Hijacking affiliate links

[foxfirefey]

I've been given a heads up that has done some excellent sleuthing and investigation into hijacked LJ affiliate links:

What is LJ doing to my links?
What is LJ doing to my links? Part 2
What is LJ doing to my links? Part 3

Expect this post to be update through the day as I find out more and come up with a good summary.

ETA: No good summary, but

Comments

*Growl*

[flexor]

Just when I was considering sticking the occasional blog post up here again...

As far as I understand it, there's sites that'll give you cookies if you refer people to them. (Like, "I just bought this great book at WeSellBooks.com" and this is the link...) and if you stick a number in, then WeSellBooks.com will know it's you and hand you a cookie.

LiveJournal wants a cookie, too.

So they remove your number and substitute their own. Hence, they get a cookie and you don't. So their script stole your cookie. The intended behaviour was to add their number to the list of cookie-worthy people, presumably so you wouldn't mail WeSellBooks.com going "Where's my cookie, bitch?"

They screwed up.

As I understand it, their Javascript changes the behaviour of your browser from "Follow this link", to "Follow this other link instead, modify the original slightly, then follow it." Words cannot express my loathing of this technique. For them to modify links in situ while even faking the link indicator in your browser when you hover over it, is

Re: *Growl*

[mskala]

"As far as I understand it, there's sites that'll give you cookies if you refer people to them."

"Cookie" may not be the best term for this because it has a very different technical meaning in the context of the Web. What these sites generally give you is money.

Re: *Growl*

[flexor]

Yeah, or vouchers, money off, credits, dates with supermodels. Goods. Discussing this with my wife, she held that LJ may have the right to do this, as we're on their servers. But that's only true if they put in their TOS that they will take a portion (in this case 100%) of your taking if you make money off your journal. Doing it without asking, behind our backs, is definitely not on.

Re: *Growl*

[foxfirefey]

There's a lot of other comments on this post discussing the TOS aspects, if you're so inclined--people posting affiliate links and making money off of them is a gray area heavily shaded to black, and LJ making money is greenlighted throughout, so.

[elisa_rolle]

I have a theory (and considering what happened, maybe it's neither so strange): mine was the first support request to LiveJournal

Syndicated feed accounts

[matgb]

I read a number of bookbloggers. Many of them post affiliate links. Other bloggers post charity affiliate codes &c.

Being skint, haven't personally bought anything recently, but I'm guessing others have.

It's not just LJ users that have lost out, it's bookbloggers who's feeds are syndicated here. Some of these people won't even know of the existence of the syndication.

Explaining to some bloggers that an LJ feed is just like a Google Reader pickup is hard enough as it is, this pretty much tips it over the edge.

I cannot believe they did this without testing it to make sure it worked as advertised.

Re: Syndicated feed accounts

[foxfirefey]

You're right, I didn't even think about that!

Re: Syndicated feed accounts

[matgb]

Occured to me as a book review came past my friends page. Which had more entries than normal to skip past as I'd just finished reading all the comments on the news post.

So not just a breach of Amazon's TOS, but also a breach of the copyright of everyone they syndicate onto here. Wonder how many of the other sites have restrictions that make this wrong? Bet eBay does; is someone already looking?

[trixieleitz]

Some of the commentary I've seen has wondered if the opt-out was deliberately included as part of the present code, and therefore indicates something more sinister about it. I've finally managed to track down this and related pages, which indicate that the opt-out was there long ago.

Also, I (and probably many others) had set the opt-out way back when and forgotten about it. So those munged links would have looked fine to Support volunteers looking at the relevant requests, if they had also set and forgotten the opt-out. That would have hampered the investigation as well, especially if no-one involved knew about the hinky code.

None of which excuses the whole stinking mess, but it might go some way to clarifying a couple of details :)

[foxfirefey]

Yeah, that sounds like a good explanation. I don't the Support volunteers got notified about this change to the code base, either, and it didn't show up in changelog or anything.

[enigel]

I don't have the time to investigate more, but I've just noticed something new which screams "shady" to me.

I use Opera, have a permanent account. And yet, some entries that I've opened today (in paid journals) execute a script that makes the browser go through a wd.sharethis.com link (it appears in the browser's back button history) via a googleadservices.com link. (The latter appears in my browser's history.)

I've never used the "Share this!" javascript link that has replaced "tell a friend". I don't think it's right that I should be made to visit googleadservices.

I don't know if this is another case of a script doing what it wasn't supposed to, an Opera bug or what. I was hoping to enlist specialised web detectives like you for this. ;)

One possibility is that I came to those paid journals via a plus community, but now that I've blocked those sites I see this page trying to reload too (and failing because of blockages), and I can't imagine something less "plus" than this community.

[foxfirefey]

I think the Share This javascript interacts badly with Opera--I've seen support requests come up about it before. I think you should report to Support, so they know what's going on at least--they haven't been able to replicate it, but you are not the only person it is happening to:

http://news.livejournal.com/123520.html?thread=81843328&format=light#t81843328