My old familiar hacker Bo0oM, against the backdrop of the vulnerability story, at MaximTelecom combined several tools and techniques to visualize how easy it is to collect the maximum amount of user data simply by opening the page in the browser. Below is a link to the site that demonstrates the work of these integrated techniques: open from the desktop at your own peril, but Bo0oM claims that the data displayed there does not store and does not use (and it’s not very clear why they need it).
I do not understand much about these techniques, but Bo0oM says it uses a modified version of p0f from ValdikSS, the previously known technique for finding torrent downloads, a social network detector via favicon, the detection of a local IP address via Webrtc, and integration with DMP Facetz, whose API key was publicly available.
In my case, the site showed a small history of website visits, full information about the IP and the operating system, and in the basement of the site there were several useful links to the information that Google, YouTube and Twitter tools had already collected.
It turned out not very impressive, but according to Bo0oM, I, apparently, rarely use “VKontakte” – and so demoservice can show even specific downloads of porn from torrents, photos, favorite pages in “VKontakte” and the history of changes in IP-addresses. With mobile Chrome and Safari service for some reason did not work.
Who else is surprised by the data leaks, can see what is usually visible to the site owner when visiting the user. The site combines various techniques for data collection, which even without the clickjacking methods for de-naming social networks is enough to reflect.
According to the hacker, there is no anonymity on the Internet: all sites record at least minimal information about visiting users, and then share them with other sites through various services and scripts – advertising banners, social network widgets, statistical services, plug-in fonts. And even if you erase your cookies, change your IP and go online with a washing machine with a console, the data on visits is from the provider, and too much effort for your own deannonization can also attract the attention of stakeholders.