Computer science researchers surveyed 50,000 of the web's most-visited sites and found 485 sites using a history-tracking bug. In all, 63 sites were copying the data it reveals and 46 were found to be hijacking a user's history.
"Many of these websites seem to try to obfuscate what they are doing," UC San Diego researchers wrote in the paper, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications."
"For example, the inspected URLs on YouPorn.com are listed in the JavaScript source in encoded form and decoded right before they are used. On other websites, the history-sniffing JavaScript is not statically inserted in a web page, but dynamically generated in a way that makes it hard to understand that history sniffing is occurring by just looking at the static code.
"We also found that many of these websites make use of a handful of third-party history-sniffing libraries."
The researchers also looked at other popular techniques that sites use to map and monitor what visitors do.
In the case of YouPorn, operators run scripts that track the trail a user's mouse pointer takes on and across pages.
Operators of YouPorn.com, which is owned by Curacao-based Midstream Media International N.V., did not respond by post time to XBIZ for comment on the findings.
YouPorn operators also own YouPornGay.com and YouPornCocks, which also were on the UC San Diego study's history-sniffing list.
The study also revealed YouPorn's attack code.
Chrome and Safari, researchers said, are not vulnerable to history hijacking and that the most recent version of Firefox has closed loopholes. Internet Explorer users can turn on "private browsing" to stop the flaw from divulging histories.
"Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows," the researchers wrote.