Browser hijackings upset security pundits

Web surfers are struggling for control of their home page settings, fighting off tactics by Net businesses and online marketers aimed at commandeering first rights to consumers' browsers.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Stefanie Olsen
6 min read
Web surfers are in a tug-of-war for control of their home page settings, fighting off increasingly aggressive tactics by Net businesses and online marketers aimed at commandeering first rights to consumers' browsers.

Unsuspecting consumers who install software, open attachments or merely visit certain Web sites can find themselves tethered to an unwanted start page every time they log on to the Net. Security experts say the practice is on the rise, but few people are technically savvy enough to understand what's actually going on when browser settings are switched.

"This is crossing the line when you start messing with people's home page preferences. At minimum, it's pretty rude," said Richard Smith, chief technology officer at the Privacy Foundation.

Pressed by tightening competition and a slowdown in online advertising dollars, some Web companies are stepping up efforts to boost traffic figures by any means necessary. Tactics pioneered in the online porn industry, such as launching pop-up windows and disabling a browser's "back" button, are finding increasing favor among mainstream sites.

While Web surfers may find such come-ons annoying, few are as intrusive as the practice of home page hijacking.

Not all home page switches are controversial. Installing new browser software or signing up with a new Internet service provider frequently triggers such changes without causing much of a fuss. More recently, however, companies have begun tinkering with browser settings in unexpected ways, angering surprised end users.

Just this week, for example, United Parcel Service apologized to some 200,000 customers over software provided by the delivery giant that took the liberty of switching home page settings to the UPS Web site.

Hacker techniques exploited
That's just the tip of the iceberg, according to security experts, who say they are turning up even more troubling examples of how settings can be quietly tweaked.

"We're now seeing Internet marketing companies using the same techniques that hackers use...to try to get more traffic," Smith said.

In one example turned up late last year, security company F-Secure reported a Web site apparently took advantage of a vulnerability in Internet Explorer 5.0 to cause people's home page preferences to be reset. F-Secure said the site appeared to use a Trojan virus dubbed "seeker" to drop a file in a person's Windows start-up folder when someone visited an adult site.

The operators of the site could not immediately be reached for comment. The company reportedly discontinued the practice after it became known.

Microsoft issued a security patch for the bug, dubbed "scriplet/Eyedog," in mid-1999, but the exploit hasn't gone away.

Just this week, online entertainment Web site PassThisOn.com acknowledged it had knocked out the home page preferences of some consumers over an unspecified period using the same bug.

PassThisOn co-founder Sanford Wallace, who won Internet fame in a previous career as the self-professed "King of Spam," acknowledged use of the bug. However, he said it was unintentional and that he fixed the code himself after learning of it.

Although the problem was corrected, it demonstrates how easy it is for Web sites to override a person's preferred home page--and the difficulty in restoring the original page.

According to Wallace, the home page switches were caused by a test he was conducting to garner more site traffic without redirecting Web surfers away from their original home pages.

"We were experimenting with a script that would not change your home page, but redirect your home page through our servers to your intended home page," he said. The test was an attempt to determine, "if we have them go through our server, would it change our traffic metrics?"

Security experts, who contacted CNET News.com with details of the bug this week, responded that the explanation was troubling because by routing pages through its servers, PassThisOn could potentially monitor individuals' surfing habits.

"If you allow the page to completely load, it's saving a file to your start-up folder," said Brian High, a network administrator at a scientific lab in Portland, Ore., and one of a handful of computer specialists who investigated the code at PassThisOn. "That script is executed the next time you reboot your machine and it changes the Internet Explorer start page" to PassThisOn.

"Before (Thursday), this all happened without the users' consent."

Software specialists said the exploit was functioning Wednesday under a file called "music.js," but by Thursday it had apparently been turned off.

Specifically, the file contained about 1.6K of data Wednesday night, software analysts say, but by Thursday it held only 1 byte of information. "It looks like they turned it off," High said.

When the code is written to a person's machine with or without consent, security experts say it resembles a Trojan horse virus. With consent, it is still questionable because instructions aren't given to get rid of the code--which continually resets the person's home page to PassThisOn's chosen address once a computer is rebooted even if the person has changed his or her start page preferences. Security experts say the only way to undo it is to remove the "reg.hta" file in the start-up folder.

Building traffic
PassThisOn is a highly visited viral marketing site that encourages visitors to pass on jokes and silly pictures. The company asks consumers via reoccurring pop-up windows whether they want to change their home page, a question that is always posed with a more enticing offer, such as "Do you like freebies?" or "Do you want to win something every time you open your browser?"

If consumers agree, they are ushered to PassThisOn or one of its partner sites every time they open their browser--a sure-fire way to build viewership.

Wallace defended the practice, saying the site discloses everything and acts only after it receives permission from Web surfers.

A statement at the bottom of PassThisOn's home page reads: "PassThisOn.com prompts and changes consumers' browser behaviors to offer a better user experience and a more targeted advertiser-to-consumer communication system."

Still, Wallace admitted he had received complaints from "certain users with certain browsers" whose settings were being changed without their consent.

"This was an Internet Explorer hole, but since then we made changes and now nothing like that occurs," he said. "It only happens now with users' permission."

However, critics question whether the opt-in feature adequately discloses enough information about how the user's preferences will be changed and the difficulty in restoring the previous settings.

"The way they've arranged it is that you're not exactly saying yes to change your home page but saying yes to getting all these freebies, so the wording is contradictory. They're playing games here," said Smith. "Is PassThisOn.com going to let users know how to opt out?"

Similar to virus technology
Security experts compared PassThisOn's code to the KakWorm virus, which uses a "known security vulnerability in Outlook Express...that creates a file 'kak.hta' to the Windows Startup directory," according to a description of the virus.

The difference, specialists say, is that PassThisOn's code relies on people sending the code to friends. "It's similar to the KakWorm, but instead of it automatically mailing itself to everyone in your address book, its service is relying on everyone to send the code to their friends," High said.

"It's just expecting users to pass along these cute comics to each other. It's like a spam virus, except that humans are the ones sharing the code," he added.

Adam Lane, a software professional living in Seattle who discovered the code in the last couple of weeks, said that consumers using Windows 98 SE--the last version of Windows 98 before the new Windows Millennium Edition software was released--are using a browser version that is susceptible to the exploit.

Lane downplayed the significance of the home page switch, saying the real danger lies in the browser security hole, which could create the opportunity for more damaging mischief.

"What scares me is not that (Wallace) is changing my home page, but the idea that he's hacking into my machine and placing a file there," Lane said. "He could put anything, including a virus, in there."