<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware in Webpages
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
<!--#include virtual="/proprietary/po/malware-webpages.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      src="/graphics/icons/side-menu.png"
      title="Section contents"
      alt=" [Section contents] " />
</a>

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By product /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware in Webpages</h2>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>

<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>

<div class="article">
<p>This page lists web sites containing proprietary JavaScript programs that spy
on users or mislead them. They make use of what we call
the <a href="/philosophy/javascript-trap.html">JavaScript Trap</a>. Of course,
many sites collect information that the user sends, via forms or otherwise, but
here we're not talking about that.</p>

<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<div class="column-limit" id="malware-webpages"></div>

<ul class="blurbs">
  <li id="M202204280">
    <!--#set var="DATE" value='<small class="date-tag">2022-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The US government <a
    href="https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you">sent
    personal data to Facebook</a> for every college student that applied
    for US government student aid. It justified this as being for a
    “campaign.”</p>

    <p>The data included name, phone number and email address.  This shows
    the agency didn't even make a handwaving attempt to anonymize the
    student.  Not that anonymization usually does much good—but
    the failure to even try shows that the agency was completely blind
    to the issue of respecting students' privacy.</p>
  </li>

  <li id="M202009220">
    <!--#set var="DATE" value='<small class="date-tag">2020-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Markup investigated 80,000 popular web sites and <a
    href="https://themarkup.org/blacklight/2020/09/22/blacklight-tracking-advertisers-digital-privacy-sensitive-websites">
    reports on how much they snoop on users</a>.  Almost 70,000 had
    third-party trackers. 5,000 fingerprinted the browser to identify
    users.  12,000 recorded the user's mouse clicks and movements.</p>
  </li>

  <li id="M201811270">
    <!--#set var="DATE" value='<small class="date-tag">2018-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many web sites use JavaScript code <a
    href="http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081">
    href="https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081">
    to snoop on information that users have typed into a
    form but not sent</a>, in order to learn their identity. Some are <a
    href="https://www.manatt.com/insights/newsletters/advertising-law/sites-illegally-tracked-consumers-new-suits-allege">
    getting sued</a> for this.</p>

    <p>The chat facilities of some customer services use the same sort of
    malware to <a
    href="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119">
    read what the user is typing before it is posted</a>.</p>
  </li>

  <li id="M201807190">
    <!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>British Airways used <a
    href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
    JavaScript on its web site to give other companies personal data on
    its customers</a>.</p>
  </li>

  <li id="M201805170">
    <!--#set var="DATE" value='<small class="date-tag">2018-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Storyful program <a
    href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
    on the reporters that use it</a>.</p>
  </li>

  <li id="M201805080">
    <!--#set var="DATE" value='<small class="date-tag">2018-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A cracker used an exploit in outdated software to <a
    href="https://www.pcmag.com/news/360968/400-websites-secretly-served-cryptocurrency-miners-to-visito">
    href="https://www.pcmag.com/news/400-websites-secretly-served-cryptocurrency-miners-to-visitors">
    inject a “miner” in web pages</a> served to visitors. This
    type of malware hijacks the computer's processor to mine a
    cryptocurrency.</p>

    <p><small>(Note that the article refers to the infected software
    as “content management system”. A better term would be
    “<a href="/philosophy/words-to-avoid.html#Content">website
    revision system</a>”.)</small></p>

    <p>Since the miner was a nonfree JavaScript program,
    visitors wouldn't have been affected if they had used <a
    href="/software/librejs/index.html">LibreJS</a>. Some
    browser extensions that <a
    href="https://www.cnet.com/tech/computing/how-to-stop-sites-from-using-your-cpu-to-mine-coins/">
    specifically block JavaScript miners</a> are also available.</p>
  </li>

  <li id="M201712300">
    <!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some JavaScript malware <a
    href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research">
    swipes usernames from browser-based password managers</a>.</p>
  </li>

  <li id="M201711150">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some websites send
    JavaScript code to collect all the user's input, <a
    href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which
    can then be used to reproduce the whole session</a>.</p>

    <p>If you use LibreJS, it will block that malicious JavaScript
    code.</p>
  </li>

  <li id="M201701060">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>When a page uses Disqus
    for comments, the proprietary Disqus software <a
    href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">loads
    href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook/">loads
    a Facebook software package into the browser of every anonymous visitor
    to the page, and makes the page's URL available to Facebook</a>.</p>
  </li>

  <li id="M201612064">
    <!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Online sales, with tracking and surveillance of customers, <a
    href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables
    businesses to show different people different prices</a>. Most of
    the tracking is done by recording interactions with servers, but
    proprietary software contributes.</p>
  </li>

  <li id="M201611160.1">
    <!--#set var="DATE" value='<small class="date-tag">2016-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A <a
    href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
    href="https://research.csiro.au/isp/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
    research paper</a> that investigated the privacy and security of
    283 Android VPN apps concluded that “in spite of the promises
    for privacy, security, and anonymity given by the majority of VPN
    apps—millions of users may be unawarely subject to poor security
    guarantees and abusive practices inflicted by VPN apps.”</p>

    <p>Here are two examples, taken from the research paper, of 
    proprietary VPN apps that use JavaScript to track users and infringe
    their privacy:</p>

    <dl class="compact">
      <dt>VPN Services HotspotShield</dt>
      <dd>Injects JavaScript code into the HTML pages returned to the
      users. The stated purpose of the JS injection is to display ads. Uses
      roughly five tracking libraries. Also, it redirects the user's
      traffic through valueclick.com (an advertising website).</dd>

      <dt>WiFi Protector VPN</dt>
      <dd>Injects JavaScript code into HTML pages, and also uses roughly
      five tracking libraries. Developers of this app have confirmed that
      the non-premium version of the app does JavaScript injection for
      tracking the user and displaying ads.</dd>
    </dl>
  </li>

  <li id="M201603080">
    <!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>E-books can contain JavaScript code, and <a
    href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">
    href="https://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">
    sometimes this code snoops on readers</a>.</p>
  </li>

  <li id="M201310110">
    <!--#set var="DATE" value='<small class="date-tag">2013-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Flash and JavaScript are used for <a
    href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
    href="https://arstechnica.com/information-technology/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
    “fingerprinting” devices</a> to identify users.</p>
  </li>

  <li id="M201210240">
    <!--#set var="DATE" value='<small class="date-tag">2012-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many web sites rat their visitors to advertising
    networks that track users.  Of the top 1000 web sites, <a
    href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/">84%
    (as of 5/17/2012) fed their visitors third-party cookies, allowing
    other sites to track them</a>.</p>
  </li>

  <li id="M201208210">
    <!--#set var="DATE" value='<small class="date-tag">2012-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many web sites report all their visitors
    to Google by using the Google Analytics service, which <a
    href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
    href="https://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
    tells Google the IP address and the page that was visited</a>.</p>
  </li>

  <li id="M201200000">
    <!--#set var="DATE" value='<small class="date-tag">[2012]</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many web sites try to collect users' address books (the user's list
    of other people's phone numbers or email addresses).  This violates
    the privacy of those other people.</p>
  </li>

  <li id="M201110040">
    <!--#set var="DATE" value='<small class="date-tag">2011-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Pages that contain “Like” buttons <a
    href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
    enable Facebook to track visitors to those pages</a>—even users
    that don't have Facebook accounts.</p>
  </li>

  <li id="M201003010">
    <!--#set var="DATE" value='<small class="date-tag">2010-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Flash Player's <a
    href="https://web.archive.org/web/20200808151607/http://www.imasuper.com/2008/10/09/flash-cookies-the-silent-privacy-killer/">
    cookie feature helps web sites track visitors</a>.</p>
  </li>
</ul>
</div>

</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2017-2021 2017-2022 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2022/08/22 10:03:05 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>