Do Google Ads secretly track Stack Overflow users?
A user by the name greggman has discovered a bug on Stack Overflow’s devtools website. Today, while working on his browser’s devtools website, he noticed the following message:
greggman then raised the query “Why is Stack Overflow trying to start audio?” on the Stack Overflow Meta website, which is intended for bugs, features, and discussion of Stack Overflow for its users. He then found out that the above message appears whenever a particular ad is shown on the website. The ad is from Microsoft via Google.
Later, another user, TylerH, investigated and revealed some intriguing information about the identified bug. He found out that the Google Ad is employing the audio API to collect information from the user’s browser, in an attempt to fingerprint it.
He says that “This isn’t general speculation, I’ve spent the last half hour going through the source code linked above, and it goes to considerable lengths to de-anonymize viewers. Your browser may be blocking this particular API, but it’s not blocking most of the data.”
TylerH claims that this fingerprint tracking of users is definitely not done for legitimate feature detection. He adds that this technique is done in aggregate to generate a user fingerprint, which is included along with the advertising ID while recording analytics for the publisher. This is done to detect the following:
- Users’ system resolution and accessibility settings
- The audio API capabilities supported by the user’s browser
- The mobile browser-specific APIs supported by the user’s browser
TylerH states that this bug can detect many other details about the user without the user’s consent. Hence he issues a warning to all Stack Overflow users to “Use an Ad blocker!”
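The following is an added example, not code from the original post, from TylerH, or from Stack Overflow or Google. It shows one way to observe, from the page side, the first two kinds of access listed above: it instruments the audio constructors and screen properties and logs what touches them. The helper names, the fake window used for the offline run, and the "audio plus screen" heuristic are assumptions.

```javascript
// Standard Web API names for signals the article lists; helper names are illustrative.
const AUDIO_CTORS = ['AudioContext', 'webkitAudioContext', 'OfflineAudioContext'];
const SCREEN_PROPS = new Set(['width', 'height', 'availWidth', 'availHeight', 'colorDepth']);

// Instrument `win` (window in a browser) so each watched access is appended to `log`.
function installFingerprintAudit(win, log = []) {
  const record = (api) => {
    // Keep a few caller frames: in a browser they carry the URL of the calling script.
    const stack = String(new Error().stack).split('\n').slice(2, 6).map((s) => s.trim());
    log.push({ api, time: Date.now(), stack });
  };
  for (const name of AUDIO_CTORS) {
    if (typeof win[name] !== 'function') continue;
    win[name] = new Proxy(win[name], {
      construct(target, args, newTarget) {
        record(name);
        return Reflect.construct(target, args, newTarget);
      },
    });
  }
  if (win.screen) {
    win.screen = new Proxy(win.screen, {
      get(target, prop) {
        if (SCREEN_PROPS.has(prop)) record(`screen.${prop}`);
        // Read against the real object so native getters and methods keep working.
        const value = Reflect.get(target, prop, target);
        return typeof value === 'function' ? value.bind(target) : value;
      },
    });
  }
  return log;
}

// Heuristic (an assumption, not a standard): audio construction together with
// screen reads in one page load is worth a manual look at the recorded stacks.
function summarizeAudit(log) {
  const counts = {};
  for (const { api } of log) counts[api] = (counts[api] || 0) + 1;
  const apis = Object.keys(counts);
  const audio = apis.some((a) => AUDIO_CTORS.includes(a));
  const screen = apis.some((a) => a.startsWith('screen.'));
  return { counts, suspicious: audio && screen };
}

// Constructed stand-in for a browser window so the block also runs under Node.
function makeFakeWindow() {
  class OfflineAudioContext { constructor(ch, len, rate) { this.sampleRate = rate; } }
  return { OfflineAudioContext, screen: { width: 1920, height: 1080, colorDepth: 24 } };
}
```

In a browser, call `installFingerprintAudit(window)` before any ad script loads, then inspect the `stack` entries to see which script URL made each call.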
As both these findings gained momentum on the Stack Overflow Meta website, Nick Craver, the Architecture Lead for Stack Overflow, replied to greggman and TylerH, “Thanks for letting us know about this. We are aware of it. We are not okay with it.”
Craver also mentioned that Stack Overflow has reached out to Google, to obtain their support. He also notified users that “This is not related to ads being tested on the network and is a distinctly separate issue. Programmatic ads are not being tested on Stack Overflow at all.”
Users are annoyed at this response by Craver. Many are not ready to believe that the Architecture Lead for Stack Overflow did not have any idea about this and is now going to work on it.
A user on Hacker News comments that this response from Craver “encapsulates the entire problem with the current state of digital advertising in 1 simple sentence.”
A few users feel that this is not surprising at all, as all websites use ads as tracking mechanisms.
A HN user says that “Audio feature detection isn’t even a novel technique. I’ve seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clicks and I have seen speed-of-interaction checks in mouse movements.”
Another comment reads, “I think ad blocking is a misnomer. What people are trying to do when blocking ads is prevent marketing people from spying on them. And the performance and resource consumption that comes from that.
Personal opinion: Laws are needed to make what advertisers are doing illegal. Advertisers are spying on people to the extent where if the government did it they’d need a warrant.”
Another user, however, thinks that the situation is not that bad, with Stack Overflow at least taking responsibility for this bug.
The user on Hacker News wrote, “Let’s be adults here. This is SO, and I imagine you’ve used and enjoyed the use of their services just like the rest of us. Support them by letting passive ads sit on the edge of the page, and appreciate that they are actually trying to solve this issue.”
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Vincy Davis. Read the original post at: https://hub.packtpub.com/do-google-ads-secretly-track-stack-overflow-users/