<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.83 1.92 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware in Webpages
- GNU Project - Free Software Foundation</title>
<style
<link rel="stylesheet" type="text/css" media="print,screen"><!--
li dl { margin-top: .3em; }
li dl dt { margin: .3em 0; font-weight: normal; font-style: italic; }
li dl dd { margin: 0 3%; }
--></style> href="/side-menu.css" media="screen,print" />
<!--#include virtual="/proprietary/po/malware-webpages.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      src="/graphics/icons/side-menu.png"
      title="Section contents"
      alt=" [Section contents] " />
</a>

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By product /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#if expr="$OUTDATED_SINCE" --><!--#else -->
<!--#if expr="$LANGUAGE_SUFFIX" -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="no" -->
<!--#include virtual="/server/top-addendum.html" -->
<!--#endif -->
<!--#endif -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware in Webpages</h2>

<p><a href="/proprietary/proprietary.html">Other examples of proprietary
    malware</a></p>

<div class="highlight-para">
  <p>
    <em>Malware</em> means class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software designed is very often malware (designed to function in ways that
mistreat or harm the user.  (This does not include accidental errors.)
  </p>
  
  <p>
    Malware and nonfree software are two different issues.  The difference
    between <a href="/philosophy/free-sw.html">free software</a> and
    nonfree user). Nonfree software is controlled by its developers,
which puts them in
    <a href="/philosophy/free-software-even-more-important.html">
      whether the users have control of the program or vice versa</a>.  It's
    not directly a question position of what power over the program <em>does</em> when it
    runs.  However, in practice nonfree software users; <a
href="/philosophy/free-software-even-more-important.html">that is often malware, because the developer's awareness
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users would be powerless they ought to fix any
    malicious functionalities tempts serve.</p>

<p>This typically takes the developer to impose some.
  </p> form of malicious functionalities.</p>
<hr class="full-width" />
</div>

<div class="article">
<div class="italic">
<p>This page lists web sites containing proprietary JavaScript programs that spy
on users or mislead them. They make use of what we call
the <a href="/philosophy/javascript-trap.html">JavaScript Trap</a>. Of course,
many sites collect information that the user sends, via forms or otherwise, but
here we're not talking about that.</p>

<ul>
  <li>
</div>

<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<div class="column-limit" id="malware-webpages"></div>

<ul class="blurbs">
  <li id="M201811270">
    <p>Many web sites use JavaScript code <a
    href="http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081">
    to snoop on information that users have typed into a
    form but not sent</a>.
    </p> sent</a>, in order to learn their identity. Some are <a
    href="https://www.manatt.com/Insights/Newsletters/Advertising-Law/Sites-Illegally-Tracked-Consumers-New-Suits-Allege">
    getting sued</a> for this.</p>

    <p>The chat facilities of some customer services use the same sort of
    malware to <a
    href="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119">
    read what the user is typing before it is posted</a>.</p>
  </li>

  <li id="M201807190">
    <p>British Airways used <a
    href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
    JavaScript on its web site to give other companies personal data on
    its customers</a>.</p>
  </li>

  <li id="M201805170">
    <p>The Storyful program <a
    href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
    on the reporters that use it</a>.</p>
  </li>

  <li id="M201805080">
    <p>A cracker used an exploit in outdated software to <a
    href="https://www.pcmag.com/news/360968/400-websites-secretly-served-cryptocurrency-miners-to-visito">
    inject a “miner” in web pages</a> served to visitors. This
    type of malware hijacks the computer's processor to mine a
    cryptocurrency.</p>

    <p><small>(Note that the article refers to the infected software
    as “content management system”. A better term would be
    “<a href="/philosophy/words-to-avoid.html#Content">website
    revision system</a>”.)</small></p>

    <p>Since the miner was a nonfree JavaScript program,
    visitors wouldn't have been affected if they had used <a
    href="/software/librejs/index.html">LibreJS</a>. Some
    browser extensions that <a
    href="https://www.cnet.com/how-to/how-to-stop-sites-from-using-your-cpu-to-mine-coins/">
    specifically block JavaScript miners</a> are also available.</p>
  </li>

  <li id="M201712300">
    <p>Some JavaScript malware <a
    href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research">
    swipes usernames from browser-based password managers</a>.</p>
  </li>

  <li id="M201711150">
    <p>Some websites send
    JavaScript code to collect all the user's input, <a
    href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which
    can then be used to reproduce the whole session</a>.</p>

    <p>If you use LibreJS, it will block that malicious JavaScript
    code.</p>
  </li>

  <li id="M201701060">
    <p>When a page uses Disqus
    for comments, the proprietary Disqus software <a
    href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">loads
    a Facebook software package into the browser of every anonymous visitor
    to the page, and makes the page's URL available to Facebook</a>.</p>
  </li>
  <li>

  <li id="M201612064">
    <p>Online sales, with tracking and surveillance of customers, <a
    href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables
    businesses to show different people different prices</a>. Most of
    the tracking is done by recording interactions with servers, but
    proprietary software contributes.</p>
  </li>

  <li id="M201611160.1">
    <p>A <a
    href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
    research paper</a> that investigated the privacy and security of
    283 Android VPN apps concluded that “in spite of the promises
    for privacy, security, and anonymity given by the majority of VPN
    apps—millions of users may be unawarely subject to poor security
    guarantees and abusive practices inflicted by VPN apps.”</p>
    <p>Following is a non-exhaustive list

    <p>Here are two examples, taken from the research paper, of some 
    proprietary VPN apps from the
      research paper that tracks use JavaScript to track users and infringes infringe
    their privacy:</p>
    <dl>

    <dl class="compact">
      <dt>VPN Services HotspotShield</dt>
      <dd>Injects JavaScript code into the HTML pages returned to the
      users. The stated purpose of the JS injection is to display ads. Uses
      roughly five tracking libraries. Also, it redirects the user's
      traffic through valueclick.com (an advertising website).</dd>

      <dt>WiFi Protector VPN</dt>
      <dd>Injects JavaScript code into HTML pages, and also uses roughly
      five tracking libraries. Developers of this app have confirmed that
      the non-premium version of the app does JavaScript injection for
      tracking the user and displaying ads.</dd>
    </dl>
  </li>
  <li>

  <li id="M201603080">
    <p>E-books can contain JavaScript code, and <a
    href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">
    sometimes this code snoops on readers</a>.</p>
  </li>
</ul>

</div><!--

  <li id="M201310110">
    <p>Flash and JavaScript are used for id="content", starts in <a
    href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
    “fingerprinting” devices</a> to identify users.</p>
  </li>

  <li id="M201210240">
    <p>Many web sites rat their visitors to advertising
    networks that track users.  Of the include above top 1000 web sites, <a
    href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/">84%
    (as of 5/17/2012) fed their visitors third-party cookies, allowing
    other sites to track them</a>.</p>
  </li>

  <li id="M201208210">
    <p>Many web sites report all their visitors
    to Google by using the Google Analytics service, which <a
    href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
    tells Google the IP address and the page that was visited</a>.</p>
  </li>

  <li id="M201200000">
    <p>Many web sites try to collect users' address books (the user's list
    of other people's phone numbers or email addresses).  This violates
    the privacy of those other people.</p>
  </li>

  <li id="M201110040">
    <p>Pages that contain “Like” buttons <a
    href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
    enable Facebook to track visitors to those pages</a>—even users
    that don't have Facebook accounts.</p>
  </li>

  <li id="M201003010">
    <p>Flash Player's <a
    href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/">
    cookie feature helps web sites track visitors</a>.</p>
  </li>
</ul>
</div>

</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and submitting contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and submitting contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2017 2017-2020 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by-nd/4.0/">Creative
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution-NoDerivatives Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2020/06/24 05:37:10 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>