<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please do not edit <ul class="blurbs">!
Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware in Webpages
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
<!--#include virtual="/proprietary/po/malware-webpages.translist" -->
<!--#include virtual="/server/banner.html" -->
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware in Webpages</h2>
<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>
<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>
<div class="article">
<p>This page lists web sites containing proprietary JavaScript programs that spy
on users or mislead them. They make use of what we call
the <a href="/philosophy/javascript-trap.html">JavaScript Trap</a>. Of course,
many sites collect information that the user sends, via forms or otherwise, but
here we're not talking about that.</p>
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>
<div class="column-limit" id="malware-webpages"></div>
<ul class="blurbs">
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M202204280">
<!--#set var="DATE" value='<small class="date-tag">2022-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The US government <a
href="https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you">sent
personal data to Facebook</a> for every college student that applied
for US government student aid. It justified this as being for a
“campaign.”</p>
<p>The data included name, phone number and email address. This shows
the agency didn't even make a handwaving attempt to anonymize the
student. Not that anonymization usually does much good—but
the failure to even try shows that the agency was completely blind
to the issue of respecting students' privacy.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M202009220">
<!--#set var="DATE" value='<small class="date-tag">2020-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Markup investigated 80,000 popular web sites and <a
href="https://themarkup.org/blacklight/2020/09/22/blacklight-tracking-advertisers-digital-privacy-sensitive-websites">
reports on how much they snoop on users</a>. Almost 70,000 had
third-party trackers. 5,000 fingerprinted the browser to identify
users. 12,000 recorded the user's mouse clicks and movements.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201811270">
<!--#set var="DATE" value='<small class="date-tag">2018-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many web sites use JavaScript code <a
href="https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081">
to snoop on information that users have typed into a
form but not sent</a>, in order to learn their identity. Some are <a
href="https://www.manatt.com/insights/newsletters/advertising-law/sites-illegally-tracked-consumers-new-suits-allege">
getting sued</a> for this.</p>
<p>The chat facilities of some customer services use the same sort of
malware to <a
href="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119">
read what the user is typing before it is posted</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201807190">
<!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>British Airways used <a
href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
JavaScript on its web site to give other companies personal data on
its customers</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201805170">
<!--#set var="DATE" value='<small class="date-tag">2018-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Verify browser extension by Storyful <a
href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
on the reporters that use it</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201805080">
<!--#set var="DATE" value='<small class="date-tag">2018-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A cracker used an exploit in outdated software to <a
href="https://www.pcmag.com/news/400-websites-secretly-served-cryptocurrency-miners-to-visitors">
inject a “miner” in web pages</a> served to visitors. This
type of malware hijacks the computer's processor to mine a
cryptocurrency.</p>
<p><small>(Note that the article refers to the infected software
as “content management system”. A better term would be
“<a href="/philosophy/words-to-avoid.html#Content">website
revision system</a>”.)</small></p>
<p>Since the miner was a nonfree JavaScript program,
visitors wouldn't have been affected if they had used <a
href="/software/librejs/index.html">LibreJS</a>. Some
browser extensions that <a
href="https://www.cnet.com/tech/computing/how-to-stop-sites-from-using-your-cpu-to-mine-coins/">
specifically block JavaScript miners</a> are also available.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201801260">
<!--#set var="DATE" value='<small class="date-tag">2018-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Google's ad platform enabled advertisers to <a
href="https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/">
run cryptocurrency miner code on the computers of YouTube users through
proprietary JavaScript</a>. Some people noticed this, and the outrage
made Google remove the miners, but the number of affected users was
probably very high.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201712300">
<!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some JavaScript malware <a
href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research">
swipes usernames from browser-based password managers</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201711150">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some websites send
JavaScript code to collect all the user's input, <a
href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which
can then be used to reproduce the whole session</a>.</p>
<p>If you use LibreJS, it will block that malicious JavaScript
code.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201701060">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>When a page uses Disqus
for comments, the proprietary Disqus software <a
href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook/">loads
a Facebook software package into the browser of every anonymous visitor
to the page, and makes the page's URL available to Facebook</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201612064">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Online sales, with tracking and surveillance of customers, <a
href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enable
businesses to show different people different prices</a>. Most of
the tracking is done by recording interactions with servers, but
proprietary software contributes.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201611160.1">
<!--#set var="DATE" value='<small class="date-tag">2016-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A <a
href="https://research.csiro.au/isp/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
research paper</a> that investigated the privacy and security of
283 Android VPN apps concluded that “in spite of the promises
for privacy, security, and anonymity given by the majority of VPN
apps—millions of users may be unawarely subject to poor security
guarantees and abusive practices inflicted by VPN apps.”</p>
<p>Here are two examples, taken from the research paper, of
proprietary VPN apps that use JavaScript to track users and infringe
their privacy:</p>
<dl class="compact">
<dt>VPN Services HotspotShield</dt>
<dd>Injects JavaScript code into the HTML pages returned to the
users. The stated purpose of the JS injection is to display ads. Uses
roughly five tracking libraries. Also, it redirects the user's
traffic through valueclick.com (an advertising website).</dd>
<dt>WiFi Protector VPN</dt>
<dd>Injects JavaScript code into HTML pages, and also uses roughly
five tracking libraries. Developers of this app have confirmed that
the non-premium version of the app does JavaScript injection for
tracking the user and displaying ads.</dd>
</dl>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201603080">
<!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>E-books can contain JavaScript code, and <a
href="https://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">
sometimes this code snoops on readers</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201310110">
<!--#set var="DATE" value='<small class="date-tag">2013-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Flash and JavaScript are used for <a
href="https://arstechnica.com/information-technology/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
“fingerprinting” devices</a> to identify users.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201210240">
<!--#set var="DATE" value='<small class="date-tag">2012-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many web sites rat their visitors to advertising
networks that track users. Of the top 1000 web sites, <a
href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/">84%
(as of 5/17/2012) fed their visitors third-party cookies, allowing
other sites to track them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201208210">
<!--#set var="DATE" value='<small class="date-tag">2012-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many web sites report all their visitors
to Google by using the Google Analytics service, which <a
href="https://www.pcworld.com/article/460787/google_analytics_breaks_norwegian_privacy_laws_local_agency_said.html">
tells Google the IP address and the page that was visited</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201200000">
<!--#set var="DATE" value='<small class="date-tag">[2012]</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many web sites try to collect users' address books (the user's list
of other people's phone numbers or email addresses). This violates
the privacy of those other people.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201110040">
<!--#set var="DATE" value='<small class="date-tag">2011-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Pages that contain “Like” buttons <a
href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
enable Facebook to track visitors to those pages</a>—even users
that don't have Facebook accounts.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-webpages.html. -->
<li id="M201003010">
<!--#set var="DATE" value='<small class="date-tag">2010-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Flash Player's <a
href="https://web.archive.org/web/20200808151607/http://www.imasuper.com/2008/10/09/flash-cookies-the-silent-privacy-killer/">
cookie feature helps web sites track visitors</a>.</p>
</li>
</ul>
</div>
</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">
<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF. Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>
<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
replace it with the translation of these two:
We work hard and do our best to provide accurate, good quality
translations. However, we are not exempt from imperfection.
Please send your comments and general suggestions in this regard
to <a href="mailto:web-translators@gnu.org">
&lt;web-translators@gnu.org&gt;</a>.</p>
<p>For information on coordinating and contributing translations of
our web pages, see <a
href="/server/standards/README.translations.html">Translations
README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>
<!-- Regarding copyright, in general, standalone pages (as opposed to
files generated as part of manuals) on the GNU web server should
be under CC BY-ND 4.0. Please do NOT change or remove this
without talking with the webmasters or licensing team first.
Please make sure the copyright date is consistent with the
document. For web pages, it is ok to list just the latest year the
document was modified, or published.
If you wish to list earlier years, that is ok too.
Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
years, as long as each year in the range is in fact a copyrightable
year, i.e., a year in which the document was published (including
being publicly visible on the web or in a revision control system).
There is more detail about copyright years in the GNU Maintainers
Information document, www.gnu.org/prep/maintain. -->
<p>Copyright © 2017-2023, 2025 Free Software Foundation, Inc.</p>
<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>
<!--#include virtual="/server/bottom-notes.html" -->
<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2025/03/11 14:33:06 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>