Pornhub Bypasses Web Socket Ad Blockers

An engineer from BugReplay found a great way to demonstrate how his screencast service works with recording network traffic and showing errors, including WebSockets and JavaScript. He recorded a Pornhub download screencast showing a traffic log that is synchronized with the video. So, in this demo you can clearly see how Pornhub bypasses ad blockers and pushes ads using web sockets.

Pornhub works very competently. When you visit the site, it checks for a blocker. If this is found, the site opens a new WebSocket connection, which acts as a backup advertising delivery mechanism .

On a screencast with a network logYou can see many requests blocked by uBlock Origin. They are marked as Failed in network traffic.

http://cdn1b.static.pornhub.phncdn.com/www-static/js/ph-tracking.js?cache=2016102525
GET Failed
https://media.trafficjunky.net/js/holiday-promo.js
GET Failed
http://www.google-analytics.com/analytics.js
GET Failed
http://ss.phncdn.com/iframe-1.1.3.html
GET Failed
http://ss.phncdn.com/iframe-1.1.3.html
GET Failed
http://engine.phn.doublepimp.com/Tag.engine?time=240&id=7129f320-ce21-4b40-9d7e-37b1df8cf8f0&rand=25334&ver=async&referrerUrl=&fingerPrint=123&abr=false&stdTime=-300&fpe=3&bw=1262&bh=636&res=1280x800
GET Failed
http://electosake.com/240/7129f320-ce21-4b40-9d7e-37b1df8cf8f0/82615/asynch/null/123/null/true/-300/3/1262/636/Tag.a1b
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=connectTime&action=other&label=&value=116
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=ttfb&action=other&label=&value=799
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=redirectTime&action=other&label=&value=0
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=domInteractive&action=other&label=&value=1659
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=domComplete&action=other&label=&value=1829
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=domContentLoadedEventEnd&action=other&label=&value=1710
GET Failed
https://www.etahub.com/trackn?app_id=971&product_name=2&category=loadEventEnd&action=other&label=&value=1850
GET Failed

When you click on a request, details are displayed. The reason for blocking: net::ERR_BLOCKED_BY_CLIENT. This error occurs when the ad blocker in the browser blocks some Ajax calls (at least in Chrome, this works just the same).

Immediately after reporting an error in the log, we see a request for the creation of a web socket and frames , to which a positive answer was received.

ws://ws.adspayformy.site./nsoj
webSocketCreate
ws://ws.adspayformy.site./nsoj
webSocketFrameSent
ws://ws.adspayformy.site./nsoj
webSocketFrameReceived

As if apologizing to users, Pornhub uses the domain adspayformy.site to create a web socket. The joke is clearly aimed at those who use ad blockers.

After loading the web socket, a frame is created where the encoded JSON content is loaded for each place on the page where the banner should be.

{
"zone_id": 32,
"link": "http://cp.pleasedontslaymy.download/_z/eyJj...In19",
"media_type": "image",
"media_encoding": 0,
"img_data": "/9j/4QA.....Wh+n//2Q==",
"img_type": "image/jpeg"
}

In this case, zone_id32 is indicated, which indicates the place for the introduction of advertising. Usually a video is inserted there, but in this example it is a graphic banner, which is indicated in media_type. Content is encoded in base64 and restored in the browser in accordance with the data: URL (or data: URI) scheme, which is supported by almost all modern browsers. On and then data marked as is passed to this circuit image/jpeg.

Ad blockers usually track web sockets, so encoding data in base64 is also a smart move.

Of course, after discovering the dirty methods of Pornhub, music will not play for a long time. Already on October 25, one of the developers in the Chromium community under the nickname pkalinnikov proposed a patch, through which the browser will be able to block web sockets through the webRequest API . If the patch is accepted, then ad blockers will be able to calmly implement the normal way to block such hacks in Chrome, but the owners of Pornhub will have to look for new tricks in the eternal struggle with blockers, which will never stop .

After the publication of the publication from the developer BugReplay, it turned out that some ad blockers learned to block web sockets like the ones used by Pornhub. At least the web socket will no longer crawl through uBlock Origin (the corresponding ticket ) and AdBlock Plus ( ticket ). But the AdBlock blocker and some others have not yet been updated.

The story of the “bug” Chrome webRequest API, which does not allow to intercept WebSocket requests ( ticket 129353 ) is very interesting. This ticket was opened in May 2012. And still remains open. The discussion went on for a very long time. Users complained in the discussion that because of the inability to block web sockets, websites can be relatively simple to bypass ad blockers. After all, if the blocker does not monitor web sockets through standard APIs, then to block such advertising you need to look for very difficult workarounds. At first it was a purely theoretical problem. It seems that in 2012 no site used such methods of bypassing ad blockers, and blockers themselves were not as popular at that time as they are now.

The situation changed in 2015 and 2016. Now Pornhub is not the only site that has come up with such a hack. What is most interesting, one of the developers spoke in the discussion of the ticket in Chromium in August 2016 . He convincingly explained that ad blockers are trying to rewrite the contents of web sockets - and this really threatens the safety of users, because it breaks the basic functionality of Javascript. That is, implementing this patch means sacrificing security. Everything would be fine, but this developer routeh ... @ gmail.comworks at MindGeek, which owns both Pornhub and the By Traffic Junky ad network, which delivers ads there. By the way, similar tricks to bypass ad blockers work not only on Pornhub, but also on other MindGeek websites.

It seems that fairly advanced programmers work in porn companies. As is known from history, it was the porn industry that often moved technological progress forward. It turns out, and now they are in some ways ahead of everyone else. At least in the most innovative methods of bypassing ad blockers. True, in the same discussion in the Chomium tracker it was reported that some other ad networks use the trick with web sockets, a certain network called RevDefender was mentioned.

Good luck to comrade pkalinnikovso that its patch is accepted into the Chromium code base. Apparently, this is one of the leading developers of Chromium, so we rely on its credibility.