How do sites like Facebook know so much about your browsing and how do you stop it?

Red Squirrel

I typically run with an ad blocker but the other day I was at work on a computer where I had it turned off, as it was a new install of FF and I just never got around to installing adblock plus. I was on FB and noticed that I was getting ads for EXACT items that I searched for on a completely different site... at home. It was literally the same items that showed up in the search result, and advertised by the same company. They even had the nerve to say "we missed you", basically acknowledging "so yeah you did a search for this the other day, here it is again".

How in the world do they track what I do on another website? That is kinda scary, is it some kind of browser function where they can actually see what is in your other tabs? How do I stop this from being possible? Who knows what other sites may also be doing, ex: snooping on my banking to get my account info, or stealing passwords etc...

Guessing they use some kind of cross site scripting stuff or something. Is there a way to block that stuff from being possible? I don't like the idea that one site can know what I do on another site.

"Don't use Facebook" is not really an answer, I'm more worried about the fact that this is possible in the first place, as it does not stop other sites from doing it too and with more sensitive info. How does this work?
 
My guess is they are reading cookies of other sites you visited.

So that's actually possible? I always figured browsers would not allow that. Then again browsers seem to allow a lot of things these days that they should not. Like drive by spyware that installs stuff into your computer without any kind of prompt.
 
If site A and site B have an advertising company in common, they can easily put together your exact habits.
 
I don't know if they still do, but I left Facebook because they put tracking cookies on my computer and were annoying me, even when I was not on their site.
 
Every "like" button comes from Facebook's servers so they know (via referrer) which site you visited.
 
Every "like" button comes from Facebook's servers so they know (via referrer) which site you visited.

How do they know what I actually did on that site though? Is it possible through scripting for a site to know what you are doing in another tab? That would be really stupid, but it would not really surprise me.
 
It's nice that you can turn it off but I'm more concerned about the fact that they can see my internet history and who knows what else as it means a malicious site could do it too. Is there a global way of blocking this sort of thing without relying on the site honoring a setting? I don't think ad blockers necessarily stop the scripts, they just stop the ads from showing. The tracking and info collection still happens and it's enough info for them to know who I am across multiple machines.
 
delete your facebook account and stop using it.

now they won't know anything about you :D
 
It's amazing how little info and simply bits of harmless info can be presented in ways to freak people out.

The actual info is usually pretty limited and harmless, just looks like they know a ton about you.
 
delete your facebook account and stop using it.

now they won't know anything about you :D

I'm not concerned so much about Facebook, but more about how they are doing it. What is stopping malicious sites from collecting the same type of info and using it for malicious purposes, or worse, does the type of scripting they use allow them to also look at stuff like passwords? Is it really the case that through scripting you can read another domain's cookies? That means anyone can steal stuff like passwords or login sessions of various sites.

I guess I'll have to experiment with a packet sniffer to see what kind of info gets sent out, though I imagine it's probably encrypted.
 
In many cases it is simply the ad networks, and search boxes are typically tied into ad networks hence how they know what you were "searching for".
 
I'm not concerned so much about Facebook, but more about how they are doing it. What is stopping malicious sites from collecting the same type of info and using it for malicious purposes, or worse, does the type of scripting they use allow them to also look at stuff like passwords? Is it really the case that through scripting you can read another domain's cookies? That means anyone can steal stuff like passwords or login sessions of various sites.

I guess I'll have to experiment with a packet sniffer to see what kind of info gets sent out, though I imagine it's probably encrypted.

Basically everything about cookies is here https://en.wikipedia.org/wiki/HTTP_cookie

Sometimes I really get the feeling that you think and come up with an explanation before doing the slightest bit of research.

If website example.com includes a Like button, the button code is directly included from e.g. facebook.com. The button code can set and read cookies belonging to facebook.com only. Obviously the button code can read and write that cookie regardless of the website that includes it. When requesting the button code, your browser also sends to facebook.com a Referrer header that contains the URL of the website the button is on. If the URL includes search results as part of a GET request, I think that info is also available in the Referrer.

So Facebook knows every website you visit that has its button code on it and it can track you with a cookie. If you are logged in on Facebook, that tracking extends to your real identity. You don't even need to interact with the button, merely loading it from Facebook servers provides them with all that info.
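
The mechanism described in the post above, as an added example that is not part of the original thread: it models which Referer value a browser attaches to a third-party embed request under each Referrer-Policy, and what the embed's server can log as a result. The hosts, the cookie value and the `q` search parameter are constructed for illustration; current browsers default to `strict-origin-when-cross-origin`, while older ones used `no-referrer-when-downgrade`.

```javascript
// Added illustration; hosts, cookie value and the "q" parameter are constructed.
// Referer a browser sends on a subresource request under a given Referrer-Policy.
function refererFor(pageUrl, embedUrl, policy) {
  const page = new URL(pageUrl);
  const embed = new URL(embedUrl);
  // Fragments and embedded credentials are never included in Referer.
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === embed.origin;
  const downgrade = page.protocol === "https:" && embed.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// What the embed's server can log per page view: its own cookie (if the
// browser still sends third-party cookies) plus whatever Referer arrived.
function thirdPartyView(pages, embedUrl, policy, thirdPartyCookie) {
  return pages.map((pageUrl) => {
    const referer = refererFor(pageUrl, embedUrl, policy);
    const searchTerm = referer ? new URL(referer).searchParams.get("q") : null;
    return { cookie: thirdPartyCookie, referer, searchTerm };
  });
}

const EMBED = "https://social.example/plugins/like.js";
const PAGES = [
  "https://shop.example/search?q=cordless+drill",
  "https://news.example/article/42",
];

// Older default policy, third-party cookies allowed: one id tied to full URLs.
console.log(thirdPartyView(PAGES, EMBED, "no-referrer-when-downgrade", "uid=abc123"));
// Current default policy, third-party cookies blocked: only the site origin.
console.log(thirdPartyView(PAGES, EMBED, "strict-origin-when-cross-origin", null));
```

A site that embeds third-party widgets can set the policy itself with a `Referrer-Policy` response header, so search terms in its URLs do not reach the widget's host regardless of the visitor's browser defaults.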
 
Hmmm I did not figure they were tied in that much, as FB has to know the format of the search query for each site. Does not seem THAT bad then considering it requires each site to actually add the like button. Given everything it knows it felt more like it's using some kind of cross site scripting stuff and worried me it could also be used maliciously to get more sensitive info such as banking. Though I guess if ever my banking site adds any facebooky stuff I should probably block that... well I think I'm going to block it anyway out of principle. Are there any decent FF add-ons for this, preferably something that is more generic and not JUST for FB as I'm sure a lot of other sites may do the same kind of stuff.
 