
A nice cup of rabies

Rantings with occasional art.

return of the linkjack code
geeky, spider8483
Quiet as a mouse, there's a new version of the DrivingRevenue code being served on LJ. This change is, of course, not reflected in the latest LJ News post or the latest LJ code release post. And any attempt to bring this up on those posts is probably going to get completely buried under the deluge of "OMG I CAN BUY TEN THOUSAND ICON SLOTS ♥♥♥♥"

This code is much more complex. It's also not obfuscated, which is nice. It also seems to be doing a lot more processing on the remote end - there's no more juicy list of strings to pull out and see just what sites it's linkjacking.

It's even got a credit for a MIT-licensed URL parser it's using. So hooray for not, you know, tripping every single alert in my head that this is probably malicious code within the first ten seconds of looking at it. It's still of dubious ethics but at least it's not acting like it's got tons to hide, you know?

A quick dig into the code shows that it does this:
1. Wake up and get a list of every single link on the page.
2. Send this list to
3. Get back a list of which URLs need to be fuzzled with.
4. Attach code to every single link; upon pressing 'return' or clicking the mouse on the link, check if it's in the list in step 3, and change it.

It also seems to be repeatedly asking for this data at random intervals. Oh, no, I see: when you roll over a link it'll query as to what should be done with it. Sneaky sneaky sneaky.

It is not presently stripping Amazon affiliate IDs, nor is it inserting new ones. It is however Doing Things: an unaffiliated link to China Miéville's upcoming book gets turned into a monstrosity like file:///Users/egypt/Desktop/Friends.html?dr_log=-1&linkout=http%3A// upon cut-and-paste. (where 'file:///Users/egypt/Desktop/Friends.html' is the URL of whatever page you're viewing).
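An added example (not code from this post, and not DrivingRevenue's script) that audits a page's link hrefs for the bounce pattern described in the steps above and in the cut-and-paste example: a link that has been pointed back at the current page with dr_log and linkout query parameters, with the real destination hidden in linkout. The page URL is the one quoted above; the sample hrefs and the example.com target are constructed. Runs under Node using the WHATWG URL class.

```javascript
// Added example: detect and unwrap links rewritten into a same-page
// "bounce" URL (page?dr_log=...&linkout=<real target>), as described in
// the post. Not the post's or DrivingRevenue's code; sample data constructed.

const PAGE_URL = 'file:///Users/egypt/Desktop/Friends.html'; // page URL from the post

// Query parameter names seen in the post's example rewritten URL.
const BOUNCE_PARAMS = ['dr_log', 'linkout'];

// Constructed sample hrefs: an ordinary outbound link, an in-page anchor,
// and one link rewritten into the bounce form (target is a placeholder).
const BOUNCED_HREF = PAGE_URL + '?dr_log=-1&linkout=http%3A//www.example.com/book';
const SAMPLE_HREFS = [
  'http://www.example.com/book',
  '#comments',
  BOUNCED_HREF,
];

function parseOrNull(href, base) {
  try {
    return new URL(href, base);
  } catch (e) {
    return null; // malformed href: treat as not a bounce
  }
}

// Returns null for an ordinary link, or an object describing the bounce:
// whether it points back at the page it sits on, the dr_log value, and the
// real target decoded from linkout.
function unwrapBounce(href, pageUrl = PAGE_URL) {
  const u = parseOrNull(href, pageUrl);
  if (!u) return null;
  const hasAll = BOUNCE_PARAMS.every((p) => u.searchParams.has(p));
  if (!hasAll) return null;
  const page = parseOrNull(pageUrl);
  // A rewritten link points at the very page it was copied from.
  const pointsAtSelf =
    page !== null && u.origin === page.origin && u.pathname === page.pathname;
  const target = parseOrNull(u.searchParams.get('linkout'));
  return {
    pointsAtSelf,
    drLog: u.searchParams.get('dr_log'),
    target: target ? target.href : null,
  };
}

// Audit a list of hrefs (e.g. collected from document.links) and report
// which ones carry the bounce pattern and where they really lead.
function auditLinks(hrefs, pageUrl = PAGE_URL) {
  const bounced = [];
  for (const href of hrefs) {
    const b = unwrapBounce(href, pageUrl);
    if (b) bounced.push({ href, ...b });
  }
  return { total: hrefs.length, bounced };
}

console.log(JSON.stringify(auditLinks(SAMPLE_HREFS), null, 2));
```

In a browser the same audit can be run from the console by passing `Array.from(document.links, (a) => a.href)` and `location.href`; the point of `pointsAtSelf` is that the rewritten href looks like an ordinary link to the page you are already on, which is why it is easy to miss until you paste it somewhere else.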

DrivingRevenue also seems to have learned from the mistakes we found; the problem is no more. I guess they have somewhat more robust code for deciding which links should be munged running on their own server than they were able to kludge up in their original Javascript.

Looks like you can stop most of these shenanigans by blocking And - hell, maybe just disallow all Javascript from LJ if they're gonna keep pulling crap like this without saying a damn thing. Actually if you wanna block this I'd suggest blocking outboundlink.* - they've switched from .net to .me, and will probably switch to some other top-level domain as they keep getting noticed. I'm just blocking anything from myself.

I really need to sit down and figure out the roadblocks to moving my posting habits to Dreamwidth. Let's see: lost some icon associations upon import, need to find out what'll happen if I try a re-import, XJournal needs a little expanding to deal with multiple services. That's about it.

(thanks to foxfirefey for the heads-up on the return of this stuff.)

Heh. I was just refreshing after adding some adblock filters to remove this muppetry, wondering when you'd post an update... And here we are! :-D

Oh, and a note: This crap showing up might be related to the fact that LJ is now letting paid and permanent users embed Google Analytics tracking in their journals; drivingrevenue/outboundlink is supposedly owned by Google. I have, however, not turned this feature on, nor, probably have you - so why would we be seeing this code included?

…Aaaand, nope. I just turned on Analytics and I'm seeing a completely different snippet of code coming in at the end of the pages for handling that. So, um, yeah, hello linkjack code, nice to see you again, you're looking a lot healthier now! Now get the fuck out.

Dear LJ, DrivingRevenue is DrivingUsAway. Thanks for your time, please find a different means of income.

I just updated my Adblock filters.

Going off on a tangent regarding a-la-carte user icon slots, I never understood why people needed or wanted so many. What do people use them for? Mood sets?

Icons can be part of the discourse. And some people just loooove to make them - often folks will declare their love for something by making icons using it. Like, say, someone who loves Final Fantasy N+1 might sit down and make like twenty icons using their favorite character from that.

And, well, if you use icons as part of the discourse, you don't want them to have to vanish when you go from being a huge fan of FFN+1 to being a huge fan of Mister Ninja's Pirate Show, right? Sometimes you're still in a FFN+1 mood and wanna use that, plus you want your old entries to show your FFN+1 phase...

so the previous opt out thing, is it still working?

I haven't checked! If you've opted out, then view the source of any LJ page and see if it's got this down near the end:

<div id='hello-world' style='text-align: left; font-size:0; line-height:0; height:0; overflow:hidden;'>
<script type="text/javascript"> var DR_id = 1111; </script>
<script src="" type="text/javascript"></script>

(The inline CSS on the div that contains the script is a touch that makes me giggle. One more bit of obfuscation. Just in case.)

Blocking done and dusted. That said, it does seem that, at present, they're just tracking how many people are using referral links within their ljs and on what pages, since the final page doesn't seem to have that issue. It might be that they're planning to start giving people warnings about doing it (iirc, it's technically against t&c isn't it?) or just going to strip out any referral tags people add to stop them generating revenue (which is why I'm curious about how it treats links which already *have* amazon referral tags)

I checked; it's not doing anything to existing Amazon affiliate IDs. I haven't checked anywhere else.

It is, however, doing very weird things when you cut and paste an unaffiliated e-commerce link - it turns it into a link to the page you cut it from, that the Javascript then bounces to the actual target. Very weird.

For people using GlimmerBlocker, I believe the following regular expression will match all outboundlink.* and *.outboundlink.* hosts: (?:.+\.)?outboundlink\.(\w+)
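An added example (not code from this thread, GlimmerBlocker or LiveJournal) serving two comments above: it checks a saved page source for the markers of the injected snippet quoted earlier (the zero-height hidden div, the DR_id global, a script loaded from an outboundlink.* host), and it exercises the host regular expression from the previous comment. The regex is anchored with ^ and $ here, which is an assumption about how the blocker applies it; the HTML and the script host cdn.outboundlink.example are constructed placeholders, since the post elides the real src.

```javascript
// Added example: spot the injected snippet in page source and test the
// outboundlink.* host pattern. Not the thread's, GlimmerBlocker's or LJ's
// code; HTML below is constructed and the script host is a placeholder.

// The comment's regex, anchored so it matches only outboundlink.<tld> and
// <anything>.outboundlink.<tld>, not hosts that merely contain the string.
const OUTBOUNDLINK_HOST = /^(?:.+\.)?outboundlink\.(\w+)$/i;

function isOutboundlinkHost(host) {
  return OUTBOUNDLINK_HOST.test(host);
}

// Hostnames of every <script src=...> in a page source (regex scan, good
// enough for a saved page; a DOM walk would be used in the browser).
function scriptHosts(html) {
  const hosts = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.push(new URL(m[1], 'https://www.livejournal.com/').hostname);
    } catch (e) {
      // unparsable src: ignore
    }
  }
  return hosts;
}

// The three tells of the snippet quoted in the thread.
function findLinkjackMarkers(html) {
  return {
    hiddenDiv: /<div[^>]*id=['"]hello-world['"][^>]*font-size:\s*0/i.test(html),
    drIdGlobal: /var\s+DR_id\s*=\s*\d+/.test(html),
    outboundlinkScripts: scriptHosts(html).filter(isOutboundlinkHost),
  };
}

function looksLinkjacked(html) {
  const m = findLinkjackMarkers(html);
  return (m.hiddenDiv && m.drIdGlobal) || m.outboundlinkScripts.length > 0;
}

// Constructed page tails: one carrying the snippet, one without it.
const INJECTED_HTML = `
<p>last entry on the page</p>
<div id='hello-world' style='text-align: left; font-size:0; line-height:0; height:0; overflow:hidden;'>
<script type="text/javascript"> var DR_id = 1111; </script>
<script src="https://cdn.outboundlink.example/dr.js" type="text/javascript"></script>
</div>
</body></html>`;

const CLEAN_HTML = `
<p>last entry on the page</p>
<script src="https://www.livejournal.com/js/core.js" type="text/javascript"></script>
</body></html>`;

console.log('injected:', findLinkjackMarkers(INJECTED_HTML), looksLinkjacked(INJECTED_HTML));
console.log('clean:', looksLinkjacked(CLEAN_HTML));
```

Without the anchors, the comment's pattern also matches a host such as notoutboundlink.com or outboundlink.me.evil.test, so a blocker that tests for a substring rather than a full match will block more than intended; the anchored form keeps the ".net to .me, to whatever comes next" behaviour the comment wants while staying specific.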

ahhh so this is what it's all about.

I'm very OCD about these things so seeing "transferring data from" at the bottom of each LJ tab was driving me crazy. Will definitely block it.

Thanks for bringing up the issue.

So today NoScript popped up, revealing the cookie.

I searched for it on ixquick and found your post.

I am just a common user and appreciate your noting the less-than-transparent manner in which lj slid this in.

Here via a quick search after poking around in the news post. Thanks for the explanation of what I started seeing last night. I was able to block some stuff in the console and use Noscript to cut down what's on my end but I am none too pleased that this linkjacking is going on from my journal.

This is the second round of it, to boot. Hit the '' tag at the bottom of the post for more details than you probably want of how it was working the first time. ("Badly" is the tl;dr version; the code was aggressively obfuscated, made itself more visible, and broke some links.)

Hi, this can be disabled if you run in the console
set opt_exclude_stats 1

here's more details

Thanks for the info on what it is and how to block it. I was wondering what the heck that was hanging there in the status line when I wasn't even doing anything. Do Not Want.

Ah, thanks for doing this digging! I noticed the stuff from tripping my NoScript a couple days ago, and at first thought someone on my flist had embedded something that was looking for script permissions. But, when it didn't go away after more than 20+ entries had scrolled off the first page, I just blocked the damned thing with NoScript then Googled to see what I could find on it. Your entry was the first thing I saw. :)

Blockity block blocked. Thanks for keeping an eye out for this.

