Stealing user’s data in creative ways

Posted on under English

Beware! This post is more than 3 years old, it may be outdated or incorrect! Please check elsewhere for accurate information!

I needed a way to track users and collect their information, for a client’s project. I remembered that back in 2010 I made a tracking system that could list and collect user’s browsing history by injecting a bunch of links in a hidden div and checking their color. If they were visited, the color was purple, if they weren’t, the color was blue. Then I would send that information via AJAX and remember it into a cookie so I could better target ads to users.

This doesn’t work anymore, unfortunately (fortunately for everyone concerned for their privacy). You can read the post on Mozilla Security blog here.

Today I was tinkering with an idea that I could list all links on the page, mask them as game elements and then make a user click on them. I would then collect the data and it’s usually correct.

I made a demo called “Activity Analyzing Algorithmic System”. You can try it out here. If you look into the source code, you’ll see that the boxes are actually links. Then when you click on a box it’ll remember the link and category in a variable and when you finish it’ll send it via AJAX. Now, this is just a proof of concept and it’s really useless for any commercial application, since it takes a lot of time to complete.

But... What if you could make a fake CAPTCHA that tricked the user into thinking it was real. Then the user would click on the boxes and all the data would be sent via AJAX. And you could show this CAPTCHA every time a user posts a comment, for example, and randomize the links so you cover much more of the user’s history… Yes, that does seem interesting.

So I made an example of that CAPTCHA, located here. This CAPTCHA also doesn’t do anything except tell you what you selected, but with a little bit of creativity it could be used to do much more. You could also insert random fake boxes that are gray and and if clicked they would invalidate the captcha, so you could rule out most of the cheating.

NOTE: These methods aren’t ethical and I neither condemn nor condone the use of these methods for collecting user data. This is just my research and an education-only concept.


This post was last updated on June 5th, 2014.