vb.org Archive - Administrative and Maintenance Tools - Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care]

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vBulletin 3.7 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=228)

- - Administrative and Maintenance Tools - Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care] (https://vborg.vbsupport.ru/showthread.php?t=189979)

Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care]

This modification will help protect your boards against cookie stuffing scams.

What is Cookie Stuffing
From Wikipedia:

Quote:

Cookie stuffing or cookie dropping is a Blackhat technique used to generate fraudulent affiliate sales. It involves placing an affiliate tracking cookie on a website visitor's computer without their knowledge, which will then generate revenue for the person doing the cookie stuffing. Income is generated when the affected user visits the target affiliate site and either creates an account or makes a purchase, depending on the terms of the affiliate agreement. This not only generates fraudulent affiliate sales, but also has the potential to overwrite legitimate affiliates' cookies, essentially stealing their legitimately earned commissions.

Operators of websites that allow user-generated content, such as forums that allow users to post, should be aware of this technique in order to protect their visitors from this attack. Cookie stuffing can be accomplished with as little as including an image in a forum post.

People can use your boards for this illegitimate practice if you don't protect yourself
There are several techniques for cookie stuffing, one of which works on most vBulletin forums. I'll put the following in code tags so only licensed vB owners can read it.

Code:

A user can add an [img] bbcode in a post and put an 

affiliate page as the URL.  That's all it takes to plant a 

cookie with their affiliate tracking code on the computers 

of everyone who views that post.

If you don't want people doing this, read on.

What this mod does

Code:

This modification inserts some Javascript on each 

thread page when a moderator or admin is viewing 

the thread.  This Javascript counts how many [IMG] 

tags are in each post, and then tries to check if a 

given image is a valid image.  If there is a mismatch, 

it will display a warning message at the top of the 

post alerting the mod/admin to the fact.  There is the 

possibility of false positives if an image takes an 

inordinate amount of time to load.  If you want to 

check for that possibility, there is a "recheck" link in 

the message, whereby you can recheck the images 

in that post.

Installation
Import the product XML file in your Product Manager, then visit the Options group "Cookie Stuffing Detector Options".

After installation, you can check if this is working by creating a post and ....

Code:

including an image with an invalid URL, such as: 

[img]http://example.com/adslkdfaslkjdsfkjldfsakjlsdfakj/[/img]

which should show up as a cookie stuffing attempt.

Future development
I am planning to expand this mod to:

Scan all posts in the database for possible cookie stuffing attempts.
Check posts when the user submits them for cookie stuffing attempts, and reject the post.

Known issues / Caveats

Broken images will cause false positives
This is marked as a 3.7.x mod, because that is what I developed it on and what I use it on. It has a good chance of working on 3.6.x as well, but I haven't tested that.
All admins and mods (even when viewing a forum they are not a mod in) will see the message in a post if it is a possible cookie stuffing attempt. This is by design.

Tested in... (on Windows XP)

Firefox 3
Internet Explorer 7
Opera 9.5
Safari 3
Google Chrome?!

awesome stuff.

I heard about the cookie stuffing issues at DP and ebay.

Good to see, there is a way to protect ourselves!

thanks a bunch.

This only works on bbcode that has a non image as image.
But you can use any image remotely hosted in the img tag and that img can be forced to be executed as a php file.

The remote image is actually php code that sets a cookie with the affiliate code, and then sets the mime via header and returns a real image.

example: http://floris.vbulletin.com/stuff/vborgtest.jpg

The img above is http://floris.vbulletin.com/stuff/vborgtest.jpg[/img] which is actually a php file that sets a cookie for floris.vbcom with user 'vborgtest'

hence: stuffing.

This plugin doesn't seem to check for real cookie stuffing, unless I am mistaken?

Right, except that's not really what we're talking about since there is no monetary gain in that.

Code:

The cookie stuffing we are talking about is for example: Say 

I have a Commission Junction account and am an affiliate 

for eBay.  For me to get paid, I have to send people to 

http://www.ebay.com?affiliateid=12345

When someone visits that URL, an ebay.com cookie is set on 

their machine.  Then if they sign up/ make a purchase etc 

within 60 days then I get a commission.  You can't set an 

ebay.com cookie from floris.vbulletin.com  You could have 

floris.vbulletin.com/stuff/vborgtest.jpg be a php script that 

redirects with a 301 redirect to ebay.com?affiliateid=12345

but then my Javascript would still catch that, since it's not 

a valid image. Cookie stuffing works because even though the 

image isn't valid and isn't displayed, the headers that are 

received get acted upon by the browser, setting a cookie.  

The only two ways of stuffing affiliate cookies is via an 

iframe or via an image that references the target affiliate 

site. These of course can be obfuscated using javascript 

tricks.  The only vulnerability for vBulletin is the [IMG] 

code, assuming that you don't have html turned on.

Thanks..

Installed on 3.7.3 and when I checked "Print debug output" I can't browse to any thread.. IE7 loads the thread then I get a notice can't find the page and I go to 404

I used Google Chrome and its fine and see at the buttom it says
6 of 6 posts on this page checked for cookie stuffing

but why IE stuffed with the setting?

Thanks

so it just can happen if User post an image using [img] tag and that image has url ?!!

Gonna keep an eye on this one :D

Quote:

Originally Posted by Merjawy (Post 1614222)

Installed on 3.7.3 and when I checked "Print debug output" I can't browse to any thread.. IE7 loads the thread then I get a notice can't find the page and I go to 404
I used Google Chrome and its fine and see at the buttom it says
6 of 6 posts on this page checked for cookie stuffing
but why IE stuffed with the setting?

I don't think this mod can cause 404 not found errors and the like. It's just a bit of Javascript added to the page after it loads. I think the source of your problem lies elsewhere.

Quote:

Originally Posted by Mecho (Post 1614264)

so it just can happen if User post an ....

My reply is in [code] tags so that only license holders can see it.

Code:

A user can force cookies on all your visitors by linking 

to their affiliate page using the [img] tags.  No image 

will appear in the post obviously.

Quote:

Originally Posted by ArnyVee (Post 1614296)

Gonna keep an eye on this one :D

ditto :up:

This sounds good, and I'm considering installing it, but one question... wouldn't this flag up vBulletin album images because the image format is something like picture.php?id= or something?

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (5)bbcode_code_printable (4)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01168 seconds Memory Usage 1,750KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (5)bbcode_code_printable (4)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: