Stealing Phorm Cookies

April 22nd, 2008 at 17:49 UTC by Richard Clayton

Last week I gave a talk at the 80/20 Thinking organised “town hall meeting” about the Phorm targeted advertising system. You can see my slides here, and eventually there will be some video here.

One of the issues I talked about was the possibility of stealing Phorm’s cookies, which I elaborate upon in this post. I have written about Phorm’s system before, and you can read a detailed technical explanation, but for the present, what it is necessary to know is that through some sleight-of-hand, users whose ISPs deploy Phorm will end up with tracking cookies stored on their machine, one for every website they visit, but with each containing an identical copy of their unique Phorm tracking number.

The Phorm system strips out these cookies when it can, but the website can access them anyway, either by using some straightforward JavaScript to read their value and POST it back, or by the simple expedient of embedding an https image (<img src="https://....">) within their page. The Phorm system will not be able to remove the cookie from an encrypted image request.

Once the website has obtained the Phorm cookie value, then in countries outside the European Union where such things are allowed (almost expected!), the unique tracking number can be combined with any other information the website holds about its visitor, and sold to the highest bidder, who can collate this data with anything else they know about the holder of the tracking number.

Of course, the website can do this already with any signup information that has been provided, but the only global tracking identifier it has is the visiting IP address, and most consumer ISPs give users new IP addresses every few hours or few days. In contrast, the Phorm tracking number will last until the user decides to delete all their cookies…

A twist on this was suggested by “Barrie” in one of the comments to my earlier post. If the remote website obtains an account at the visitor’s ISP (BT, Talk Talk or Virgin in the UK), then they can construct an advert request to the Phorm system, using the Phorm identifier of one of their visitors. By inspecting the advert they receive, they will learn what Phorm thinks will interest that visitor. They can then sell this information on, or serve up their own targeted advert. Essentially, they’re reverse engineering Phorm’s business model.

There are of course things that Phorm can do about these threats, by appropriate use of encryption and traffic analysis. Whether making an already complex system still more complex will assist in the transparency they say they are seeking is, in my view, problematic.
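The effect of the encryption countermeasure on the global-identifier problem described above can be checked with a small model. This is an added example, not code from the original post or from Phorm; the UID, site names, key and the three scheme functions are constructed assumptions, and a keyed hash stands in for a cipher.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: one user's tracking number and three visited sites.
UID = "a3f1c29e5b7d4c06"
SITES = ["news.example", "shop.example", "forum.example"]
OPERATOR_KEY = b"constructed-demo-key"  # hypothetical secret held by the tracker

def identical_copy(uid, domain):
    """Scheme described in the post: every site's cookie holds the same value."""
    return uid

def static_encryption(uid, domain):
    """Stand-in for encrypting the UID once: the output hides the UID,
    but the same opaque value is still stored under every domain."""
    return hmac.new(OPERATOR_KEY, uid.encode(), hashlib.sha256).hexdigest()[:16]

def per_domain_pseudonym(uid, domain):
    """Hypothetical alternative: bind the value to the domain it is stored under."""
    msg = f"{uid}|{domain}".encode()
    return hmac.new(OPERATOR_KEY, msg, hashlib.sha256).hexdigest()[:16]

def build_jar(scheme):
    """One user's cookie jar as {domain: cookie value} under a given scheme."""
    return {d: scheme(UID, d) for d in SITES}

def linkable_groups(jar):
    """Return the sets of domains that share a cookie value, i.e. sites
    that could join their visitor records on that value alone."""
    by_value = defaultdict(set)
    for domain, value in jar.items():
        by_value[value].add(domain)
    return [doms for doms in by_value.values() if len(doms) > 1]

def report():
    """Linkable domain groups for each scheme, keyed by scheme name."""
    schemes = (identical_copy, static_encryption, per_domain_pseudonym)
    return {s.__name__: linkable_groups(build_jar(s)) for s in schemes}

if __name__ == "__main__":
    for name, groups in report().items():
        print(f"{name:22s} linkable across: {groups or 'none'}")
```

Only the per-domain value stops unrelated sites from matching records on the cookie; each site still sees a stable identifier for its own visitors.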

Entry filed under: Legal issues, News coverage, Privacy technology

19 comments

  • 1. David Harper  |  April 22nd, 2008 at 20:26 UTC

    If I have understood paragraph 29 of your technical explanation, I can thwart Phorm by instructing my browser not to accept ANY cookies from the webwise.net domain.

    Is that correct?

  • 2. James Firth  |  April 22nd, 2008 at 21:33 UTC

    Richard,

    Just one note on the use of encryption. The encrypted UUID would still be unique. So whilst this would stop the “Barrie” method of learning something about one’s quarry, it would not stop 3rd parties using the Phorm cookie as a global identifier for their own purposes.

  • 3. Pete  |  April 22nd, 2008 at 22:23 UTC

    I’ve already had a crack at coding up some of the scenarios described by Richard (following discussion on UK Crypto and BadPhorm.co.uk).

    See http://www.dephormation.org.uk/web_masters.html for details.

    Rewriting cookies – in particular – is a trivial coding task.

  • 4. Mel  |  April 22nd, 2008 at 23:11 UTC

    Have you considered the possibility of “spammers” capturing the Phorm cookie along with the “phormed” user’s email address by sending them an email containing a variation of a web-bug with a http: image url which redirects to an https url in the same domain?

    This would only work in webmail, unless the user’s email client shares the browser’s cookies.

    The webbug (phormbug) could be an http: image link containing the email address it was sent to (ie your email address) suitably encoded eg:-

    “http://Spammer.con/phormbug_YourEmailAddressHere.jpg”

    If you view the email in webmail, your browser would request the image.

    Phorm would use its triple redirect jiggery-pokery to intercept this request and copy the webwise.net UID to a webwise cookie in the “Spammer.con” domain, and redirect the client so that it resends the original request.

    The spammer’s server would then reply with a redirect to a php script with an https: URL in the same domain. eg

    “https://Spammer.con/phormbug_YourEmailAddressHere.php”

    The email client automatically requests this https: url sending the webwise UID cookie.

    Using https: encryption bypasses phorm’s intercept of the phorm cookie, delivering the UID (cookie) and email address (encoded in the URL) to the spammer.

    Most ISPs provide a free email service with their accounts and also provide a webmail interface. So it might be possible to compile a database of UID + email address by using the spamming equivalent of a “dictionary attack” of common email addresses @The_ISP’s_email_domain.

  • 5. Mel  |  April 23rd, 2008 at 00:20 UTC

    Incidentally a full-stop has got into your my slides url my slides here

    And I messed up my own URL :o )

    Phorm-bugs?

  • 6. david M  |  April 23rd, 2008 at 07:09 UTC

    BTW Richard did you see Alexander’s post yet

    http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-299.html#post34535819

    “Kent turned up late”…

    “He said (and I quote) “he [Richard Clayton] thinks Phorm is the best thing to ever happen with online advertising” (I kid you not).”

  • 7. Jamie Hunter  |  April 23rd, 2008 at 08:28 UTC

    Hi Richard,

    Thanks for your work on Phorm and for speaking at the public meeting on Tuesday night. I note that 80/20 Thinking have yet to provide any video footage of the event despite it being over a week since the public meeting.

    I was able to film four of the speeches, including yours and have posted these unedited at http://tobymeres.net

  • 8. david M  |  April 23rd, 2008 at 16:00 UTC

    http://www.openrightsgroup.org/2008/04/23/fipr-calls-on-home-office-to-withdraw-misleading-advice-on-phorm/
    FIPR calls on Home Office to withdraw misleading advice on Phorm
    Posted by Becky in Computer Law, Data Protection, Net Neutrality, Privacy, Regulation of Investigatory Powers Act at April 23rd, 2008

  • 9. Barrie Dempster  |  April 24th, 2008 at 08:53 UTC

    I don’t see how encrypting the cookie would help, unless it was encrypted on-the-fly for each request which would probably be quite impractical.

    Tracking this information in cookies effectively injected into another domain’s cookie space is riddled with problems. There’s just no way Phorm can control the requests and prevent the 3rd parties gathering information.

    Barrie

  • 10. Dennis Jackson  |  April 24th, 2008 at 16:59 UTC

    Have I missed something?

    Looking at the technical description, the Phorm system could easily block me from browsing any web sites. At step 15, my firewall (or content filter such as SurfControl) may not allow access to webwise.net. If my firewall blocks webwise.net then the redirected request will never happen and my attempt to visit http://www.cnn.com will fail. I can only get to desired web sites by changing my firewall to also allow access to webwise.net.

    There are many organisations that implement a whitelist to limit sites that can be browsed at work. Vendors (such as SurfControl) supply dynamic blacklists and whitelists of sites. What is the incentive to include webwise.net in any whitelist?

    Unless I add webwise.net to the whitelist in my firewall my access to the Internet is blocked. Transparent – no. Friendly – no. Trivial change to T&C – no.

  • 11. fred  |  April 26th, 2008 at 10:53 UTC

    Phorm counter-measures

    1)

    Edit your ‘Hosts’ file…

    Start –> Run –> Type:

    notepad “c:\windows\system32\drivers\etc\hosts”

    Add the following lines to the bottom of the file:

    127.0.0.1 oix.net
    127.0.0.1 oix.com
    127.0.0.1 phorm.com
    127.0.0.1 webwise.net
    127.0.0.1 webwise.com
    127.0.0.1 sysip.net
    127.0.0.1 qkilbdr.net
    127.0.0.1 121media.com
    127.0.0.1 openinternetalliance.com
    127.0.0.1 openinternetalliance.net
    127.0.0.1 youcanoptin.com
    127.0.0.1 youcanoptin.net
    127.0.0.1 youcanoptout.com
    127.0.0.1 youcanoptout.net

    File –> Save

    File –> Exit

    (You may, at first, have to go into the file’s temporary and untick the ‘Read-only’ box).

    (HEY MOD! Have I got the first bit right, this time)?

    2)

    Visit http://www.dephormation.org.uk/ and Download the Dephormation v1.6 Firefox Add On.

    “The Dephormation Add On ensures that your decision to permanently opt out of Phorm profiling cannot be undone in Firefox.

    Optionally, the Add On can also alert you to sites using Phorm/ Webwise/ OIX profile based advertising.

    With each page you view in your browser, a Phorm ‘opt out’ cookie is set automatically, and the Phorm UID cookie is randomised. Even if you delete all your cookies regularly”.

    3)

    Visit http://www.torproject.org/ and install TorBrowser, a Windows Browser Bundle (Containing Tor, Torbutton, Polipo, and Firefox).

  • 12. Richard Clayton  |  April 26th, 2008 at 14:53 UTC

    @fred

    a) your countermeasure using 127.0.0.1 is not recommended by Phorm, will slow down your browsing and BT claim (probably wrongly) will prevent you browsing at all. It’s also rather Windows specific.

    b) your other countermeasures will be more effective, but have little to do with the topic of this article.

  • 13. Pete Austin  |  April 29th, 2008 at 16:11 UTC

    @richard
    At home I use a hosts file that maps literally thousands of domains to 127.0.0.1 with no obvious bad effects. I think it speeds up my browsing. Here’s one example:
    http://www.mvps.org/winhelp2002/hosts.htm

    Phorm are in the ad-serving business, and mapping domains in this way blocks adverts, so it’s not surprising that they would not recommend it.

  • 14. Mel  |  May 1st, 2008 at 14:54 UTC

    @Pete Austin, When you navigate to a website, Phorm’s system will redirect your browser to webwise.net (unless it has already forged a tracking cookie in that website’s domain).

    Webwise.net is also used to ask if you want to opt-in or “opt-out”.

    So if you block webwise.net in the hosts file, when you attempt to visit any website your browser will try to open 127.0.0.1, and report an error.

    See Richard Clayton’s account of how phorm works- The phorm webwise system

    I’m no artist (far from it in fact), but I’ve previously had a stab at drawing a diagram in an attempt to show how webwise works –
    Phorm Webwise Diagram if it is of any help.

    I’m also not convinced that using public proxies as a work around is a good idea. There’s no guarantee the proxy/exit node isn’t using Phorm. In fact one of the forum posts that appeared to have been corrupted with javascript as a result of the early sysip.net tests had “I.PUBLICPROXY” as the ISP variable.

    (my apologies for the O/T post.)

  • 15. John Doe  |  June 30th, 2008 at 09:17 UTC

    I would think the answer here is obvious. No one likes Phorm and the implications for the intrusion into privacy, so if Phorm is an optional service, why doesn’t everyone just deliberately opt out – visit the website webwise.net and select to opt-out.

    I don’t know whether opting out is honoured, I expect that it would be illegal to continue to monitor someone when they have explicitly opted out – perhaps someone can indicate whether phorm does actually stop?

    Perhaps some people might be willing to go ahead, if phorm offered an incentive like for example a share of the profits, since this system is designed to generate revenue, and in many cases is actually costing the subscriber money by further depleting the available volume of data available to capped users. Such money should in my opinion be provided on the basis of the volume of data/cookies injected into a particular “victims” IP address – To cover the cost, the advertisers should then pay not just the normal fees, but to compensate the persons subjected to their advertising.

    I’m kind of curious – since most adverts these days appear in the form of an image or an animated/streamed video with various formats, filtering on URL’s is one method of preventing advertising, since most embedded adverts are pulled from another location, but has anyone given any thought to how to block adverts that are embedded from the same URL as the URL requested? If it is possible to “invisibly” inject cookies, code and other things into a HTML site, what is to stop the ISP/phorm from simply reformatting the Web Page on the fly to embed the adverts directly to hide their origin?

    The use of monitoring browsing habits remotely could in principle make old methods using cookies redundant, so many of the traditional counter-measures would be redundant.

    The only way to counter selective advertising would be to automate random browsing, or design software filters to identify objects containing adverts, for example the image or video and to eliminate these or to opt out where this is possible.

    I also think ISP should be compelled by law to provide a mechanism to opt in and out and to assume by law that a subscriber does not give consent unless they explicitly opt in – i.e. the default is disabled.

  • 16. Martin Allen  |  October 9th, 2009 at 17:22 UTC

    Hi Guys,

    Stumbled across your postings here and I have a question.

    In plain English, Can I and how can I stop this phorm rubbish popping up all the time? I’ve read your postings and for the average simpleton like myself have no idea what you are talking about. Sorry for being so dense.

  • 17. Richard Clayton  |  October 9th, 2009 at 17:59 UTC

    @Martin

    Can I and how can I stop this phorm rubbish popping up all the time?

    Avoid going to Korea… at the present time (Autumn 2009) Phorm’s system is not going to be deployed in the UK. They’ve been testing it with a Korean ISP — but don’t expect to see it in the UK any time soon, if at all.

  • 18. Martin Allen  |  October 9th, 2009 at 18:31 UTC

    Hi Richard,

    Thanks for the quick reply.

    More info please?

    While having my broadband provided by Virgin Media I started to receive various ads for Insurance, Ugg boots, iPhones, shirts from T.M Lewins etc. They appear in my open window bar at the bottom of the screen. When I click to close them they open the tab into full screen mode and then I can close them. I’ve since left Virgin and have a BT line through Sky. According to Wikipedia both Virgin and BT have trialled phorm but offer no way of stopping this from happening.

    Is what I describe the phorm advertising that appears on my screen? I run Windows Defender and Stopzilla to stop pop ups but still get the ads. I’m now unsure whether I have phorm or another problem….any ideas please?

  • 19. Richard Clayton  |  October 9th, 2009 at 19:41 UTC

    @Martin

    While having my broadband provided by Virgin Media I started to receive various ads [..]. They appear in my open window bar at the bottom of the screen.

    Sounds like adware to me: You want to follow the advice, and/or discuss it further on a specialist site:

    http://www.stopbadware.org/home/badware_remove
