The Hacker Found a Way to Monitor Visitors to Competitors' Sites
A common pattern: open a Google search page and click through the various results looking for the information you need.
You can open dozens of individual tabs, or visit each site in turn and then return to the search results (the Back button in the browser). Dan Petrovich, a search engine optimization specialist at the Australian company Dejan Marketing, worked out how to exploit this pattern for his own benefit: to collect extensive statistics on visits to competitors' sites while diverting their traffic.
The scheme is shown in the diagram above. By intercepting competitors' traffic, the specialist gains the ability to:
- Generate heat maps for other people's sites (clicks, navigation, scroll depth)
- Record real sessions (mouse movements, keystrokes)
- Receive all text entered into completed forms, including order forms
Of course, Dan Petrovich did none of the above, because it would be a clear violation of the law. Even an alternative way of studying competitors' sites, without forging search results but by simply cloning someone else's site and buying traffic through social media and the like, is probably also a violation of the law.
The bug in browsers is still not closed, so this method can be used by other attackers: the JavaScript code exploiting the vulnerability has been published in the public domain. In fact, the script is easy to write yourself, knowing how the history.pushState() method can change the browser's history together with the referrer.
Dan Petrovich points out that he first used this trick in November 2012. Back then, instead of closing the vulnerability, Google manually demoted his page in the search results (the page that redirected to the fake search results on the Back button). Now, when he demonstrated the method again, Google acted even more harshly: without any notification in Search Console, his site was removed from the search index entirely.
The hacker admits that the information security community customarily handles discovered vulnerabilities differently: they are first reported to the developers, who are expected to fix the bug, and only afterwards is the issue disclosed publicly. A professional pentester explained to the author in detail how he could have demonstrated this vulnerability safely.
But he acted differently: he showed the scheme on real sites and told everyone immediately. In addition, there are serious doubts about the legality of this hack even without real surveillance of users, that is, about the legality of creating fake copies of other people's sites and redirecting users to them. Yet over the years neither the competitors nor Google (which is also affected by the forged search results) have filed lawsuits. This is full-fledged phishing, even for demonstration purposes and without malicious intent, so the ethics of the SEO specialist's actions are in question.
But the fact remains: years later, the Back button in the browser is still vulnerable to manipulation. According to Petrovich, other sites also use this technique to track visitors to competitors' sites.
He believes that Google should not exclude his site from the search index, but instead take a number of measures so that this old trick stops working:
- Eliminate the ability to manipulate the Back button in Chrome.
- Automatically demote sites that use this trick in the search results (rather than manually penalizing him alone). At the moment Google does not notice these scripts: Petrovich's experiment went unnoticed for five years while his site ranked highly in the search results.
- Mark pages that use history.pushState() to substitute search results as "dangerous".
Users are partially protected from such phishing by SSL certificates tied to an organization (OV) or with extended validation (EV), but this is still no panacea for user inattention.
Dan Petrovich's experiment showed that currently about 50% of users notice nothing suspicious when they are redirected to fake search results and then to a copy of another site on a local domain. Many users do not check who the certificate is issued to and do not read the URL; they are simply pleased that the browser shows the secure-connection icon, even though the certificate was issued for someone else's domain. Attackers have long since discovered that the secure-connection icon increases the credibility of a phishing site.
A number of measures could be taken to address this problem, for example:
- Require the user to confirm the use of the history.pushState() and history.replaceState() methods.
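The reason users "do not read the URL" is that a hostname such as www.google.com.search-results.net reads as Google to a hurried eye while the part that actually matters, the registrable domain, sits at the end. The following is an added example, not code from the article or from any browser, of how an address bar (or a phishing filter) can separate the registrable domain from the look-alike labels padded in front of it. The suffix list is a tiny constructed subset of the Public Suffix List, and all hostnames used are constructed:

```javascript
// Added example, not code from the article: split a URL's hostname the way an
// address bar could highlight it, so the registrable domain (eTLD+1) stands
// apart from look-alike labels padded in front of it.
// PUBLIC_SUFFIXES is a tiny constructed subset of the Public Suffix List,
// enough for this demo; a real implementation would load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "io", "co.uk", "com.au"]);

// Return the registrable domain of a hostname, or null if the hostname is
// itself a public suffix (or uses one the list does not know).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the longest candidate suffix first: for "shop.example.co.uk" the
  // match must be "co.uk", not a shorter suffix further right.
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Break a URL into display segments: everything before the registrable domain
// is chosen freely by whoever owns that domain and should be de-emphasised.
function splitForDisplay(urlString) {
  const url = new URL(urlString);
  const host = url.hostname;
  const registrable = registrableDomain(host) || host;
  const prefix = host.slice(0, host.length - registrable.length);
  return {
    scheme: url.protocol,          // e.g. "https:"
    prefix,                        // e.g. "www.google.com." (de-emphasise)
    registrable,                   // e.g. "search-results.net" (highlight)
    path: url.pathname + url.search,
  };
}

// Report a known brand domain that appears inside the hostname as a decoy
// label sequence while the actual registrable domain is something else.
// Returns the decoy domain found, or null when the hostname is clean.
function containsDecoyDomain(hostname, knownDomains) {
  const host = hostname.toLowerCase();
  const actual = registrableDomain(host);
  for (const known of knownDomains) {
    const k = known.toLowerCase();
    if (actual === k) continue; // genuinely that site, not a decoy
    // Match whole labels only: ".google.com." inside ".www.google.com.x.net."
    if (("." + host + ".").includes("." + k + ".")) {
      return known;
    }
  }
  return null;
}

// Constructed sample: a copy of a search page hosted on an unrelated domain.
const SAMPLE_URL = "https://www.google.com.search-results.net/search?q=shoes";
console.log(splitForDisplay(SAMPLE_URL));
console.log(containsDecoyDomain(new URL(SAMPLE_URL).hostname, ["google.com"]));
```

A secure-connection icon says nothing about which of these segments the certificate was issued for; the highlight belongs on the registrable part, and the presence of a well-known domain in the de-emphasised prefix is a cheap signal a filter can act on.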
- Highlight the most important part of the URL in the Chrome address bar, as Firefox does.
- Do not mark HTTPS sites as “safe” because it misleads the user and gives a false sense of security.
- Change the Back button icon if it leads to an address other than the previous page.
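Two of the measures above (confirming history.pushState()/history.replaceState() calls, and changing the Back button when it leads somewhere other than the previous page) both depend on the browser knowing which history entries the user actually navigated to and which a script planted. The following is an added example, not code from the article or from any browser vendor, of a monitor that wraps the two history methods and records entries created without a recent user gesture. The fake window, the timestamps and the URLs are constructed so the code runs offline; in a browser you would pass the real `window` from an extension content script, which is an assumption, not something the article describes:

```javascript
// Added example, not code from the article or from any browser vendor: wrap
// history.pushState/replaceState and record entries created without a recent
// user gesture, which is how the Back-button trick plants a fake "search
// results" page. The fake window below is constructed for offline use; in a
// browser you would pass the real `window` (assumption).
const GESTURE_WINDOW_MS = 1000; // a click/keydown this recent counts as user intent

function installHistoryMonitor(win, options) {
  const now = (options && options.now) || (() => Date.now());
  const onSuspicious = (options && options.onSuspicious) || (() => {});
  const state = { lastGestureAt: -Infinity, findings: [] };
  const noteGesture = () => { state.lastGestureAt = now(); };
  win.addEventListener("click", noteGesture, true);
  win.addEventListener("keydown", noteGesture, true);

  for (const method of ["pushState", "replaceState"]) {
    const original = win.history[method].bind(win.history);
    win.history[method] = function (data, title, url) {
      const from = win.location.href;
      const to = url == null ? from : new URL(String(url), from).href;
      const finding = {
        method,
        from,                       // the page the user was really on
        to,                         // the entry the script is creating
        hadGesture: now() - state.lastGestureAt <= GESTURE_WINDOW_MS,
        changesPath: new URL(from).pathname !== new URL(to).pathname,
      };
      // A path change with no gesture behind it is the pattern to surface,
      // e.g. by altering the Back button or asking the user to confirm.
      if (!finding.hadGesture && finding.changesPath) {
        state.findings.push(finding);
        onSuspicious(finding);
      }
      return original(data, title, url);
    };
  }
  return state;
}

// Constructed stand-in for a browser window, just enough for the monitor.
function makeFakeWindow(startHref) {
  const entries = [startHref];
  const listeners = {};
  const current = () => entries[entries.length - 1];
  const resolve = (url) => (url == null ? current() : new URL(String(url), current()).href);
  return {
    entries,
    location: { get href() { return current(); } },
    history: {
      pushState(_data, _title, url) { entries.push(resolve(url)); },
      replaceState(_data, _title, url) { entries[entries.length - 1] = resolve(url); },
    },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn({ type })); },
  };
}

// Replay the scenario from the article against the monitor: a page script
// plants a fake search-results entry right after load with no user action,
// then later the user clicks and the page does an ordinary in-page navigation.
function demo() {
  let clock = 0;
  const win = makeFakeWindow("https://seo-article.example/post");
  const state = installHistoryMonitor(win, { now: () => clock });

  clock = 200;                                    // 200 ms after load, no gesture
  win.history.pushState({}, "", "/fake-search?q=shoes");

  clock = 5000;
  win.dispatch("click");                          // the user clicks a link
  clock = 5100;
  win.history.pushState({}, "", "/post/part-2");  // legitimate navigation

  return { findings: state.findings, entries: win.entries };
}

console.log(demo().findings);
```

Each finding carries `from`, the page the user genuinely arrived at, and `to`, the entry the script inserted; that pair is exactly what a browser needs in order to draw a different Back icon, or to ask for confirmation, when the next Back press would land on a page the user never visited.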