[OT] Yahoo "Web Beacons"


Jordan

Yahoo is now using something called "Web Beacons" to track Yahoo
Group users around the net and see what you're doing and where you
are going - similar to cookies. Take a look at their updated privacy
statement:

http://privacy.yahoo.com/privacy/us/pixels/details.html

About half-way down the page, in the section "Outside the Yahoo!
Network", you'll see a little "click here" link that will let
you "opt-out" of their new method of snooping. I strongly recommend
that you do this.

Once you have clicked that link, you are opted out. Notice
the "Success" message at the top of the next page.

Be careful because on that page there is a "Cancel Opt-out" button
that, if clicked, will *undo* the opt-out. Feel free to forward this
to other groups.
 
Mark said:
Thanks, Jordan. Anybody know if Spywareblaster sets a kill bit for
this? Or does Ad-aware or Spybot detect this?

You can't. The beacons are just 1x1 pixel GIF images. You can't tell
a browser not to load them, nor can any anti-spyware app stop it. The
only thing you can do is Opt-Out at the URL above (browser-specific,
not user-specific) or tell your browser not to load any GIF images.
 
Jordan said:
Yahoo is now using something called "Web Beacons" to track Yahoo
Group users around the net and see what you're doing and where you
are going - similar to cookies. Take a look at their updated privacy
statement:

http://privacy.yahoo.com/privacy/us/pixels/details.html

About half-way down the page, in the section "Outside the Yahoo!
Network", you'll see a little "click here" link that will let
you "opt-out" of their new method of snooping. I strongly recommend
that you do this.

Once you have clicked that link, you are opted out. Notice
the "Success" message at the top of the next page.

Be careful because on that page there is a "Cancel Opt-out" button
that, if clicked, will *undo* the opt-out. Feel free to forward this
to other groups.

What Yahoo calls "Web Beacons" is actually an old idea known as "Web
Bugs". Webwasher filters them out:

http://www.webwasher.com/client/home/index.html?lang=de_EN

But Yahoo is correct when they say that "In general, any electronic
image viewed as part of a web page, including an ad banner, can act as
a web beacon." Still, WebWasher cleans out ads and popups effectively
as hell for me, so I'm not worried. Add to this the fact that Mozilla
filters out ads and popups when configured to do so, and very little
sneaks through.
 
John said:
What Yahoo calls "Web Beacons" is actually an old idea known as "Web
Bugs". Webwasher filters them out

Doubt it. The very act of loading the image to check its size is enough
for the beacon/bug to do its job (it's been read). The best WebWasher
can do is filter out by filename, but if the beacon/bug doesn't have an
obvious "malicious" name (eg. "beacon.gif", "bug.gif", etc) then the
image will be loaded by the browser and the "hit" will be done.
 
Paul said:
John Corliss wrote:

Doubt it. The very act of loading the image to check its size is enough
for the beacon/bug to do its job (it's been read). The best WebWasher
can do is filter out by filename, but if the beacon/bug doesn't have an
obvious "malicious" name (eg. "beacon.gif", "bug.gif", etc) then the
image will be loaded by the browser and the "hit" will be done.

You know, I've always wondered if this were so. Oh well.
 
Doubt it. The very act of loading the image to check its size is enough
for the beacon/bug to do its job (it's been read). The best WebWasher
can do is filter out by filename, but if the beacon/bug doesn't have an
obvious "malicious" name (eg. "beacon.gif", "bug.gif", etc) then the
image will be loaded by the browser and the "hit" will be done.

These web bugs will probably originate from some known domain. Killfile
that and you're done. You could also killfile by image dimension.
 
Rhexis said:
These web bugs will probably originate from some known domain.

If by domain, directory or filename, then yes, you can prevent them from
being loaded and generating a "hit".
You could also killfile by image dimension.

Only to prevent showing them in your browser, but not to prevent a "hit"
from occurring (as explained above by myself).
 
If by domain, directory or filename, then yes, you can prevent them from
being loaded and generating a "hit".

Then what's the problem? No more webbugs, right?
Only to prevent showing them in your browser, but not to prevent a "hit"
from occurring (as explained above by myself).

No. It's entirely possible to parse the HTML before any images are loaded
provided that the dimensions are specified in the code.

There're also several degrees of leakage. You can minimize the problem
by using an agent that doesn't accept cookies, for instance. You can
also do what I do and avoid Yahoo altogether.
 
Rhexis said:
Then what's the problem? No more webbugs, right?

Exactly right. But a lot of webbugs don't have obvious names, and thus
the browser won't know if it's a bug or legit GIF image. Heck, even a
normal GIF image can be used as a bug, even though it's directly related
to the page (ie. title graphic, etc).
It's entirely possible to parse the HTML before any images are
loaded provided that the dimensions are specified in the code.

"Provided" being the word. Most bugs I've seen don't use obvious names
and don't have width/height tags in the HTML code.
 
Paul said:
Exactly right. But a lot of webbugs don't have obvious names, and thus
the browser won't know if it's a bug or legit GIF image. Heck, even a
normal GIF image can be used as a bug, even though it's directly related
to the page (ie. title graphic, etc).


"Provided" being the word. Most bugs I've seen don't use obvious names
and don't have width/height tags in the HTML code.

Good reason to disable HTML in the e-mail program. Look at the incoming
stuff in text only.
 
Doubt it. The very act of loading the image to check its size is enough
for the beacon/bug to do its job (it's been read).

Surely some proxy like the Proxomitron would read the HTML first, re-write
anything it didn't like, then pass it to the browser to render. So in that
case, the image would not be loaded (if you wrote such a filter) - because
the browser never had a link to download for this image.

Dariusz
 
Dariusz said:
Surely some proxy like the Proxomitron would read the HTML first,
re-write anything it didn't like, then pass it to the browser to
render. So in that case, the image would not be loaded (if you
wrote such a filter) - because the browser never had a link to
download for this image.

Correct. But then NO images would be loaded, because the proxy
can't differentiate between legit images and those being used as
beacons (except for the filename and directory issues mentioned).
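
The rewriting-proxy idea debated above, as an added example that is not code from any poster in the thread: it drops `<img>` tags by host or by declared 1x1 size before the browser ever sees them. The host names, the blocklist entry and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BLOCKED_HOSTS = {"tracker.example"}  # constructed blocklist entry, not from the thread

def _tiny(value):
    # Only an explicit 0 or 1 counts; a missing attribute tells the filter nothing.
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")

class BeaconFilter(HTMLParser):
    """Re-emit HTML, dropping <img> tags that match a host or declared-size rule."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=False)
        self.page_url, self.out, self.dropped = page_url, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            src = urljoin(self.page_url, a.get("src") or "")
            host = urlparse(src).hostname or ""
            reason = None
            if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
                reason = "blocked-host"
            elif _tiny(a.get("width")) and _tiny(a.get("height")):
                reason = "declared-1x1"
            if reason:  # the tag never reaches the browser, so no request is made
                self.dropped.append((src, reason))
                return
        self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <img ... /> goes through the same check
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def filter_html(html, page_url):
    f = BeaconFilter(page_url)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped

SAMPLE = (  # constructed page: four images, one per case discussed in the thread
    '<p>Hello</p>'
    '<img src="http://tracker.example/a/logo.gif">'      # listed host, no size given
    '<img src="/img/spacer.gif" width="1" height="1">'   # size declared in the markup
    '<img src="http://cdn.example/x.gif?id=42">'         # unlisted host, no size: passes
    '<img src="/img/title.gif" width="300" height="60">'
)
```

On the sample, the third image survives the filter: with no listed host and no width/height in the markup, nothing distinguishes it from an ordinary image until it has already been fetched.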
 
Burp said:
Good reason to disable HTML in the e-mail program. Look at the
incoming stuff in text only.

(Foreword: In another post I thought you meant e-mail client, as
opposed to Yahoo's e-mail).

As for your comment above: You can still elect to view HTML mail
with Yahoo, because it has a feature to enable/disable images in
such HTML mail, thus rendering beacons useless.
 
| > > What Yahoo calls "Web Beacons" is actually an old idea known as "Web
| > > Bugs". Webwasher filters them out
| >
| > Doubt it. The very act of loading the image to check its size is enough
| > for the beacon/bug to do its job (it's been read). The best WebWasher
| > can do is filter out by filename, but if the beacon/bug doesn't have an
| > obvious "malicious" name (eg. "beacon.gif", "bug.gif", etc) then the
| > image will be loaded by the browser and the "hit" will be done.
|
| These web bugs will probably originate from some known domain. Killfile
| that and you're done. You could also killfile by image dimension.
|

Rhexis,

You should get into the habit of reading privacy and terms of use
statements of software that seems to be giving too much away for
free. This is especially important with companies that are
well-known to employ invasive and abusive practices. Already,
you've posted here about two of these companies. Both of them
clearly state what they intend to do to you when you do your part
of their devil's bargain.

For example, Yahoo clearly states that their business partners
use their own web bugs. You may find yourself consumed by being
alert for every one of them to killfile them. It is really
impractical.

Read, Rhexis, Read!

Richard
 
Rhexis,

You should get into the habit of reading privacy and terms of use
statements of software that seems to be giving too much away for
free.

I usually do. It's just that I don't use any of Yahoo's services,
so it's moot to me. Yahoo is pretty bad even if you don't throw
privacy concerns into the equation.
For example, Yahoo clearly states that their business partners
use their own web bugs. You may find yourself consumed by being
alert for every one of them to killfile them. It is really
impractical.

Nah, a few regexps here and there coupled with a good proxy should do
the trick. Not visiting Yahoo deals the heaviest blow to their nefarious
schemes though :)

Don't get the impression that I'm sitting here spending loads of time filling
my HOSTS-file with useless crap, because I'm not.
Read, Rhexis, Read!

"I'm givin' her all she's got Captain!"
 
Rhexis wrote:
|| Rhexis,
||
|| You should get into the habit of reading privacy and terms of
|| use statements of software that seems to be giving too much
|| away for free.
|
| I usually do. It's just that I don't use any of Yahoo's
| services,
| so it's moot to me. Yahoo is pretty bad even if you don't throw
| privacy concerns into the equation.
|

Yeah. Now if I could only get my cousin in West Virginia to stop
using it for all his emailing. He has cable internet, and he
believes that Yahoo webmail is his "real" email account!

|| For example, Yahoo clearly states that their business partners
|| use their own web bugs. You may find yourself consumed by
|| being alert for every one of them to killfile them. It is
|| really impractical.
|
| Nah, a few regexps here and there coupled with a good proxy
| should do
| the trick. Not visiting Yahoo deals the heaviest blow to their
| nefarious schemes though :)
|
| Don't get the impression that I'm sitting here spending loads
| of time filling my HOSTS-file with useless crap, because I'm
| not.
|
|| Read, Rhexis, Read!
|
| "I'm givin' her all she's got Captain!"

Hahaha! Warp 9 point what?

Richard
 
Richard said:
Now if I could only get my cousin in West Virginia to stop
using it for all his emailing. He has cable internet, and he
believes that Yahoo webmail is his "real" email account!

A "real" e-mail account is that which you use on a permanent basis.
What you're talking about is (most likely) his ISP-provided e-mail
address, but that doesn't make it any more official than any other
e-mail service. In fact, relying on your ISP's one is quite risky,
as you'll lose it if you ever decide to change ISPs. I use Yahoo
for my "real" e-mail with the web2pop app so I can send/receive it
through Outlook.
 