Monday, 9 November 2020

Data Stealing: The Next Logical Step for Adblockers

 Depending on what side of the fence you are on you either love AdBlockers or you hate them.  Content creators and such hate AdBlockers.  Their dislike for this software is justifiable, they depend on the revenue that comes from clicks.  As a regular user of the internet though it can be quite jarring too see all the adds on a website, or be watching an interesting video and then you are subjected to a 3 min video about a new truck.

Even popular services like Twitch are working to combat AdBlockers [2].

I personally have been using adblockers and utilities like Pi-hole for so long that when I see a Youtube add I actually have to pause for second because it has been so long since I have seen an add.  I literally kind of forget that adds are a thing.

Recently though it has been discovered that some adblockers were actually be used to steal data [1].

In this blog I'm going to dive into how AdBlockers tempt folks to steal data.

I'm surprised we haven't heard about data being stolen from AdBlockers sooner honestly.  If you think about it, from a high level, AdBlockers act as middle men between your communication from your browser and the website.  When aAdblocker detects a script that smells like an add it stops the script from running.  So why am I not surprised AdBlockers are being used maliciously?  Well if the software is going through the work of detecting "add" scripts, why not go the extra step of tracking user data?  

Data = $

Maybe it is my google bubble but most of the research links that came up revolved around how to circumvent adblockers.  Even more evidence that people are invested in getting around your browser plugins.

I did find an interesting article describing a technique [3] that web developers use to detect if you are using an ad blocker.  To summarize the article you plant a dummy javascript on your site and if the script is triggered by an adblocker it will fire up an alert.  This is likely the method that is in play when you are moving around the internet and you get a window that comes up "Hey why are you using adblocker?! We need money too!!"

 


The most popular way to get adds on your website fast is using Google Adsense.  If your website is in compliance with the rules that Google has set, then you are allowed to begin participating in the program.  Above is an example of adsense code that is inserted into your website.

This code isn't particularly complicated.

It's a script that exists somewhere in your website code and when visitors land on your page they will be presented with the add that is linked in the script.

Adblockers work in a similar way in that they are in themselves a script that analyzes the website code(similar to how webscrapers work).  The script looks to see if particular patterns are met and then prevents that script from running.

That brings me to the whole point of this article.  If an adblocker is already set up as a middle man analyzing a website before you land on it, wouldn't it be a simple step to add another line of code that sends page stats that you are on to a server somewhere else?

Imagine if 300,000 people are using your adblocker.  You are a smart coder with gumption and you understand that data has value.  300,000 regular users is nothing to turn your nose up at.  A person could sell that data.  The temptation is real.  From a monetary standpoint I can see why people would do it.  From an ethical standpoint I think it is flat out wrong.

What can you do?

Well honestly, read.

Often the best strategy to understanding the security of software is to read about it before you install it.

- Are there reviews?

- Do reviews trigger any ethical red flags for you?

- Is the developer up front about what and how they are using your data?

- Or......stop being an early adopter (I feel like I could write a whole article about early adopters).  The benefit of waiting a bit is that you can read reviews and see what people say.  Why do those tests on on your own systems when you can let other people do the work for you?

- Run apps you want to test in a virtual environment

Educate yourself on the applications you are using because nothing is free.  That free app you downloaded is getting paid somehow, likely by selling your data.

Thanks,

Reference:

[1] https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/

[2] https://www.theverge.com/2020/9/15/21437787/twitch-midroll-ad-affiliate-partner-cpm

[3] https://medium.com/javascript-in-plain-english/detecting-an-ad-blocker-using-javascript-d488b794e5c7

No comments:

Post a comment