Now can any site find out the address of your page on VK?

    I came across a service that allows you to place a js-code on your website that determines the visitor’s ID without authorization. The user is completely unaware of this, because ID determination occurs when loading any page of the site without any questions about authorization.

    This opens up great opportunities for marketing, but does not fit into my ideas about the safe transfer of personal data.

    Those. for example, let's say you brought you to some kind of porn site, and after half a minute in contact the bot writes to you in the LAN or on the wall an offer to purchase the product or service recommended to you in accordance with the sections that you visited on the site, or in accordance with search queries through which you came to this site.

    After installing this spy script, any site will know almost everything about its visitors, in the flesh to the phone number, if it is specified. It is clear that users themselves are responsible for what data they post to the public, but going to a third-party site I do not give consent to the processing of my personal data.

    The creators of the service claim: “The service does not carry out any hacking or other illegal actions. We identify the incoming person and accumulate open information. ” But I consider the fact of identification illegal. Correct me if I'm wrong.

    VKontakte retargeting works in a similar way, but it does not give access to profiles that fall into the retargeting group.

    Maybe there is someone among the web security experts who will be able to cover this topic in detail?



    The link to the service itself is not difficult to find. The question is different: how did this even become possible on such a scale?

    I dig into the code, but understood little. Some kind of xss magic with frames.

    UPD
    Uses an invisible authorization widget

    Also popular now: