back to article Sneaky fingerprinting script in Microsoft ad slips onto StackOverflow, against site policy

StackOverflow, a popular resource for developers looking for code to copy and paste solutions to tricky programming issues, has been found to be serving an ad complete with JavaScript code intended to track users regardless of their privacy choices. A user (Gregg Man from the Google Chrome developer team) noticed the issue …

  1. alain williams Silver badge

    Noscript to the rescue

    Stunts like this (intentional or not) will ensure that I will not white-list sites that try it on.

    1. bombastic bob Silver badge
      Devil

      Re: Noscript to the rescue

      true - and if you need NoScript _OFF_ for some reason, like testing your OWN web pages [don't get me started on web devs and glass houses] you can do what _I_ do, at least on Linux or FreeBSD with Xorg [not Wayland]:

      a) enable the '-listen_tcp' option (or similar, whichever one)

      b) enter 'xhost +localhost' in a console with X running

      c) 'su - guestuser' [or whatever] in an X bash session console

      d) export DISPLAY=localhost:0.0 in the 'guestuser' session

      e) run your browser

      this will sandbox the browser with 'guestuser'. just configure the browser (firefox) to DESTROY ALL HISTORY AND CACHES on the way out. No cookies, no fingerprints, no nothing.

      then if you need a scripty-site loaded, you can have this nice sandbox to play with it in. And you exit the browser, and it flushes EVERYTHING, and you have a nice clean loo... er, BROWSER the next time you load up some CRAPPY script-ridden web site.

      1. Donn Bly

        Re: Noscript to the rescue

        Or use sandboxie if you are testing with Windows platforms.

      2. Nate Amsden Silver badge

        Re: Noscript to the rescue

        I have used this on Linux for as long as I can remember, currently with Palemoon(as my daily driver browser)

        ---

        sudo -u firefox -H VDPAU_NVIDIA_NO_OVERLAY=1 /usr/local/palemoon/palemoon %u

        ---

        I have a script that runs when I login (using Linux Mate) to gnome(on X11):

        --

        #!/bin/bash

        gsettings set org.mate.peripherals-mouse middle-button-enabled true

        xhost +si:localuser:firefox

        ---

        forgot what that VDPAU_NVIDIA_NO_OVERLAY is for but it was probably important at one time for me (I do use Nvidia video cards)

        Also forgot what that gsettings command and the specifics around xhost +si that I am using(other than I believe it is more secure than just opening xhost to a wider audience),it was setup so long ago now.

        Only issue is sometimes I have to manually adjust permissions on files if I am uploading or downloading files, and of course it can't access my $HOME so if I need to upload something from there I normally just copy it to /tmp (single user machine so not worried about any other logged in users)

        1. bombastic bob Silver badge
          Linux

          Re: Noscript to the rescue

          'si:' on xhost means 'server interpreted' according to the man page

          it's apparently for a network interpreted name, and the final ':firefox' is a specific user name

          it's not a syntax i was familiar with, so i was curious and looked it up

  2. pavel.petrman

    uMatrix is a must have

    uMatrix plus Decentraleyes et al are a must have to ensure that every damn bloated website works at least to a degree but all these fingerprinting and data-slurping nasties stay where they belong*. Google fighting these efforts ruthlessly in Chrome seems only logical, if sad. Don't be evil, yes.

    (* my analysis, though, shows that no-one should feel completely protected regardless of how well their defenses were built yesterday)

  3. elDog

    Anyone know why javascript is even allowed in static pages?

    There should be no need to develop dynamic HTML via JS or to communicate with the Mother Ship.

    While uBlock is wonderful, by the time I've selectively allowed enough of the JS modules to be imported to be able to use a site I've probably let in a few baddies.

  4. Wibble

    Why do any ads need to run JS?

    1. Anonymous Coward
      Anonymous Coward

      That monkey ain't gonna punch itself.

    2. Mark 85 Silver badge

      Why? To track you and target you. I find it rather ironic that a Google developer called this out though.

      1. MatthewSt
        Mushroom

        Because it was an ad for a Microsoft service...

    3. bombastic bob Silver badge
      Black Helicopters

      1. it justifies the existence of web "developers"

      2. it allows them to do nefarious things to track you

      3. it offloads THEIR processing onto YOUR computer

      this is just the beginning of a nefarious plot to STEAL from you, your privacy, your CPU cycles, your bandwidth, yotta yotta yotta.

  5. Anonymous Coward
    Anonymous Coward

    Copying and pasting code is so last decade

    Real programmers link directly to that code.

  6. Crisp

    Disrupting the business model of sites that you value

    What about disrupting the computers of the people that visit those sites?

    Millions of users get affected by malicious code served by advertisers.

    AdBlocking only affects the sites you choose to block.

    1. The Dogs Meevonks Silver badge

      Re: Disrupting the business model of sites that you value

      I block everything... I don't whitelist anything and I only allow specific and essential JS to run if it's not ad related.

      If that means a site is broken and I cannot view their content... I simply never use that site again.

      1. Loyal Commenter

        Re: Disrupting the business model of sites that you value

        If that means a site is broken and I cannot view their content... I simply never use that site again.

        That, or hit F12 to open the dev console and add the display:hidden attribute to all the popovers that try to cover the screen when scripts are disabled. Independent, I'm looking at you...

        1. ArrZarr Silver badge
          Pirate

          Re: Disrupting the business model of sites that you value

          I just delete the elements straight up, no need to tinker with the obfuscation when you can just rip it out at the roots.

        2. JohnFen

          Re: Disrupting the business model of sites that you value

          Nah.

          If a website refuses to work because of my defenses, then I'd prefer not to use that website even if I can work around it. Such sites proclaim loud and clear that they have no respect or regard for their users, and I want nothing to do with them.

      2. SImon Hobson

        Re: Disrupting the business model of sites that you value

        I simply never use that site again

        Which is all very well if use of that site is optional. There are many of us who for various reasons (legal and contractual) are required to use certain sites. That might be for doing tax returns, or your employer might insist you use a certain third party site for your timesheets, or it may be the only site with information on some topic you are desperately trying to get information on, or ...

        1. eldakka Silver badge

          Re: Disrupting the business model of sites that you value

          That might be for doing tax returns,
          Since that'd be a government web site (the only one you'd have to use to do tax returns, assuming they don't allow paper filing and/or it is not being done by your accountant who is the one who interacts with the website...) then that probably doesn't matter, as they have everything they'd need from their local intelligence agency (NSA, GCHQ, whoever it is).

          or your employer might insist you use a certain third party site for your timesheets,
          in which case you'd be using your employers computer with your employers standard image on it, right? Do you care if your employers computer is fingerprinted? I don't, not my problem. And, since I'm sitting behind a proxy and firewall on one of, oh, ~15000 identical computers with the same hardware from the same vendor with the same SOE with no ability to install additional software (let alone system components like drivers) with only a few differences in individual user preferences (e.g. resolution), then I'd probably have the same 'work' fingerprint as 5k other devices. Again, it's a work computer, I don't give a flying fcuk about it. Even if it is 'your' computer you use for work (e.g. a contractor), then you do use a separate, disposable (in terms of O/S, there a problem, just re-image it) computer than your personal computer, right?

          or it may be the only site with information on some topic you are desperately trying to get information on
          Assuming there was no other way to get it, at all, that's what VMs via a VPN are for, or, if you are really paranoid, a separate physical machine (e.g. a chromebook or some other cheaparse computer/old computer) - still using a VPN - with the vendor-default O/S image (i.e. you haven't customised it at all so the fingerprint will be that of a million other computers) that you can just re-image after you've visited those sites (using the vendor supplied re-image options).

          There are ways and means, it just depends on how far you are willing to go before you personally evaluate the trade-offs and effort involved whether it is worth it or not.

          1. SImon Hobson

            Re: Disrupting the business model of sites that you value

            Since that'd be a government web site (the only one you'd have to use to do tax returns...) then that probably doesn't matter, as they have everything they'd need from their local intelligence agency (NSA, GCHQ, whoever it is).

            Ha, telling the taxman "no I don't need to do a tax return, <insert relevant spook id> can give you all the information you need" is going to result in what ? In the UK, automatic penalties which ramp up in severity and generally a whole lot of pain. It'll also give them an excuse to "open an enquiry" into your affairs, and once they've done that then they can take a fine tooth comb through your finances for quite a few previous years - and if they accuse you of deliberately misrepresenting what tax you need to pay, then that fine tooth comb can, (AIUI) go back decades.

            You can, for most individuals at the moment, still file on paper - but that needs you to do it a lot earlier, and they are slowly closing the bounds of who can still use paper, with them wanting to get to a state where anyone involved in a business at all has to file online and quarterly !

            in which case you'd be using your employers computer with your employers standard image on it, right?

            Wrong. Looking back, going back to pre-internet (at least, outside of academia) days, I've rarely been using an employers computer. And for quite a while and at least the last two jobs, I've been using my own laptop - maybe a bit of "more fool me for using my own when employer should provide it", but at least I get to use MY choice of computer rather than suffering another breakdown being forced to use something that just drives me nuts.

            At my last job, I once had a colleague look up and say something like "you're doing your timesheet aren't you ?" He based his correct guess on the basis of the "colourful language" coming from my direction - the web application was an abomination written in house, and which forced me to fire up a VM as it only worked with Windows and Exploder 6. I did once suggest to the head dev that such constraints were perhaps a bit restrictive - his response was that all the customers used Windows and Exploder, so there was no need to support anything else. It was "interesting" watching from the sidelines as customers started complaining ;-) As an aside to that, another dev, just before he left for somewhere better, fixed the problem that made it Exploder 6 only - it was just a case of adding or removing a ";" A nice leaving present from him to the rest of us !

            There are ways and means, it just depends on how far you are willing to go before you personally evaluate the trade-offs and effort involved whether it is worth it or not.

            And in the most part, those options you suggest are getting way beyond what most of us (and certainly the majority of users) are prepared to do.

            So yes, I stand by my suggestion that "if you don't like, just don't use that site" just isn't practical for all sites. Where the bar sits does depend very much on your level of paranoia and your technical abilities - but it's still there for most users.

      3. fobobob

        Re: Disrupting the business model of sites that you value

        It has come to this; as an example of why, I left a machine on overnight with Internet Explorer on the default MSN homepage. Came in the next day to find the anti-virus had nixed a small quantity of malicious JavaScripts at around 4 in the morning.

  7. The Dogs Meevonks Silver badge

    and yet when I try to explain to non techie people why I run something like noscript... they look at you with a confused expression. Normal people simply seem unable to comprehend the lengths that these wankers go to, to steal your data and identify you at any cost... and they do so without any seemingly meaningful repercussions.

    The laws are a joke and the guilty get away with it... and we are treated like shit when we do to try and protect our privacy.

    1. Aussie Doc
      Windows

      Must admit, most of my dealings with 'non techie' folks suggests that all that is thrown at them is seen as 'normal' and they just put up with it.

      I have had people viewing me at one of my systems eg a laptop at a worksite and they can't understand why youtube doesn't play an ad before loading my video, why going to <this or that site> doesn't have all those 'ad things that pop up around the place', why there is no trumpet-playing monkey on <this site> etc etc

      I get a few converts.

      Methinks we are fighting a losing battle at times whilst us in the know still argue over which adblocker/script blocker is better than the other.

      I'm not a prolific user of the phone but I've learned how to root it so I can cut down on a lot of the crap.

      This has all got to be using up user's data all over the globe and costing people somewhere along the line.

  8. Doctor Syntax Silver badge

    "Despite this, JavaScript is in ads is everywhere, making it the responsibility of the publisher and the ad server to protect the user."

    And do we trust them to meet those responsibilities? No. That's why we block JavaScript and one of the reasons we block ads.

  9. Doctor Syntax Silver badge

    "The tracking, advertising and monetization story on the internet is convoluted beyond measure, driven by huge global revenue involved, estimated at $298.1bn in 2019"

    Does this represent value for money for the advertisers? I seriously doubt it. The few ads I see from search engines fall into two categories. One is irrelevant and the other is the exact ting I was looking for which the search thing should have thrown up anyway without the search target paying for it to be put there.

    1. ArrZarr Silver badge
      Boffin

      I would suggest that a good amount of it does represent value for money for the companies paying for the ads.

      Online channels are very "Data rich", you can take a single ad and see exactly how many people saw it, how many clicked on it, how many converted through it etc. That is an impossible task for newspaper ads, billboards, Superbowl ads.

      You also get different types. Awareness campaigns are run, I don't think these provide value for money because they have the intent to splurge out as many ads as possible to as many people as possible. Other campaigns will try to get you to buy something directly because there's a sale on.

      SEO vs PPC is difficult. SEO is reliant upon a good number of people visiting the page along with myriad other factors, but highly specific pages are difficult to get ranked because their traffic is comparatively lower. Managing SEO is difficult because Google obfuscates as much of what's going on as possible as part of their work on getting people to stop gaming the system

      PPC gives the advertiser a lot more control over exactly when and where they want a very specific ad to appear to get the searcher - Size 12 red dress can go directly to a dynamic search page which wouldn't necessarily have ever been seen by a search engine's scraping bot.

      There is also a certain amount of irony in those who block any tracking to the extent that Google et al. have a minimal view of you as a person and then saying that the results they get are irrelevant.

      1. Doctor Syntax Silver badge

        "you can take a single ad and see exactly how many people saw it, how many clicked on it, how many converted through it etc."

        Can it also tell you how many were pissed off by seeing that ad yet again? How many were so pissed off they decided there and then that they'd never buy anything more from that advertiser?

        Look again at what you wrote. Look carefully. Think about it. The only "data" in what you listed is the data the advertising industry uses to flog advertising services to the clients. What's more they're probably charging the clients to be provided with that "data".

  10. Doctor Syntax Silver badge

    "although it looks like a static banner advertising Microsoft Azure with a link, the fingerprinting code is running in the background."

    And what do Microsoft have to say about it?

    Let me guess:

    Rogue 3rd party advertising agency.

    A former member of staff.

    We take your/cusotmers'/the Universe's privacy seriously.

    Only a few people affected.

    Lessons learned.

    Steps taken to prevent a repeat.

    Next time it'll be better obfuscated - oops, that's what we really meant but it slipped out accidentally.

    1. Anonymous Coward
      Anonymous Coward

      Things left unsaid

      While the headline clearly says Microsoft, the text seems to state a Google engineer found that the Google ad network served up ads that violated Stack Exchanges advertiser policy. No mention was made where these trackers were pointing, so by the text we have no way to know who is actually responsible for this tangled web. The ads graphics may have been recycled by whoever launched the tracker, or this would have had to been a chain of failures and bad actors, from the creator of the campaign, (M$ or otherwise) to Google passing the ad though its network(and taking its cut of the profits) and Stack failing to detect and filter the adds until the fingerprinting code was discovered by and external researcher.

      So many levels of fail. All because of the packrat's den that HTML and the modern web is.

  11. SVV

    Nasty code served up on StackOverflow?

    Isn't that their job?

    They probably could have been alerted to this earlier, when the post appeared with the title "Need to develop evil privacy busting Javascript web tracker. Please advise complete solution?".

  12. SimonC

    > ...has previously stated that its policy "includes but is not limited to running only static, non-animated banner[s],...

    Recently they've been testing advertising which includes animated banners, with a discussion here: https://workplace.meta.stackexchange.com/questions/6157/were-testing-advertisements-on-the-workplace#comment19633_6157 they are apparently 'investigating types of banner'.

    1. stiine Silver badge
      Meh

      its their site

      As long as they're up-front about it.

  13. JohnFen

    This sort of thing

    This sort of thing is one of the main reasons why I do not allow JavaScript to run by default. The #1 reason why I don't is security.

  14. Dwarf

    All I can say is that its a good job that El Reg, like other sites I visit don't seem to have adverts ... At least none show on my machines :-)

    .. and if anything annoying slips through, right click, block element .. bye !!

  15. eldakka Silver badge
    Facepalm

    StackOverflow has previously stated that its policy "includes but is not limited to running only static, non-animated banner[s], keeping all ads relevant to software development, not participating in real-time bidding or selling our inventory to ad networks. We are not selling user data or targeting ads to you based on any personally identifiable user data."
    And then they go and allow 3rd parties to run arbitrary Javascript in visitors browsers? That policy isn't worth the bits it takes to transmit it.

    the site claims that "Every single ad to appear on any of our sites is vetted by the operations team."
    Exhibit A seems to contradict that statement m'lord.

  16. Rich 2

    Ha ha ha

    A user (Gregg Man from the Google Chrome developer team)....

    Oh, the irony!

  17. hshsb

    Protect your browser fingerprints as a user

    There is no way web developers and advertisers would behave ethically regarding fingerprint usage. There are no regulations similar to GDPR here, unfortunately.

    Instead, you should protect your fingerprint information as a user with additional software:

    https://medium.com/@kameleo/browser-fingerprints-why-does-that-one-ad-follow-you-even-when-youre-in-incognito-mode-d5594277baae

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like