Ghostery addon: ghostRank _CAN_ leak "personally identifiable" details

Discussion in 'privacy problems' started by inka, Oct 30, 2013.

Thread Status:
Not open for further replies.
  1. inka

    inka Registered Member

    Oct 21, 2009
    During past wilders discussions, I stated that I periodically audit the code of browser addons that I use
    and I reported that ghostery's code was "clean".
    The version I had previously audited was ghostery-2.7.1-sm+fx.xpi

    Tonight, when I skimmed the content of (did not fully audit) Ghostery v5.0.5 for firefox
    I discovered something new, and unsettling
    ghostrank.js : line 113
    census_url = '' +
    '?bid=' + encodeURIComponent(bug.aid) + // company app ID
    '&apid=' + encodeURIComponent(bug_id) + // app pattern ID
    '&d=' + encodeURIComponent(host_with_pathname) +
    '&src=' + encodeURIComponent(bug_url) +
    Although the querystring is is stripped from the reported pageview URL and bug_url...
    if a site is employing mod_rewrite (ala "seo-friendly" urls)
    a segment of the path may well contain a session-specific identifier
    for instance:
    hxxp:// / 1234sessonID5678 /ad_asset.gif

    In this scenario, if you are logged in to a site, and an ad "known" to Ghostery is encountered
    (per the content of the Ghostery "bugdb.js" and "lsodb.js" files)
    the ghostrank telemetry would convey that:
    -- YOU, PERSONALLY had been served the ad (or lso, or widget)
    -- the exact page into which the ad had been served
    -- whether or not the ad displayed in page "above the fold"
    (not evident in the code snippet i pasted, but this detail is explicitly captured)
    -- based on your rules in effect, whether or not the ad had (or had not) been blocked from display
    -- whether the ad was blocked "with malice" (specifically) or as the result of a "checkmark all" rule

    Even if you are not logged to the ad-laden site during a given pageview...
    based on the collected ghostrank details, even your kid sister could later correlate that hit with your IP or other fingerprinting details if you do, eventually, login to that site.
    (not pickin' on yer l'il sister, bubba -- it's a wordplay on BigBrother)

    If you are tempted to split hairs by arguing that a sessionID is not a "personally identifiable" detail, save your breath.

    It is what it is.
    No, I haven't often seen "seo-friendly" -crafted, personalized ad URLs...
    ...but, with a userbase of over 900,000 Ghostery installs, Evidon may be tempted to collude with advertisers, encouraging their clients to utilize (cough, cough) "seo-friendly" URLs when serving ad assets.

    To be clear:
    In this newer version of Ghostery, ghostrank telemetry is still disabled by default
    (until and unless you checkmark "opt in")
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    That snippet you posted looks interesting. Just thinking out loud, if I may...

    - Theoretically at least, a "bug" could be specific to certain institutions and/or contexts. Thus I would consider even the bug "company app ID" and "app pattern ID" potentially revealing.
    - I would be concerned about any hostnames being phoned home. Even if the objective is to capture the bug server rather than the site the user is visiting, many sites map third-level domains to ad/bug servers.
    - Should there be questions about what would get phoned home in practice, one could modify things so the phoning home doesn't happen but that info gets dumped to the console.
    - I wish we had interns we could punt test work to (lol).
Thread Status:
Not open for further replies.