Pornhub bypasses ad blockers with webocards

An engineer from BugReplay found a great way to demonstrate how his screencast service works with recording network traffic and demonstrating errors, including WebSockets and JavaScript. He recorded a Pornhub screencast with a traffic log that is synchronized with the video. So, on this demonstration you can clearly see how Pornhub bypasses ad blockers and pushes advertisements with the help of web sockets.

Pornhub works very well. When you enter the site, it checks for the presence of a blocker. If such is found, the site opens a new WebSocket connection, which acts as a backup mechanism for advertising delivery .

On the screencast with the network log you can see a lot of requests that were blocked by uBlock Origin. They are marked as Failed in network traffic.
')

http://cdn1b.static.pornhub.phncdn.com/www-static/js/ph-tracking.js?cache=2016102525 GET Failed https://media.trafficjunky.net/js/holiday-promo.js GET Failed http://www.google-analytics.com/analytics.js GET Failed http://ss.phncdn.com/iframe-1.1.3.html GET Failed http://ss.phncdn.com/iframe-1.1.3.html GET Failed http://engine.phn.doublepimp.com/Tag.engine?time=240&id=7129f320-ce21-4b40-9d7e-37b1df8cf8f0&rand=25334&ver=async&referrerUrl=&fingerPrint=123&abr=false&stdTime=-300&fpe=3&bw=1262&bh=636&res=1280x800 GET Failed http://electosake.com/240/7129f320-ce21-4b40-9d7e-37b1df8cf8f0/82615/asynch/null/123/null/true/-300/3/1262/636/Tag.a1b GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=connectTime&action=other&label=&value=116 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=ttfb&action=other&label=&value=799 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=redirectTime&action=other&label=&value=0 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=domInteractive&action=other&label=&value=1659 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=domComplete&action=other&label=&value=1829 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=domContentLoadedEventEnd&action=other&label=&value=1710 GET Failed https://www.etahub.com/trackn?app_id=971&product_name=2&category=loadEventEnd&action=other&label=&value=1850 GET Failed 

Clicking on the query displays the details. Reason for blocking: net::ERR_BLOCKED_BY_CLIENT . This error occurs when the ad blocker in the browser blocks some Ajax calls (at least in Chrome, this is how it works).

Immediately after the error message in the log, we see a request to create a web socket and frames , to which a positive response was received.

 ws://ws.adspayformy.site./nsoj webSocketCreate ws://ws.adspayformy.site./nsoj webSocketFrameSent ws://ws.adspayformy.site./nsoj webSocketFrameReceived 

As if apologizing to users, Pornhub uses the domain adspayformy.site to create the webbox. The joke is clearly aimed at those who use ad blockers.

After downloading the webbox, a frame is created where the encoded JSON content is loaded for each place on the page where the advertising banner should be.

 { "zone_id": 32, "link": "http://cp.pleasedontslaymy.download/_z/eyJj...In19", "media_type": "image", "media_encoding": 0, "img_data": "/9j/4QA.....Wh+n//2Q==", "img_type": "image/jpeg" } 

In this case, zone_id 32 is indicated, which indicates the place for the introduction of advertising. Usually a video is inserted there, but in this example it is a graphic banner, which is indicated in media_type . Content is encoded in base64 and restored in the browser in accordance with the data: URL (or data: URI) scheme, which is supported by almost all modern browsers. On and then data marked as image/jpeg transferred to this scheme.

Advertising blockers usually track web sockets, so coding data in base64 is also a smart move.

Of course, after disclosing dirty Pornhub methods, music will not play for a long time. Already on October 25, one of the developers in the Chromium community under the nickname pkalinnikov suggested a patch , with the help of which the browser will be able to block web-sites through the webRequest API . If the patch is accepted, ad blockers will be able to safely implement the normal way of blocking such hacks in Chrome, but Pornhub owners will have to look for new tricks in the eternal struggle with blockers, which will never stop .

After the release of the publication from the developer BugReplay, it turned out that some ad blockers had learned how to block web sockets like those used by Pornhub. At least, the web socket will not pass through uBlock Origin (the corresponding ticket ) and AdBlock Plus (the ticket ). But the AdBlock blocker and some others have not yet been updated.

The history of the Chrome webRequest API “bug” that does not allow intercepting WebSocket requests ( ticket 129353 ) is very interesting. This ticket was opened in May 2012. And still remains open. The discussion went on for a very long time. Users complained in the discussion that due to the inability to block web-sites, sites can relatively easily bypass ad blockers. After all, if the blocker does not track web sockets through standard APIs, then to block such advertisements you need to look for very difficult workarounds. At first it was a purely theoretical problem. It seems that in 2012 not a single site used such methods to bypass advertising blockers, and the blockers themselves were not as popular at that time as they are now.

The situation changed in 2015 and 2016. Now Pornhub is not the only site that has thought of such a hack. What is most interesting in discussing the ticket in Chromium in August 2016 was one of the developers . He convincingly explained that ad blockers are trying to rewrite the contents of web sockets - and this really threatens the security of users, because it breaks down the basic Javascript functionality. That is, to introduce this patch is to sacrifice security. All anything, but this routeh developer ... @ gmail.com works for MindGeek, which owns both the Pornhub website and the By Traffic Junky advertising network, which delivers advertising there. By the way, similar tricks for circumventing ad blockers work not only on Pornhub, but also on other MindGeek websites.

It seems that quite advanced programmers are working in porn companies. As is known from history, it is the porn industry that has often moved technological progress forward. It turns out that now they are ahead of everyone else in something. At least in the most innovative ways to bypass ad blockers. However, in the same discussion in the tracker Chomium reported that the trick with the web socket and use some other advertising networks, mentioned some network RevDefender.

We wish good luck to comrade pkalinnikov that his patch be accepted into the Chromium code base. Apparently, this is one of the leading developers of Chromium, so we rely on its authority.