chrispederick.com
Mar
09
Designed For Good, Used For Evil
- User Agent Switcher
- 8 Comments
- 3 years ago
I started noticing recently a few web sites in my referrer logs that mentioned Surf Junky. I had no idea what Surf Junky was so I opened the sites to see what they were talking about and why they were linking to chrispederick.com. It turns out that Surf Junky is a service that pays you to surf the web. It works by popping up advertisements every 30 seconds and you can earn up to 75 cents an hour.
Now 75 cents an hour does not seem like much, but if you use the service 24 hours a day, seven days a week it can total over $500 a month. This, however, would require closing the popup ads every 30 seconds and so people have been looking for ways to scam the system and this is where my site comes in.
My Extensions
Apparently, the Surf Junky popup ads can be blocked using Firefox and because of this Surf Junky now block this browser. However, with my User Agent Switcher extension you can fool them into thinking that you are browsing with Internet Explorer. Combine this with an extension that reloads the page on a regular basis and you have a pretty efficient way of abusing the Surf Junky system.
Let me make it clear that I am not condoning or recommending the use of this technique in any way, but it does raise a couple of interesting points.
Firstly, there has already been an article about the possibility of the Web Developer extension getting me into trouble by "inducing" people to reverse-engineer a website's functionality. If anything the Surf Junky situation appears more serious, as in this case it is directly taking revenue from the company. Is it beyond the realm of possibility that Surf Junky may look not only to take action against the individuals that are trying to abuse their system, but also against the software that is helping those individuals?
Other Extensions
And what about the role that extensions are going to play as Firefox becomes more and more popular. There are already extensions that change specific web sites - such as BetterSearch that "enhances search engines" - as well as extensions that allow the changing of any web site - such as GreaseMonkey that allows "you to add user scripts to any web page to change it's behavior". We have already seen strong opinions - both for and against - about the AutoLink feature in Google's new toolbar. How will companies feel as they hear more and more about extensions that allow everything from the design to the behavior of their web sites to be changed?
Judging by the numbers in my referrer logs it does not take much for people to look for ways to exploit the revenue model of a web site. Of course, this is nothing new as there have always been programs designed to exploit systems, but the ease with which Firefox extensions can be created and the growing popularity of the browser could make unethical extensions easier to both create and distribute.
Honest Extensions
Extensions that are designed purely for "evil" purposes should be simple enough to target and the authors prosecuted, but what about those - such as User Agent Switcher - that are designed for legitimate uses and are then used (possibly in conjunction with other genuine extensions) to exploit a web site? Will we begin to see companies apply legal pressure to the authors of such honest extensions?
Only time will tell...
Update: CNET News.com discusses this topic focusing on the GreaseMonkey extension and the possibility of malicious scripts.
8 Comments
True - as does Opera, which is what the User Agent Switcher was originally based on.
However, the User Agent Switcher is just one of the extensions that make this exploit possible and Opera and Safari (as well as Internet Explorer) just don't have the same ease of adding in extra functionality through extensions that Firefox offers.
Also, Safari only runs on the small number of systems running Mac OS X, whereas Firefox runs on Windows, Mac OS X and Linux giving it a much wider audience.
Scripts that do this kind of thing are very common and very easy to write. Build yourself a website, sign up for any pay to surf affiliate program, write yourself a perl script that crawls the paid links submitting requests with a a list of open proxy IPs, Common User Agents and list of query terms and you have an instant click fraud revenue stream. If you're feeling even more ambitious, get it installed on a couple of million machines via a trojan horse and you're laughing.
'However, the User Agent Switcher is just one of the extensions that make this exploit possible '
I think the use of the term exploit in this case is too negative in its connotations, as well as really lessening what would normally be considered an exploit.
Are those users scamming Surf Junky, or is surf junky scamming them:
http://edge.i-hacked.com/archives/216
You should read that before you start getting worried about them apply legal pressure.
Also it's the same trick can be done in Opera with even less effort than the Firefox version.
I really dont think you should worry about it so much, eat some ice-cream and have an early night! The swither is - and was - obviously designed as a force for 'good' for the benefit of legit users. If Surf Junkey want to exploit Mammon's horney handiwork then they must take responsibility for the holes, get arounds, and basic design floors in their system. As others have mentioned here, if one has a mind to then it is quite easy to abuse the silly 'click-for -cash' systems by any number of means. If it does go pear-shaped then i will be the first to donate to http://www.freechrispederick.com. Keep up the good work.
P.S. Nice shoes!!!
Actually, it is the popup blocking function that is "evil" in the eyes of the greedy. One is built into firefox, so they banned it. Your extention is just a way for some to get around that ban, whether one enables the popup blocking function or not. There are popup blockers available for ie and opera as well. The pay to surf outfits will just have to build their own closed (locked) source browser and try to find users to try it.
The pay to surf outfits are, i presume, scaming the advertisers. Who would pay to advertise to an audience that has such popup fatigue as an ad every 30 seconds would induce?
I hope that tools such as yours, popup blocking, adblock, flash block, bugmenot, and noscript will help steer the internet to be less commercial and more respectful of users.
Feaverish
3 years ago
March 9, 2005
Safari also has a user agent switcher built in (though by default it is in the hidden Debug menu).