MyBlogLog Tracks Your Visitors' Ad Clicks

I know we said we’d never mention MyBlogLog again, but that was before this discovery.

Maybe all the recent MBL exploits didn’t bother you. Maybe they seemed trivial. I don’t think people should feel the same way about this one. This isn’t even an exploit, but something that MBL is actively doing with their blog widget. If you’re not interested in the long technical version, skip to the bottom.

The first thing that happens when the browser loads the MyBlogLog JavaScript is the loading of another JavaScript file.

document.write('<scr'+'ipt language="javascript" src="http://track3.mybloglog.com/js/jsserv.php?mblID=2006112922074849"></scr'+'ipt>');

I started looking at this code, and I noticed something odd. Why were the URLs of Google AdSense and YPN servers in the code? This is the piece that caught my attention. Notice that it’s ripped from a Mint plug-in that tracks ad click stats.

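//start IFrame ad tracking
//from http://www.digitalmediaminute.com/article/1715/adsense-click-pepper
var m_px=0,m_py=0,m_as_frms=new Array(),is_ie=document.all?true:false;
function m_as_init() {
  // Collect every iframe on the page and pick out the ad frames
  var ad=document.getElementsByTagName('iframe');
  // The loop header and the AdSense test were lost between "<" and ">" in this excerpt;
  // they are restored here to mirror the YPN branch below
  for(var i=0;i<ad.length;i++){
    if(ad[i].src.indexOf('pagead2.googlesyndication.com') > -1){
      m_as_frms[m_as_frms.length]=new Array(ad[i], 'http://pagead2.googlesyndication.com', 'Google AdSense');
      if(is_ie){ad[i].onfocus=m_trk_as;}
    } else if(ad[i].src.indexOf('ypn-js.overture.com') > -1) {
      m_as_frms[m_as_frms.length]=new Array(ad[i], 'http://ypn-js.overture.com', 'Yahoo! Publisher Network');
      if(is_ie){ad[i].onfocus=m_trk_as;}
    } else {}
  }
  // The excerpt ends here; m_trk_as is defined elsewhere in the MBL script
}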

Upon further investigation, it looked like MBL was tracking clicks and reporting them back. But this couldn’t be possible. So I made a test page. On it, I placed the MBL widget, an AdSense block, and a link.

I loaded up the page, turned ieHTTPHeaders on, and clicked my external link. This is what I found at the top of my header log:

GET /tr/urltrk.php?t=2&u=http%3A//www.alnk.org/mybloglogsucks&te=will%20mybloglog%20track%20this%20link%3F&i=2006090110210818&now=1172264766637&d=20070223&db=&v=N2007022315034055 HTTP/1.1
Accept: */*
Referer: http://www.dellanave.com/test.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Alexa Toolbar)
Host: track2.mybloglog.com

OK, so they’re tracking external links. Well, this kinda makes sense, as they try to build a picture of who is browsing whose communities. What about if I click the AdSense ad though?

GET /tr/urltrk.php?t=2&u=http%3A//pagead2.googlesyndication.com%23160x600&te=Google%20AdSense%20%28160x600%29&i=2006090110210818&now=1172264934262&d=20070223&db=&v=N2007022315034055 HTTP/1.1
Accept: */*
Referer: http://www.dellanave.com/test.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Alexa Toolbar)
Host: track2.mybloglog.com
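The two captures above can be decoded mechanically to see exactly what each beacon reports and whether it names an ad network. This is an added example, not code from the original post or from MyBlogLog; decodeBeacon and the field names it returns are hypothetical, and reading the now parameter as epoch milliseconds is an assumption (it agrees with d=20070223).

```javascript
// Ad-network hosts named in the MyBlogLog script excerpt in this post.
const AD_HOSTS = ['pagead2.googlesyndication.com', 'ypn-js.overture.com'];

// Request lines from the two header captures in this post (line wraps removed).
const CAPTURED = [
  'GET /tr/urltrk.php?t=2&u=http%3A//www.alnk.org/mybloglogsucks&te=will%20mybloglog%20track%20this%20link%3F&i=2006090110210818&now=1172264766637&d=20070223&db=&v=N2007022315034055 HTTP/1.1',
  'GET /tr/urltrk.php?t=2&u=http%3A//pagead2.googlesyndication.com%23160x600&te=Google%20AdSense%20%28160x600%29&i=2006090110210818&now=1172264934262&d=20070223&db=&v=N2007022315034055 HTTP/1.1',
];

// Decode one logged request line into the fields the beacon carries.
// Returns null for anything that is not a urltrk.php request.
function decodeBeacon(requestLine, host = 'track2.mybloglog.com') {
  const m = /^GET\s+(\S+)\s+HTTP\/\d\.\d$/.exec(requestLine.trim());
  if (!m) return null;
  const url = new URL(m[1], `http://${host}`);
  if (!url.pathname.endsWith('/urltrk.php')) return null;

  const q = url.searchParams;            // percent-decoding happens here
  const target = q.get('u') || '';
  let targetHost = '';
  let slot = '';
  try {
    const t = new URL(target);
    targetHost = t.hostname;
    slot = t.hash.replace(/^#/, '');     // e.g. the ad size after "#"
  } catch (err) {
    // "u" was not an absolute URL; keep the raw string only
  }

  // Assumption: "now" is the browser clock in epoch milliseconds.
  const now = Number(q.get('now'));
  return {
    target,
    targetHost,
    slot,
    label: q.get('te') || '',
    isAdClick: AD_HOSTS.includes(targetHost),
    clickedAt: Number.isFinite(now) && now > 0 ? new Date(now).toISOString() : null,
    raw: Object.fromEntries(q),          // fields the post does not explain (t, i, d, db, v), verbatim
  };
}

for (const line of CAPTURED) {
  console.log(decodeBeacon(line));
}
```

The same function can be run over a proxy or header log to list every page on which the widget reports an ad click.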

The bottom line is that MyBlogLog is tracking AdSense and YPN clicks too. (Update: They do show you ad clicks in MBL Pro. Not having Pro does NOT stop the tracking from loading.) Who else gets this data? I don’t know about you, but I’d rather keep my ad click stats to myself. So in your own words, Eric, “On what planet is that not a bannable offense?”

There’s more as always, but I think this is enough for one day (or year). I think I’ve assured I’ll never be hired by Yahoo!

Here’s a link to the javascript for when they pull it or change it:

MyBlogLog Tracking Javascript

MyBlogLog Ad Tracking Video