[linux-elitists] doubleclick.net cookies for all!

Don Marti dmarti@zgp.org
Sun Jul 2 11:24:57 PDT 2000


So, I woke up this morning and wondered "how am I going to fuck 
with Doubleclick today?"  Thinking of Mojo Nixon and his "foo-foo
haircut" I decided that I, Don Marti, would get a doubleclick.net
cookie.

So I pointed my copy of lynx at one of their banner ads and this
is what I got:

$ lynx -head -source http://ad.doubleclick.net/ad/homepgtable.av.com/fullbanner;sz=468x60;ord=1933827584?
HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Date: Sun, 02 Jul 2000 16:56:34 GMT
Location: http://m.doubleclick.net/viewad/380992-music_banner_09baa4.gif
Cache-Control: private, max-age=0, no-cache
Set-Cookie: id=A; path=/; domain=.doubleclick.net; expires=Wed, 09-Nov-2030 23:59:00 GMT

Holy Shit! My doubleclick.net id is "A". That's like getting the
license plate "1" (which the Governor gets in most states, I think).
I'll keep that cookie. Let's try it again, though, just to get a regular
peon cookie to throw away.

$ lynx -head -source http://ad.doubleclick.net/ad/homepgtable.av.com/fullbanner;sz=468x60;ord=1933827584?
HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Date: Sun, 02 Jul 2000 16:59:33 GMT
Location: http://m.doubleclick.net/viewad/380992-music_banner_09baa5.gif
Cache-Control: private, max-age=0, no-cache
Set-Cookie: id=A; path=/; domain=.doubleclick.net; expires=Wed, 09-Nov-2030 23:59:00 GMT

Damn. They're giving the "A" out to everyone. Hmmm. There must be a
reason for it. I have a hypothesis. What if real ids are expensive for
them to generate? Maybe they have to make a whole new record in their
database, with space for your dental records, iris scan, anal probe
data, and credit history. So it makes sense that they aren't cooking up
a new id every tenth of a second for anyone who knows lynx and while.
They want to know that you'll accept a cookie before they generate
an id.

I modified Randal Schwartz's simple web proxy
(http://web.stonehenge.com/merlyn/WebTechniques/) to spew all
the headers being exchanged between Netscape on my box and
ad.doubleclick.net. As we might have guessed -- no wait, as we _did_
guess -- ad.doubleclick.net only sends the big long "id" (as seen in
cookie files) when the browser sends the Cookie: header with "id=A" to
indicate that it accepts cookies. So let's try to get a real id another
way. I don't know how to stick arbitrary headers into a lynx request, so
we'll do this:

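#!/usr/bin/env python3
# Request a banner ad while presenting the placeholder cookie "id=A",
# then print the status line and the response headers.

import http.client

adhost = 'ad.doubleclick.net'
adurl = '/ad/homepgtable.av.com/fullbanner;sz=468x60;ord=1933827584?'

# Build the request by hand so an arbitrary Cookie: header can be added.
conn = http.client.HTTPConnection(adhost)
conn.putrequest('GET', adurl)
conn.putheader('Cookie', 'id=A')
conn.endheaders()
response = conn.getresponse()
print(response.status, response.reason)
print(response.headers)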

We run it and this is what we get:
$ ./getid.py 
302 Moved Temporarily
Content-Length: 0
Date: Sun, 02 Jul 2000 17:14:17 GMT
Location: http://m.doubleclick.net/viewad/431478-av_70555_drive_v2_dy5.gif
Cache-Control: private, max-age=0, no-cache
Set-Cookie: id=8000000070819df; path=/; domain=.doubleclick.net; expires=Wed, 09-Nov-2030 23:59:00 GMT

Aha! A real cookie!  I'm a real doubleclick.net user after all!  I feel so
special.  Maybe one more:

$ ./getid.py 
302 Moved Temporarily
Content-Length: 0
Date: Sun, 02 Jul 2000 17:17:11 GMT
Location: http://m.doubleclick.net/viewad/451145-icast_003101b.gif
Cache-Control: private, max-age=0, no-cache

Well, it won't issue a new id to the same IP address too soon. We
mustn't be greedy.  BTW, notice that all these responses are HTTP
Redirects -- the img src is "ad.doubleclick.net" but ad.doubleclick.net
just gives you a cookie and redirects you somewhere else for the
actual image.  So the lesson for ad blockers is -- don't just
"view image" and block it.  You could be hiding the ad but leaving
the tracking.

Go back and read that if you were skimming. You _must_ look at the HTML
source, or a proxy log, to do ad blocking correctly.  (I can see
how an advertiser might register one domain for banners and its own
web site, then a _different_ domain for img src.  That would get by
almost all the ad blocking out there.)

Back to getting doubleclick.net cookies. Here's a little Python script
to get a whole bunch of doubleclick "id"s and spew them out in Netscape
cookie file format: http://zgp.org/~dmarti/warez/getid.py 

Rotating, sharing, or otherwise using them is left as an exercise for
the reader.  (They will be collector's items when doubleclick.net
is dead.)

-- 
Don Marti                                No haiku patents
dmarti@zgp.org                           means I've no incentive to
http://zgp.org/~dmarti/         
whois DM683     Software patent reform now: http://burnallgifs.org/
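
Added example, not part of the original post: the proxy-log check the post recommends for ad blocking, following the redirect chain from the img src and listing every host that sets a cookie along the way. The log is constructed from the first response quoted above; the 200 response for the image and all function names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy log: (request URL, raw response head). The first entry
# is the response quoted in the post; the 200 for the image is assumed.
PROXY_LOG = [
    ("http://ad.doubleclick.net/ad/homepgtable.av.com/fullbanner;sz=468x60;ord=1933827584?",
     "HTTP/1.0 302 Moved Temporarily\r\nContent-Length: 0\r\n"
     "Location: http://m.doubleclick.net/viewad/380992-music_banner_09baa4.gif\r\n"
     "Set-Cookie: id=A; path=/; domain=.doubleclick.net; "
     "expires=Wed, 09-Nov-2030 23:59:00 GMT\r\n\r\n"),
    ("http://m.doubleclick.net/viewad/380992-music_banner_09baa4.gif",
     "HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\n\r\n"),
]

def parse_head(raw):
    """Return (status code, [(lower-cased header name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(lines[0].split()[1]), headers

def trace(img_src, log):
    """Follow redirects from img_src through the log, one dict per hop."""
    by_url = {url: parse_head(raw) for url, raw in log}
    hops, url, seen = [], img_src, set()
    while url in by_url and url not in seen:
        seen.add(url)
        status, headers = by_url[url]
        cookies = [v.split(";")[0] for n, v in headers if n == "set-cookie"]
        hops.append({"host": urlsplit(url).hostname, "status": status, "cookies": cookies})
        location = dict(headers).get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return hops

def missed_by_image_only_block(hops):
    """Cookie-setting hosts other than the host that served the image."""
    image_host = hops[-1]["host"]
    return sorted({h["host"] for h in hops if h["cookies"] and h["host"] != image_host})

if __name__ == "__main__":
    hops = trace(PROXY_LOG[0][0], PROXY_LOG)
    print(hops)
    print("hosts still tracking after blocking the image:", missed_by_image_only_block(hops))
```

A blocklist built from the output of "view image" would contain only the last hop's host; the function above names the hosts that would keep setting cookies.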


