Monday, February 21, 2005 |
Tech Rant: The Undead Popup Ad
Chagrined
After spending column space Thursday raving about Firefox, I now have to be a little chagrined, because just after I wrote that, I started getting barraged by more popup ads. Wuzza? Turns out the sneaky popup advertisers have struck again, and have started taking advantage of certain loopholes. Slashdot caught hold of this yesterday; there appear to be two main issues that I'll discuss in the next section. Non-geeks can safely skip ahead without harm; I'll get to the actual fixing of things in a bit.The Two Vulnerabilities
First, a little background on how popups and popunders work. Most of the time, these are simply requests run with a given page's onload event, attached to the body. Early popup blocking technology, therefore, focused primarily on that interaction, and it was generally successful. However, some requests to create new external windows are legitimate, and so blocking popups wasn't quite as straightforward. In general, the modern popup/under blocking strategy is to deny popups except in cases where the user has specifically clicked something.This, too, has its problems. Consider this Javascript, kindly provided in the aforementioned Slashdot thread. (You can see this in action here.)
The other issue -- and a far more pernicious one -- seems to be Javascript DOM crawling. The DOM -- the Document Object Model -- describes how the guts of a webpage are supposed to be rendered. Internal to that are the events that can cause popups and popunders. Even if a link doesn't have an onclick event attached to it, a DOM crawler can create one and execute it when you link out -- thereby bypassing popup blocking. (Thanks to this link for the info.)<html> <head> <title>Test Page</title> <script type="text/javascript"> function goLink(t1, t2){ window.open(t1, "pop1", "name=a1,width=400,height=400,left=10,top=10"); window.open(t1, "pop2", "name=a2,width=400,height=400,left=40,top=40"); window.open(t1, "pop3", "name=a3,width=400,height=400,left=70,top=70"); window.open(t1, "pop4", "name=a4,width=400,height=400,left=100,top=100"); window.open(t1, "pop5", "name=a5,width=400,height=400,left=130,top=130"); window.location = t2; } </script> </head> <body> <A HREF="javascript:goLink('http://www.google.com', 'http://www.google.com')">Go To Google.com</A> </body> </html>
Of course, another cause of popups/unders is spyware; for that you need to use AdAware, but if you've already got malware on your machine, you may have to do what I ended up doing and reinstall Windows -- or better still, ditch your Microsoft desktop and go to Linux.
Needless to say, this sudden burst of success has gotten the advertisers going all Pavlovian again. Paypop, one of the earliest agencies to discover DOM crawling, has this to say on their FAQ page:
Q. I am also tracking the stats myself, why there is count discrepancy?They're out there, they're selling it, and they're mean. (Thanks to this Mozillazine thread for that link.) They know they're being antisocial jerks, they don't care, and they want to make money by annoying you. How rotten is that?
A. Generally, there are some factors that may affect the counting: 1. Internet surfer's connection speed. 2. How the publisher setup their codes. 3. Network issues 4. Pop killer/blocker for popunders. However, popunder's count discrepancy is usually about 15%-35% (due to pop blockers, we have already by passed windows SP2, google toolbar,MSN and norton internet security,Gecko/Firefox,Netscape,Opera), in-page banner is about 5%-10%, and popin banner/interstitial is about 7-15%. If you are seeing a count discrepancy greater than 25%, please contact our publisher support immediately because that is un-normal....
Q. Can your popunder code by pass pop blockers?
A. Yes, our system is capable of bypassing SP2 and most of the pop-up blocker out there. However there are still some new pop-up blockers that we may not recognize, please inform us those pop-up blockers so we can improve our system.
What To Do?
So at this moment, the bottom line is that Firefox's anti-popup blocking tech is a little behind the times. I don't expect it to stay that way for long; if anything, Firefox is much more user-driven than IE. Until DOM crawling can be shut down, here's some things you can do:- Use Adblock to prohibit loading of Javascript from known popunder sellers. You can build a list of these on an ad-hoc basis (i.e., as you find offenders), or you can rely on other peoples' lists. Here's one at process-of-elimination.net; and another at geocities.net. This can be a lot of work, though, and while it works for me (this is for now how I've chosen to deal with popups), like spam, it's obviously puts you in the position of fighting a war of attrition with people with a commercial motivation. Question: do you have more or less spam in your inbox than five years ago? I thought so.
- Use Firefox prefs to eliminate non-whitelisted popup events. In the Slashdot thread mentioned above, this user provides a method to do this:
1) Type about:config in the URL bar
Of course, this means non-malicious popups will get axed, too, but it will defeat the bad guys.
2) find dom.popup_allowed_events
3) change the value to the empty stringNow no events allow popups by default. That means if you want to let a site pop up a window from Javascript you will have to whitelist it.
- Use AdAware to lose malware. As mentioned above, a lot of popups come from malware such as Claria's Gator, which take over your PC by using sneaky shrinkwrap licenses and tricky installation dialogues. That Claria has had to change their name (they used to be called Gator) and sued PC Pitstop to get them to stop calling their "product" spyware should tell you just how low these guys are. (Disclosure: my employer at one time took legal action against then-Gator because of their activities against our site, which included redirecting users to our online competition.) Of course, ditching Microsoft wholesale and running Linux can also get rid of all malware.
Labels: tech
Newer› ‹Older
Post a Comment
Note: Only a member of this blog may post a comment.