Administrative and Maintenance Tools - Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care]


sockwater
09-03-2008, 10:00 PM
This modification will help protect your boards against cookie stuffing scams.


What is Cookie Stuffing
From Wikipedia (http://en.wikipedia.org/wiki/Cookie_stuffing):
Cookie stuffing or cookie dropping is a Blackhat technique used to generate fraudulent affiliate sales. It involves placing an affiliate tracking cookie on a website visitor's computer without their knowledge, which will then generate revenue for the person doing the cookie stuffing. Income is generated when the affected user visits the target affiliate site and either creates an account or makes a purchase, depending on the terms of the affiliate agreement. This not only generates fraudulent affiliate sales, but also has the potential to overwrite legitimate affiliates' cookies, essentially stealing their legitimately earned commissions.

Operators of websites that allow user-generated content, such as forums that allow users to post, should be aware of this technique in order to protect their visitors from this attack. Cookie stuffing can be accomplished with as little as including an image in a forum post.

People can use your boards for this illegitimate practice if you don't protect yourself
There are several techniques for cookie stuffing, one of which works on most vBulletin forums. I'll put the following in code tags so only licensed vB owners can read it.
A user can add an bbcode in a post and put an
affiliate page as the URL. That's all it takes to plant a
cookie with their affiliate tracking code on the computers
of everyone who views that post. If you don't want people doing this, read on.


What this mod does

This modification inserts some Javascript on each
thread page when a moderator or admin is viewing
the thread. This Javascript counts how many [IMG]
tags are in each post, and then tries to check if a
given image is a valid image. If there is a mismatch,
it will display a warning message at the top of the
post alerting the mod/admin to the fact. There is the
possibility of false positives if an image takes an
inordinate amount of time to load. If you want to
check for that possibility, there is a "recheck" link in
the message, whereby you can recheck the images
in that post.

Installation
Import the product XML file in your Product Manager, then visit the Options group "Cookie Stuffing Detector Options".

After installation, you can check if this is working by creating a post and ....
including an image with an invalid URL, such as:
[img]http://example.com/adslkdfaslkjdsfkjldfsakjlsdfakj/[/img]
which should show up as a cookie stuffing attempt.

Future development
I am planning to expand this mod to:
Scan all posts in the database for possible cookie stuffing attempts.
Check posts when the user submits them for cookie stuffing attempts, and reject the post.

Known issues / Caveats
Broken images will cause false positives
This is marked as a 3.7.x mod, because that is what I developed it on and what I use it on. It has a good chance of working on 3.6.x as well, but I haven't tested that.
All admins and mods (even when viewing a forum they are not a mod in) will see the message in a post if it is a possible cookie stuffing attempt. This is by design.

Tested in... (on Windows XP)
Firefox 3
Internet Explorer 7
Opera 9.5
Safari 3
Google Chrome?!
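
The check described in the post above, as an added example that is not part of the original post and is not the mod's own code: it extracts each [img] URL from a post, decides from the first bytes of the response whether it is really an image, and keeps slow responses apart as "recheck" so they are not reported as stuffing. The probe records, function names and placeholder hosts are assumptions constructed for the example.

```javascript
// Added example, not the mod's code. A "probe" is a hypothetical record of one
// request for an [img] URL: { finalUrl, head (first bytes), timedOut }.
const IMG_TAG = /\[img\]\s*(https?:\/\/[^\s\[\]]+?)\s*\[\/img\]/gi;

// Leading bytes of the image formats a forum normally displays.
const MAGIC = [
  [0xff, 0xd8, 0xff],                               // JPEG
  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], // PNG
  [0x47, 0x49, 0x46, 0x38],                         // GIF ("GIF8")
];

function looksLikeImage(head) {
  return MAGIC.some(sig => sig.every((b, i) => head[i] === b));
}

function extractImgUrls(bbcode) {
  return [...bbcode.matchAll(IMG_TAG)].map(m => m[1]);
}

// One finding per [img] tag: 'ok', 'recheck' (slow response, possible false
// positive) or 'suspect' (the response is not image data).
function checkPost(bbcode, probes) {
  return extractImgUrls(bbcode).map(url => {
    const p = probes[url];
    if (!p || p.timedOut) return { url, verdict: 'recheck', reason: 'no response yet' };
    if (looksLikeImage(p.head)) return { url, verdict: 'ok', reason: 'image data' };
    const moved = new URL(p.finalUrl).host !== new URL(url).host;
    return { url, verdict: 'suspect',
             reason: moved ? 'redirected to another host, no image' : 'no image data' };
  });
}

// Constructed sample post and probe results (placeholder hosts only).
const samplePost = '[img]http://img.example/cat.png[/img] text ' +
  '[img]http://shop.example/?affiliateid=12345[/img] [img]http://slow.example/a.jpg[/img]';
const sampleProbes = {
  'http://img.example/cat.png': { finalUrl: 'http://img.example/cat.png',
    head: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), timedOut: false },
  'http://shop.example/?affiliateid=12345': { finalUrl: 'http://shop.example/?affiliateid=12345',
    head: Buffer.from('<!DOCTYPE html>'), timedOut: false },
  'http://slow.example/a.jpg': { finalUrl: 'http://slow.example/a.jpg',
    head: Buffer.alloc(0), timedOut: true },
};
console.log(checkPost(samplePost, sampleProbes));
```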

FreshFroot
09-04-2008, 01:36 AM
awesome stuff.

I heard about the cookie stuffing issues at DP and ebay.

Good to see, there is a way to protect ourselves!

thanks a bunch.

Floris
09-04-2008, 02:48 AM
This only works on bbcode that has a non image as image.
But you can use any image remotely hosted in the img tag and that img can be forced to be executed as a php file.

The remote image is actually php code that sets a cookie with the affiliate code, and then sets the mime via header and returns a real image.

example: http://floris.vbulletin.com/stuff/vborgtest.jpg

The img above is [img]http://floris.vbulletin.com/stuff/vborgtest.jpg[/img] which is actually a php file that sets a cookie for floris.vbcom with user 'vborgtest'

hence: stuffing.

This plugin doesn't seem to check for real cookie stuffing, unless I am mistaken?

sockwater
09-04-2008, 03:30 AM
Right, except that's not really what we're talking about since there is no monetary gain in that.


The cookie stuffing we are talking about is for example: Say
I have a Commission Junction account and am an affiliate
for eBay. For me to get paid, I have to send people to
http://www.ebay.com?affiliateid=12345
When someone visits that URL, an ebay.com cookie is set on
their machine. Then if they sign up/ make a purchase etc
within 60 days then I get a commission. You can't set an
ebay.com cookie from floris.vbulletin.com You could have
floris.vbulletin.com/stuff/vborgtest.jpg be a php script that
redirects with a 301 redirect to ebay.com?affiliateid=12345
but then my Javascript would still catch that, since it's not
a valid image. Cookie stuffing works because even though the
image isn't valid and isn't displayed, the headers that are
received get acted upon by the browser, setting a cookie.
The only two ways of stuffing affiliate cookies is via an
iframe or via an image that references the target affiliate
site. These of course can be obfuscated using javascript
tricks. The only vulnerability for vBulletin is the [IMG]
code, assuming that you don't have html turned on.

Merjawy
09-04-2008, 07:57 AM
Thanks..

Installed on 3.7.3 and when I checked "Print debug output" I can't browse to any thread.. IE7 loads the thread then I get a notice can't find the page and I go to 404

I used Google Chrome and it's fine, and I see at the bottom it says
6 of 6 posts on this page checked for cookie stuffing

but why IE stuffed with the setting?

Thanks

Mecho
09-04-2008, 09:40 AM
so it just can happen if User post an image using [img] tag and that image has url ?!!

ArnyVee
09-04-2008, 10:58 AM
Gonna keep an eye on this one :D

sockwater
09-04-2008, 04:24 PM
Installed on 3.7.3 and when I checked "Print debug output" I can't browse to any thread.. IE7 loads the thread then I get a notice can't find the page and I go to 404
I used Google Chrome and it's fine, and I see at the bottom it says
6 of 6 posts on this page checked for cookie stuffing
but why IE stuffed with the setting?
I don't think this mod can cause 404 not found errors and the like. It's just a bit of Javascript added to the page after it loads. I think the source of your problem lies elsewhere.

so it just can happen if User post an ....
My reply is in tags so that only license holders can see it.
[code]
A user can force cookies on all your visitors by linking
to their affiliate page using the [img] tags. No image
will appear in the post obviously.

Brandon Sheley
09-04-2008, 05:15 PM
Gonna keep an eye on this one :D

ditto :up:

cheat-master30
09-04-2008, 08:58 PM
This sounds good, and I'm considering installing it, but one question... wouldn't this flag up vBulletin album images because the image format is something like picture.php?id= or something?

sockwater
09-04-2008, 09:56 PM
... wouldn't this flag up vBulletin album images because the image format is something like picture.php?id= or something?
Nope :)

Merjawy
09-05-2008, 02:25 AM
Well, as soon as I check the second option "Print Debug Output" a pop up says can't find the page and throws me into page can not be displayed. (just like 404)

as soon as I uncheck it, forum goes back to normal

sockwater
09-05-2008, 02:40 AM
Well, as soon as I check the second option "Print Debug Output" a pop up says can't find the page and throws me into page can not be displayed. (just like 404)

as soon as I uncheck it, forum goes back to normal
Can you tell me what the exact message in the popup is? Also, can you copy the page source code for a page that cannot be display and PM it to me or post it here? That will help me get to the bottom of this.

FiMeTi
09-07-2008, 11:29 AM
Great job mate!
I installed this - SECURITY GOES FIRST! :)

cheers

//edit

I posted the Test-Link which you've offered at the top with a [img] tag in my forums,
but I don't get a Warning - just the checked information at the bottom:
1 of 1 posts on this page checked for cookie stuffing.

PossumX
09-07-2008, 02:04 PM
Great concept, and will keep an eye on this one as it progresses.

PossumX <<TAGS>> mod.

AdrianH
09-07-2008, 03:50 PM
Installed this and get the message that "1 post has been checked for cookie stuffing" after posting a false image URL, not that there was an attempt at cookie stuffing.

sockwater
09-08-2008, 01:13 AM
Great job mate!
I installed this - SECURITY GOES FIRST! :)

cheers

//edit

I posted the Test-Link which you've offered at the top with a [img] tag in my forums,
but I don't get a Warning - just the checked information at the bottom:
1 of 1 posts on this page checked for cookie stuffing.

Installed this and get the message that "1 post has been checked for cookie stuffing" after posting a false image URL, not that there was an attempt at cookie stuffing.
What browser are you using?

Alfa1
09-08-2008, 01:28 AM
*subscribes*

AdrianH
09-08-2008, 03:20 AM
What browser are you using?

Opera:
Version: 9.52
Build: 10108
Platform: Win32
System: Windows NT 6.0
Java: Sun Java Runtime Environment version 1.6

also tried it in IE8 and FF3........... same result.

FiMeTi
09-08-2008, 02:27 PM
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

sockwater
09-08-2008, 04:07 PM
@CareyCrew and FiMeTi: So you're getting the message at the very bottom of the page "x of x posts on this page checked for cookie stuffing." But none of the posts on the page are displaying the "Possible cookie stuffing!" warning? Try posting the following code in a post and then reload the thread.
http://example.com/non-existent-file/


I just re-tested in Opera 5.52, Firefox 3.0.1, Safari 3.1.2, and Internet Explorer 7, and the post containing the above code was correctly marked with the "Possible cookie stuffing!" warning.

There is the possibility that you have other mods installed that are conflicting with the Javascript in this modification. Also, depending on how modified your style is, there could be conflicts displaying the warning message.

Please try viewing the thread using the default vBulletin style to see if the message shows up. You can create one by creating a new style and selecting no parent.

FiMeTi
09-10-2008, 06:23 PM
When I make a new Post with the code you provide, I get a totally blank post.
I see nothing, no image, no text and no warning. :)

vBulletin 3.7.3 Patch Level 1 with Default Style.

sockwater
09-10-2008, 07:54 PM
When I make a new Post with the code you provide, I get a totally blank post.
I see nothing, no image, no text and no warning. :)

vBulletin 3.7.3 Patch Level 1 with Default Style.
Do you get a message at the very bottom of the page about how many posts were checked for possible cookie stuffing?

ryancooper
09-10-2008, 08:13 PM
Like the idea but no matter what I do I get no error message. Tried an unmodded style, different browsers... I do get the message on the bottom.

sockwater
09-10-2008, 10:28 PM
Like the idea but no matter what I do I get no error message. Tried an unmodded style, different browsers... I do get the message on the bottom.
One last thing to try would be with all other modifications disabled. Failing that, if you want to give me a user/pass (with mod permissions) for your boards, I could try to debug this.

SVTCobraLTD
09-10-2008, 11:47 PM
Wouldn't this slow down the loading of a thread if the thread was 15 pages of images? Say there were 10 posts on every page, wouldn't it slow it down if that thread happened to be all images posted?

AdrianH
09-11-2008, 04:47 AM
@CareyCrew and FiMeTi: So you're getting the message at the very bottom of the page But none of the posts on the page are displaying the "Possible cookie stuffing!" warning? Try posting the following code in a post and then reload the thread.
http://example.com/non-existent-file/


I just re-tested in Opera 5.52, Firefox 3.0.1, Safari 3.1.2, and Internet Explorer 7, and the post containing the above code was correctly marked with the "Possible cookie stuffing!" warning.

There is the possibility that you have other mods installed that are conflicting with the Javascript in this modification. Also, depending on how modified your style is, there could be conflicts displaying the warning message.

Please try viewing the thread using the default vBulletin style to see if the message shows up. You can create one by creating a new style and selecting no parent.

Nope, turned off all mods but this one, went to a new default style, added your image code to a test post and el zippo, no "stuffing attempt" message anywhere, just the "checked" message.

FiMeTi
09-12-2008, 03:03 PM
same here. ;/
deinstalled for now, but stays on my favorite list ;)

Mrdby
09-14-2008, 06:56 PM
great..but i will wait to install!

soundbarrierpro
09-16-2008, 11:42 AM
How does one do this "cookie stuffing" thing? I've had a couple new members who registered and never came on the board. Is that how it's done?

rolfw1
09-16-2008, 08:09 PM
Nice idea, doesn't work on my 3.7.2 installation with VBSEO, just get the 16 of 16 posts on this page checked for cookie stuffing., but will watch the progress in the thread, uninstalling for the present.

titodj
10-10-2008, 06:48 PM
Mhhh thanks will install later.

rc1320
10-29-2008, 11:41 PM
So in the situation where someone is stuffing users on my site, is this what they are doing????

Code wrapped for members only...
direct referral link code from partner similar to http://rover.ebay.com/rover/1/361-600000-199995-0/1?type=1&campid=54321935265&toolid=10001&customid=

I'm trying to get a better idea of what is being served.

Ohiosweetheart
10-30-2008, 02:16 AM
I tagged this, and look forward to watching its progression.

stevectaylor
11-26-2008, 06:08 AM
We have affiliate adverts of our own on our sites, would this affect those in any way?

Nadeemjp
12-08-2008, 12:00 AM
thanx:)
could u tell when we can have its gold form?:)

bryanb
12-08-2008, 05:34 PM
I'm having the same prob as the others - no alert.

I'll wait this one out patiently. Looking forward to implementing this.

adwade
07-11-2011, 03:13 AM
This is an interesting concept. :cool: I'm unable to find anything else that performs a function similar to this, and there are no plug-ins for browsers I've turned up either. :eek:

I did temporarily install it on my v3.8.6 board and it works after a fashion, but did not correctly detect the actual cookie stuffing code that was given as an example to try. :(

Would be nice if the coder could re-visit this MOD, or if someone else could successfully implement the concept in a similar modification.

Overall, nice try! I'll be following this thread to see if anything ever develops of it.

P.S. Thanxx :up: for the education about Cookie Stuffing, I'd never even heard of it before.