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/

But it would be able to remember users who had changed ip's and cleared cookies. :)

Offline zorm

Re: Whitehouse.gov tracks users with an invisible image
« Reply #7 on: January 02, 2006, 09:31:53 pm »
AFAIK cookies can't work cross-domain so I don't get how that can be used for tracking. Referer only shows the last site you visited and that's only if you click a link for the site on the last site. Both of these are standard things for browsers to do. It seems sorta silly to be sending a webserver such information and then bitch when someone decides to analyze it. Basically if you don't want to share limited information fix your browser and don't complain about what said website does.

Offline Quik

Re: Whitehouse.gov tracks users with an invisible image
« Reply #8 on: January 02, 2006, 09:35:04 pm »
Quote from: iago
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/
But it would be able to remember users who had changed ip's and cleared cookies. :)

That would be neat to implement as a backup in forum software.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #9 on: January 02, 2006, 09:50:58 pm »
Quote from: zorm
AFAIK cookies can't work cross-domain so I don't get how that can be used for tracking.

The image is always hosted on the same site, and the referer is the site that includes the cookie. 

So say www.x86labs.org and www.valhallalegends.com were both being tracked by evilsite.com.  They would both have <img src="http://www.evilsite.com/evil.gif" width=0 height=0 /> on their page.  If somebody visited www.x86labs.org, they would receive a cookie from www.evilsite.com, when they request the image.  When they visit www.valhallalegends.com, they see the image again, and send the cookie they have for www.evilsite.com.  In both cases, the referer: for the request is set to the site that the user is visiting. 

With that, the user can be tracked across multiple sites without their knowledge.  Most browsers block cookies like that now (IE and Firefox and others), but it shouldn't be up to the browser to stop a Government site from tracking me.
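Seen from the auditing side, the setup described in the post above can be spotted in a page's HTML. This is an added example, not part of the original thread: it flags images that are served from a different host than the page and are tiny or hidden, then lists hosts embedded that way on more than one site. The sample pages are constructed, and "third-party" is assumed to mean an exact hostname mismatch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def _px(value):  # leading integer of '0' / '1px'; None if absent
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        if host is None or host == self.page_host:
            return  # first-party image: the site sees this in its own logs anyway
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append((host, src))

def find_web_bugs(page_url, html):
    """Return (host, url) for every invisible third-party image on the page."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def shared_trackers(pages):
    """Tracker host -> sites embedding it, for hosts seen on two or more sites."""
    seen = {}
    for url, html in pages.items():
        for host, _src in find_web_bugs(url, html):
            seen.setdefault(host, set()).add(urlparse(url).hostname)
    return {t: sorted(s) for t, s in seen.items() if len(s) > 1}

# Constructed sample pages; BUG is the tag quoted in the post above.
BUG = '<img src="http://www.evilsite.com/evil.gif" width=0 height=0 />'
PAGES = {
    "http://www.x86labs.org/": '<img src="/spacer.gif" width=1 height=1>' + BUG,
    "http://www.valhallalegends.com/": '<img src="http://www.x86labs.org/a.png" width=88>' + BUG,
}
```

A host returned by `shared_trackers` is one that receives a request, with the embedding page as referer, from every listed site.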


Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #10 on: January 02, 2006, 09:51:28 pm »
Quote from: iago
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/
But it would be able to remember users who had changed ip's and cleared cookies. :)
Quote from: Quik
That would be neat to implement as a backup in forum software.

Yeah, but it involves some abuse of protocols.  It's not really proper :)

Offline Quik

Re: Whitehouse.gov tracks users with an invisible image
« Reply #11 on: January 02, 2006, 10:24:30 pm »
Quote from: iago
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/
But it would be able to remember users who had changed ip's and cleared cookies. :)
Quote from: Quik
That would be neat to implement as a backup in forum software.
Quote from: iago
Yeah, but it involves some abuse of protocols.  It's not really proper :)

That's why you make it an option.

Offline iago

Re: Whitehouse.gov tracks users with an invisible image
« Reply #12 on: January 02, 2006, 10:25:54 pm »
Quote from: iago
Haha, I used to use images to track users that had cookies disabled.  I think I left my PoC at work, sadly. :-/
But it would be able to remember users who had changed ip's and cleared cookies. :)
Quote from: Quik
That would be neat to implement as a backup in forum software.
Quote from: iago
Yeah, but it involves some abuse of protocols.  It's not really proper :)
Quote from: Quik
That's why you make it an option.

It's still not a good idea to implement.  It can be considered a browser vulnerability, and that's not something that should be used anywhere other than a PoC.