pentacles, magic

A nice cup of rabies

Rantings with occasional art.

Previous Entry Share Next Entry
return of the linkjack code
geeky, spider8483
shatterstripes
Quiet as a mouse, there's a new version of the DrivingRevenue code being served on LJ. This change is, of course, not reflected in the latest LJ News post or the latest LJ code release post. And any attempt to bring this up on those posts is probably going to get completely buried under the deluge of "OMG I CAN BUY TEN THOUSAND ICON SLOTS ♥♥♥♥"

This code is much more complex. It's also not obfuscated, which is nice. It also seems to be doing a lot more processing on the remote end - there's no more juicy list of strings to pull out and see just what sites it's linkjacking.

It's even got a credit for a MIT-licensed URL parser it's using. So hooray for not, you know, tripping every single alert in my head that this is probably malicious code within the first ten seconds of looking at it. It's still of dubious ethics but at least it's not acting like it's got tons to hide, you know?

A quick dig into the code shows that it does this:
1. Wake up and get a list of every single link on the page.
2. Send this list to http://outboundlink.me/anxo/dr_ta_1/dr_rwl_v2.php
3. Get back a list of which URLs need to be fuzzled with.
4. Attach code to every single link; upon pressing 'return' or clicking the mouse on the link, check if it's in the list in step 3, and change it.

It also seems to be repeatedly asking outboundlink.me for this data at random intervals. Oh, no, I see: when you roll over a link it'll query outboundlink.me as to what should be done with it. Sneaky sneaky sneaky.

It is not presently stripping Amazon affiliate IDs, nor is it inserting new ones. It is however Doing Things: an unaffiliated link to China Miéville's upcoming book gets turned into a monstrosity like file:///Users/egypt/Desktop/Friends.html?dr_log=-1&linkout=http%3A//www.amazon.com/Kraken-China-Mieville/dp/034549749X/ upon cut-and-paste. (where 'file:///Users/egypt/Desktop/Friends.html' is the URL of whatever page you'e viewing).

DrivingRevenue also seems to have learned from the mistakes we found; the crittersbythebay.com problem is no more. I guess they have somewhat more robust code for deciding which links should be munged running on their own server than they were able to kludge up in their original Javascript.

Looks like you can stop most of these shenanigans by blocking outboundlink.me. And http://l-stat.livejournal.com/js/pagestats/DR_v4u.js - hell, maybe just disallow all Javascript from LJ if they're gonna keep pulling crap like this without saying a damn thing. Actually if you wanna block this I'd suggest blocking outboundlink.* - they've switched from .net to .me, and will probably switch to some other top-level domain as they keep getting noticed. I'm just blocking anything from http://l-stat.livejournal.com/js/pagestats/ myself.

I really need to sit down and figure out the roadblocks to moving my posting habits to Dreamwidth. Let's see: lost some icon associations upon import, need to find out what'll happen if I try a re-import, XJournal needs a little expanding to deal with multiple services. That's about it.

(thanks to foxfirefey for the heads-up on the return of this stuff.)

  • 1
Heh. I was just refreshing after adding some adblock filters to remove this muppetry, wondering when you'd post an update... And here we are! :-D

Oh, and a note: This crap showing up might be related to the fact that LJ is now letting paid and permanent users embed Google Analytics tracking in their journals; drivingrevenue/outboundlink is supposedly owned by Google. I have, however, not turned this feature on, nor, probably have you - so why would we be seeing this code included?

…Aaaand, nope. I just turned on Analytics and I'm seeing a completely different snippet of code coming in at the end of the pages for handling that. So, um, yeah, hello linkjack code, nice to see you again, you're looking a lot healthier now! Now get the fuck out.

Dear LJ, DrivingRevenue is DrivingUsAway. Thanks for your time, please find a different means of income.

I just updated my Adblock filters.

Going off on a tangent regarding a-la-carte user icon slots, I never understood why people needed or wanted so many. What do people use them for? Mood sets?

Icons can be part of the discourse. And some people just loooove to make them - often folks will declare their love for something by making icons using it. Like, say, someone who loves Final Fantasy N+1 might sit down and make like twenty icons using their favorite character from that.

And, well, if you use icons as part of the discourse, you don't want them to have to vanish when you go from being a huge fan of FFN+1 to being a huge fan of Mister Ninja's Pirate Show, right? Sometimes you're still in a FFN+1 mood and wanna use that, plus you want your old entries to show your FFN+1 phase...

That makes sense. I tend to follow the "message board" paradigm of icon as personal identifier, so haven't put as much effort into alternates. I just don't post enough on LJ to justify paying for them.

I do have the "shmup" tag/icon pair, and could find a use for "art" and "games" icons if I had them. :)

I think you've got a few more slots. If you actually wanted to take the time to make 'em of course. I have a ton because I'll snip them out of my art as often as not. Or make one for something I enjoy, like this animated harpy icon built from La-Mulana's art assets...

It looks like I have four slots free.

Or for evoking favorite scenes from movies, or quoting favorite lines from movies. :}

That's pretty much what I do. (Final Fantasy included. xD) I like to have an individual icon for whatever fandom I'm discussing, and I have a LOT of fandoms...

Another reason people want more userpics is for roleplaying accounts. It's really common to use icons to depict your character's facial expression or mood, so people with more expressive characters like having lots and lots of icons.

so the previous opt out thing, is it still working?

I haven't checked! If you've opted out, then view the source of any LJ page and see if it's got this down near the end:

<div id='hello-world' style='text-align: left; font-size:0; line-height:0; height:0; overflow:hidden;'>
<script type="text/javascript"> var DR_id = 1111; </script>
<script src="http://l-stat.livejournal.com/js/pagestats/DR_v4u.js" type="text/javascript"></script>
</div>


(The inline CSS on the div that contains the script is a touch that makes me giggle. One more bit of obfuscation. Just in case.)

Looks like somebody has never heard of display:none.

Or maybe this is what a "SEO Expert" told them to do in case the script decides to start pumping keywords out. Who knows?

The CSS on that div has *always* been like that, I can assure you. It drove me nuts for the entire last year on anti_aol because I wanted to make it visible somehow and style it (it didn't contain Javascript back then, it was just an empty div styled just the way LJ has it styled now) but without pulling some sort of special s2 magic that I was incapable of working out the code for, I couldn't do jack with it. Just to let you know. Maybe that div was always there for that purpose, thus, that's why it was always styled like that.

Edited at 2010-04-16 10:52 pm (UTC)

Ah, thanks; I guess I just never noticed it when I was poking around last time.

And, huh. Something like
#hello-world {font-size:normal !important; line-height:1em !important; height:auto !important; overflow:visible !important;} didn't work? Local styles override stylesheets, but !important overrides that...

I swear, I thought I tried everything (I last tried, coincidentally, just weeks before LJ inserted JavaScript into it), but maybe I missed something simple that you suggested. My idea was to make it visible, about two inches high, style it to match my blog, then force some content into it via the before: and after: CSS selectors -or something like that. I had all these ideas for trying to get around the hard-coded limitations to give the blog more flexibility... Not that it matters now! :)

Edited at 2010-04-16 11:44 pm (UTC)

Blocking done and dusted. That said, it does seem that, at present, they're just tracking how many people are using referral links within their ljs and on what pages, since the final page doesn't seem to have that issue. It might be that they're planning to start giving people warnings about doing it (iirc, it's technically against t&c isn't it?) or just going to strip out any referral tags people add to stop them generating revenue (which is why I'm curious about how it treats links which already *have* amazon referal tags)

I checked; it's not doing anything to existing Amazon affiliate IDs. I haven't checked anywhere else.

It is, however, doing very weird things when you cut and paste an unaffiliated e-commerce link - it turns it into a link to the page you cut it from, that the Javascript then bounces to the actual target. Very weird.

For people using GlimmerBlocker, I believe the following regular expression will match all outboundlink.* and *.outboundlink.* hosts: (?:.+\.)?outboundlink\.(\w+)

ahhh so this is what it's all about.

I'm very OCD about these things so seeing "transferring data from outboundlink.me" at the bottom of each LJ tab was driving me crazy. Will definitely block it.

Thanks for bringing up the outboundlink.me issue.

So today NoScript popped up, revealing the cookie.

I searched for it on ixquick and found your post.

I am just a common user and appreciate your noting the less-than-transparent manner in which lj slid this in

Here via a quick search after poking around in the news post. Thanks for the explanation of what I started seeing last night. I was able to block some stuff in the console and use Noscript to cut down what's on my end but I am none too pleased that this linkjacking is going on from my journal.

This is the second round of it, to boot. Hit the 'drivingrevenue.net' tag at the bottom of the post for more details than you probably want of how it was working the first time. ("Badly" is the tl;dr version; the code was aggressively obfuscated, made itself more visible, and broke some links.)

I'm peeking around, thanks! This is really bad form on the part of LJ and has the potential to break the trust of a lot of people who share links under friends-lock or the like with no expectation that these will be logged or tampered with.

Thanks for the succinct explanation, too. I've put up a public post on my DW and LJ with links to your post and elsewhere hoping to get this noticed!

Hi, this can be disabled if you run in the console
set opt_exclude_stats 1

here's more details http://community.livejournal.com/no_lj_ads/87881.html

Thanks for the info on what it is and how to block it. I was wondering what the heck that was hanging there in the status line when I wasn't even doing anything. Do Not Want.

Ah, thanks for doing this digging! I noticed the stuff from outboundlink.me tripping my NoScript a couple days ago, and at first thought someone on my flist had embedded something that was looking for script permissions. But, when it didn't go away after more than 20+ entries had scrolled off the first page, I just blocked the damned thing with NoScript then Googled to see what I could find on it. Your entry was the first thing I saw. :)

Blockity block blocked. Thanks for keeping an eye out for this.

Thanks for the heads up - seen this mentioned in a few LJs/DWs already. Won't LJ ever learn to avoid pissing off their userbase? *headdesks*


I'm glad that my default behaviour is to block everything and then selectively allow, because I hadn't actually noticed this until reading my friends list--and then realising that NoScript was spitting out "3/4 scripts partially allowed".

Hey Alice, move over dear...




Hey, Thank you for all your info and help above. I think I understood about PI % of it! :o) Anyhow and

However, if you are one of us (those that don’t have a secure grip on what all this talk is about) and want a bit of protection, try this:

I use FireFox Browser. One of the add-ons is No Script (noscript.net)

I’m 65 and don’t have but the slightest understanding of Computer Security anymore. What I learned was back when we programmed in BASIC. :o) What I do know is that I don’t like Microsoft’s IE.

How No Script works for me:

I go to a website and if I click on something that doesn’t work, I go to my Startbar and click on the NoScript Icon. It gives me a list of all the Scripts that are trying to run. I can,

1 authorize permanently (something I trust such as Livejournal.com)

2 authorize temporarily (if I’m buying something from Amazon but don’t want to make it permanent. Or if someone on LJ posts a youtube video. I Never make youtube permanent, and it isn’t a hassle for me to simply click on the Video each and every time.)

3 block. Such as offermatica.com. If I find out later that I need one of the blocked ones, I can “Temporarily Allow” or “Allow all from: we.are.ur.frined.us” for example.

I also like and use Ghostery which lets me block Ads and counters and such. I don’t want AOHell keeping track of who-what-where I go and then sending that info to a hundred sites that decide that I’d like to see a thousand adds on Jet Propelled Toothpaste Dispensers.

When I find one listed in Ghostery (again, in the Start Bar), I can click on it and go to a sight that tells me what it is about. That way, those that use names that don’t say much, are better explained.

Anyway, all this for the casual novice that accidentally falls down the Rabbit Hole and, like Alice, finds a Mushroom or two that may or may not be useful! :o)




Re: Hey Alice, move over dear...

If you've told NoScript "sure, I trust LJ, let through any Javascript they want to give me", then you'll want to go into its settings and say "um, maybe I don't trust them so much any more"; LJ is abusing our trust of them by serving this tracking/linkjacking stuff themselves.

Which is why I keep feeling like I need to find the time to do all the yak-shaving required to move myself and as much of my social circle as possible to Dreamwidth; LJ is beginning to look less and less like a snark and more and more like a boojum...

Re: Hey Alice, move over dear...




Dreamwidth? I'll check it out... things are getting thin here anyway :o)



Note that blocking outboundlink.me with NoScript screws with using the 'Add Friend' buttons both on someone's userinfo and in the nav bar (I discovered this fun by noticing they didn't work, finding out out I needed to unblock outboundlink.me to make them work, and then googling outboundlink.me to see what was going on).

I use Firefox with NoScript. I mark outboundlink.me as an untrusted site. Period! Of course, after I do that, I must open almost all of LJ's links by right-clicking and opening in a new tab. That is why I have left LJ. Dreamwidth respects, not rapes, its users.

hey, just found this through google 'cause I was so sick of the outboundlink thing. I'm using firefox and when I click on links, no popups appear, but my link doesn't open either. T_T Just am glad that it's not my computer being weird. =\

I have no idea what I'm saying...

User parikala referenced to your post from I have no idea what I'm saying... saying: [...] ink it here too just in case someone hasn't seen it yet. It's... kind of a big security issue according to someone more knowledgeable than me and that's kinda freaky, so...

- - - -

History: Once upon a time, LJ fubbed up a code that would insert their affiliate link to urls without an affiliate number, meaning they would get commission in the event someone followed that link and purchased something from that site. The bad part is that they told NO ONE about it (Sketchy 101), and also that the code was so bad it couldn't distinguish between totallyalinktothebay.com and ebay.com and so a crapton of links were rendered unusable.

Useful links that detail this stuff (because I am technological incompetent):
Noticed some differences in LiveJournal outbound links?
What is LJ doing to my links?
LiveJournal, you fucked up again.
Present: They are, apparently, doing it again. Except, you know. With better coding. Still not on with the telling part, though, which is still sketchy but I'm really linking this because of this part:

The way it does this is an enormous security risk. [...] The problem is that this process involves sending information about these URLs to an outside company as soon as you mouse over the link. Every link you mouse over gets sent. Which means that an enterprising script kiddie with some time on his or her hands could pretty easily intercept the 'GET' requests that the script sends to the outside site, and would know what people linked in f-locked or private entries. Depending on the entry and the URL, the link could have other account information associated with it, which makes scripts like these perfect backdoors if you really want to screw with someone and you know a little code.
Edit: More info written here [...]

Sorry to drag up an old post but I wanted to thank you for this detailed analysis. I found your post after noticing Privoxy going nuts while I was hovering-over links and fetching stuff from outboundlink.net. A few extra rules in the actions file and it is no longer :-)

Cheers!

  • 1
?

Log in

No account? Create an account