Hacker News new | past | comments | ask | show | jobs | submit login

Here's the paper giving details:

http://www2.research.att.com/~bala/papers/wosn09.pdf

There's three ways info leaks:

1 - Referer header, eg facebook.com/profile.php?id=1

2 - Request, eg analytics.google.com/script.js?page=facebook.com/profile.php?id=1

3 - Cookies, eg z.digg.com points to an omniture server, and so passes all digg cookies to them!

1 and 2 are easily exploitable by advertisers who wanted to, but 1 especially seems like a very standard way of building urls on most services. Definitely will get them hammered for good reason, but there's not necessarily any bad intent.

3 seems a lot worse. Are there legit reasons I'm missing for hosting ad servers on the same domain, and so puncturing the browser security model?




> Are there legit reasons I'm missing for hosting ad servers on the same domain, and so puncturing the browser security model?

Avoiding generic (not targeted to your site specifically) AdBlock URL filtering.


Also, many browsers block third-party cookies by default, which may screw up your analytics.


Many browsers can, but few do. Firefox, chrome and IE don't by default.


True. I misspoke about many, but you will still improve the accuracy of your analytics by doing this.


Omniture isn't an ad server, it's an analytics system. Perhaps they do allow sharing with 3rd parties (i.e. ad servers) but I'd guess that's somewhere in the settings.


re: 1 - For user shared links, Facebook redirects to anonymize the referring profile. I suspect they forgot to do the same for ads, and it was an honest if frustrating mistake.


They didn't use to do this, the only reason they redirect now is so that if a link is deemed a virus of some sort they can easily stop it from spreading, and you can enable a setting so that before visiting every link you get an interstitial that tells you that you are leaving Facebook.


I've sometimes subdomained a few, select third party services on the same domain. For example, if a third party hosts your landing pages and you wish to own the urls to those, subdomaining is the best way to handle that.

That said, you should practice decent subdomain level security with cookies. You can and SHOULD restrict cookies to subdomain levels. The only exception is for SSO related cookies (that are stored at the domain root) that still need at least a second, shared secret verification at the very minimum.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: