The Internet has long since become a kind of Wild West: everyone is responsible for himself, and activities from the twilight zone of morality, like collecting personal data, are regulated only when it benefits someone (yes, we all know which laws are worth remembering here).
Let's analyze this using the example of one service, which for me turned out to be a completely unknown area of darkness, even though it has existed since 2015. We will not name it in the article, but it can easily be found.

So, one day my friend received a message inviting him to familiarize himself with the product line of a yacht club. The wording “Some time ago, you were a guest of our site” especially attracts attention. So it is time to roll up our sleeves, plunge into the world of Internet stalking and figure out at least a little how it all works.
What is the point?
Companies like Google and Yandex have a rather strict approach to storing personal data that uniquely identifies a user on the network (namely, Google prohibits passing such data through its Google Analytics and Google Tag Manager services; breaking these rules leads to warnings or the blocking of violators' accounts). However, this is not true for everyone. There are some generally accepted “rules” of data storage, but like the pirate code, these are not strict laws, only a set of recommendations. We all know that stalking is a bad thing, but when people pay well for such things, some have a reason, if not to do it right away, then at least to think about it a little.
If you look at the sources of the ill-fated site, you can find an interesting set of scripts from a very suspicious service (the file in question is highlighted in the screenshot).
OK, there is a deviation from the standard set of Analytics and Metrica codes. We have a suspect!
The next logical step is to search the source code for the combination "vk", which could point to the piece of code responsible for identifying the user on the site. Let's do that in the file “pixel/index.php?img=”:

So, we see that there is a link to a VK application. It is logical to assume that it is used to identify the visitor's profile, provided, of course, that he is logged in. The application address is passed to the vkPr(link) function, whose code is shown below:
function vkPr(link) {
    // An image element is used as a tracking pixel
    var vkprimg = (window.Image ? (new Image()) : document.createElement('img'));
    // If the request comes back as a loadable image, the tracking cookie is set
    vkprimg.onload = function() { setCookiePr('XFZDGF1FQEpQVV5cSh1DRw==', link); };
    // Otherwise the tracker falls back to another identification method
    vkprimg.onerror = function() { getOther(); };
    // The pixel points at the VK login endpoint with a base64-encoded "to=" target
    vkprimg.src = 'https://vk.com/login?u=2&to=aW1hZ2VzL2ljb25zL2hlYWRfaWNvbnMucG5n';
}
Here we see the pixel being set and a cookie written. The pixel simultaneously hits the visitor's VK login, and it is at this stage that the user's deanonymization should occur. Next, let's examine the file from the callback folder and find in it a reference to vk_id and the setting of cookies with the sinister prefix “hunter”. The data set is very rich: from phone number to email and VK identifier.
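As an added example (not code from the article or from the tracker), here is a small Node.js scanner a site owner or analyst could run over page sources and cookie headers to flag the pattern described above: an image whose src points at vk.com/login with a base64 "to=" target, and cookies carrying the "hunter" prefix. The sample inputs and the specific cookie names are constructed; only the prefix and the vkPr snippet come from the article.

```javascript
// Added example, not the article's or the tracker's code: flag the login-probe
// pixel (img src -> vk.com/login?...&to=<base64 path>) and "hunter"-prefixed
// cookies. Sample inputs below are constructed for the demonstration.

// Constructed sample: the vkPr function quoted in the article, as found in a page.
const SAMPLE_SOURCE = `
function vkPr(link) {
  var vkprimg = (window.Image ? (new Image()) : document.createElement('img'));
  vkprimg.onload = function() { setCookiePr('XFZDGF1FQEpQVV5cSh1DRw==', link); };
  vkprimg.onerror = function() { getOther(); };
  vkprimg.src = 'https://vk.com/login?u=2&to=aW1hZ2VzL2ljb25zL2hlYWRfaWNvbnMucG5n';
}`;

// Constructed sample Cookie header (names are hypothetical; only the prefix is from the article).
const SAMPLE_COOKIES = '_ga=GA1.2.1; hunter_vk_id=123456; session=abc; hunter_phone=79990000000';

// Decode the base64 "to=" parameter: the resource the login endpoint sends the
// browser to. Whether that resource loads as an image is what the
// onload/onerror pair in vkPr observes.
function decodeToParam(url) {
  const m = /[?&]to=([A-Za-z0-9+\/=]+)/.exec(url);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// Find every string literal targeting vk.com/login and report whether it is
// assigned to an image .src (the probe pattern) and where it redirects to.
function findLoginProbes(source) {
  const findings = [];
  const re = /['"](https?:\/\/vk\.com\/login\?[^'"]*)['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const before = source.slice(Math.max(0, m.index - 30), m.index);
    findings.push({
      url: m[1],
      target: decodeToParam(m[1]),
      usesImageLoad: /\.src\s*=\s*$/.test(before),
    });
  }
  return findings;
}

// Return cookie names carrying the tracker's prefix from a raw Cookie header.
function findHunterCookies(cookieHeader) {
  return cookieHeader.split(';')
    .map((part) => part.trim().split('=')[0])
    .filter((name) => name.toLowerCase().startsWith('hunter'));
}

console.log(findLoginProbes(SAMPLE_SOURCE), findHunterCookies(SAMPLE_COOKIES));
```

The decoded target of the article's pixel is the path images/icons/head_icons.png, a plain image, which is why a successful onload is meaningful to the tracker.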
The hunt has begun:
This file stores the tracker core, through which data is transmitted to the service's server; what happens to it after that is unknown.

If you follow the link to the application, which at the time of publication is already blocked, you find an interesting application called "Hello", which has access to your personal data. It does not require installation in your account.

It contains the application developer's page, and it would be interesting to visit that too.

Here we see an empty account which was obviously created as a service account and filled in just enough to attract attention.
The last entry was made at 21:17, which makes you think about a very long working day in the company that created this application. Not being able to trace the specific methods used to identify users, one can only assume that the main functionality of VK applications is used to obtain a link to the user, which is passed to a bot that writes the site visitor a message in the rather “creepy” format of “I know what you did this evening”. In the widgets folder there is a call to a third-party service, through which, in fact, all communication goes:

Interestingly, the dialogues with the bot were initially spelled out clearly, but later removed. Here is an excerpt from the object, with the conversation options:
{
    "exitWeTreasure": {
        "head-name": "— #{name}, ,",
        "head": "— ,",
        "text-free": " ! ?",
        "text_worktime": " ! <br/>#{countdown} ((||)):countdown ?",
        "text_off": " ! , .",
        "action_callLater": " ",
        "action_call": ", !",
        "action_text": " "
    },
    "didCallSucceed": {
        "head-name": "— #{name},",
        "head": "— ,",
        "text-name": ", ?",
        "text": " ?",
        "action_yes": "",
        "action_no": ""
    }
}
Looks familiar, right? The part of the code responsible for communicating with children looks particularly nice, as they are asked to call their parents (these conclusions are drawn from the names of the methods used).

This concludes the part dedicated to the code. Next, we simply look up in Google the URL from which the js files were downloaded.
Who is stalking me?
It was simple: the very first result leads to a service that directly states that it searches for the accounts of those who have visited the site:

Here on the original image (I had to blur the names of these services so that no one takes this as an original way of promotion) we already see the familiar combination of words including vk, and in the title the name of the company that developed the bounty-hunter tracker.
Further searches revealed that this company has existed since 2015 and has provided services to many clients, some of them very well known with a good reputation: from banks to mobile operators. In my long history of surfing the Internet in non-anonymous mode, bots have never written to me with offers to get acquainted with a product catalog, so this looks rather doubtful, but I may be wrong.
What next?
In fact, this service can be used to blackmail users. It could be placed, for example, on a porn site, and one bad day a bot could write someone a “happy” message: “I know your favorite videos and will tell everyone about them”. A dubious pleasure, whoever you are. It could also be used to track down the frequent visitors of some undesirable publication and serve as a powerful tool of censorship.
The "Privacy Policy of Vkontakte", paragraph 5.1.4, states that:
The personal data of the Users is not transferred to any third parties, except as expressly provided for by these Rules.
When specifying a user or with the user's consent, it is possible to transfer user personal data to third party counterparties of the Site Administration with the condition that such counterparties assume obligations to ensure confidentiality of the information received, in particular when using applications.
Applications used by users on the Site are hosted and maintained by third parties (developers) who operate independently of the Site Administration and do not act on behalf of or on the instructions of the Site Administration. Users are required to independently familiarize themselves with the rules for the provision of services and the privacy policy of such third parties (developers) before using the respective applications.
The actions of such third parties (developers) are governed by the official document of the Site Administration, the Conditions for placing applications.
That is, the work with data is carried out according to the rules for the placement of VK applications.
The same rules state in Clause 2:
2. Work with data
2.1. It is prohibited to collect and store user data, including User ID, for purposes not related to the operation of the application. The requested data should be used only in the context of the application.
2.2. Applications hosted on vk.com should have a privacy policy. If it does not exist, the standard VK privacy policy is used.
2.3. It is forbidden to transfer any user data that is automatically obtained through the API (including the User ID) to third-party services (for example, advertising), either directly or through intermediaries.
2.4. It is forbidden to use user data in any advertisements.
This shows that clauses 2.3 and 2.4, which say that user data cannot be transferred to third parties, are violated. In fact, it is very similar to the FindFace story, but with the nuance that FindFace is not (formally) intended to advertise and hand your data to someone else for profit. Here the situation is radically different.
Instead of completion
In general, collecting data about site users is not something bad. Even if it is not anonymous, you can simply ask the user's permission before deanonymizing him. Of course, it would be reasonable to suggest that everyone surf the net in anonymous mode and avoid such problems, but that would not be a solution. Anonymous data lets you get an idea of your audience and build your business and its promotion more effectively.
And the funniest thing in this story is that they clearly missed their target audience, because ordinary students of 20-25 are hardly in a position to buy a yacht. Also, after contacting VK support with a report about this service's activities and questions about their attitude to such behavior, the application was blocked. Something tells me that such applications are produced in batches with minimal changes for each client, so one problem was solved, but globally, unfortunately, nothing has changed. Perhaps they paid attention to the activities of the company as a whole and further changes can be expected in the future, but one can only guess.
The support desk's answers can be seen below; they are very minimalist:

With this, I will finish my story about how many of us can be found across the network without our knowledge.
Stay safe, stay strong.