Ghostery addon: ghostRank _CAN_ leak "personally identifiable" details

During past wilders discussions, I stated that I periodically audit the code of browser addons that I use
https://www.wilderssecurity.com/showthread.php?t=348995
and I reported that ghostery's code was "clean".
The version I had previously audited was ghostery-2.7.1-sm+fx.xpi

Tonight, when I skimmed the content of (did not fully audit) Ghostery v5.0.5 for firefox
I discovered something new, and unsettling
ghostrank.js : line 113

Code:

census_url = 'https://l.ghostery.com/api/census' +
'?bid=' + encodeURIComponent(bug.aid) + // company app ID
'&apid=' + encodeURIComponent(bug_id) + // app pattern ID
'&d=' + encodeURIComponent(host_with_pathname) +
'&src=' + encodeURIComponent(bug_url) +

Although the querystring is is stripped from the reported pageview URL and bug_url...
if a site is employing mod_rewrite (ala "seo-friendly" urls)
a segment of the path may well contain a session-specific identifier
for instance:
hxxp:// site.com / 1234sessonID5678 /ad_asset.gif

In this scenario, if you are logged in to a site, and an ad "known" to Ghostery is encountered
(per the content of the Ghostery "bugdb.js" and "lsodb.js" files)
the ghostrank telemetry would convey that:
-- YOU, PERSONALLY had been served the ad (or lso, or widget)
-- the exact page into which the ad had been served
-- whether or not the ad displayed in page "above the fold"
(not evident in the code snippet i pasted, but this detail is explicitly captured)
-- based on your rules in effect, whether or not the ad had (or had not) been blocked from display
-- whether the ad was blocked "with malice" (specifically) or as the result of a "checkmark all" rule

Even if you are not logged to the ad-laden site during a given pageview...
based on the collected ghostrank details, even your kid sister could later correlate that hit with your IP or other fingerprinting details if you do, eventually, login to that site.
(not pickin' on yer l'il sister, bubba -- it's a wordplay on BigBrother)

If you are tempted to split hairs by arguing that a sessionID is not a "personally identifiable" detail, save your breath.

It is what it is.
No, I haven't often seen "seo-friendly" -crafted, personalized ad URLs...
...but, with a userbase of over 900,000 Ghostery installs, Evidon may be tempted to collude with advertisers, encouraging their clients to utilize (cough, cough) "seo-friendly" URLs when serving ad assets.

To be clear:
In this newer version of Ghostery, ghostrank telemetry is still disabled by default
(until and unless you checkmark "opt in")

 

That snippet you posted looks interesting. Just thinking out loud, if I may...

- Theoretically at least, a "bug" could be specific to certain institutions and/or contexts. Thus I would consider even the bug "company app ID" and "app pattern ID" potentially revealing.
- I would be concerned about any hostnames being phoned home. Even if the objective is to capture the bug server rather than the site the user is visiting, many sites map third-level domains to ad/bug servers.
- Should there be questions about what would get phoned home in practice, one could modify things so the phoning home doesn't happen but that info gets dumped to the console.
- I wish we had interns we could punt test work to (lol).