Could someone (or multiple people) go to http://ads.auctionads.com/pagead/show_ads.js and paste back in here exactly what is returned? That's the javascript used by AuctionAds to display your ads. I'll tell everyone exactly why as soon as someone pastes in here and confirms the results to me. Thanks. This will be really interesting.
AuctionAds - Favor Needed
- Thread starter jdq
- Start date
- Status
Perfect, see that part that starts with the eval(function(p,a,c,k,e,d)...? It's javascript, but you can't really tell what it does because it's obfuscated (that's where you take a language that is passed as source, like javascript, php, java byte code, etc., and in order to keep people from knowing what it's doing, you make it purposely hard to read by passing it through an obfuscation algorithm). I wondered why it was obfuscated, as no one else who uses the javascript ad technique does it, not Google, Yahoo!, no one. So I used the technique here (Yet Another Infosec Blog: Defeating Dean Edwards' Javascript Packer) to un-obfuscate the javascript and it turns out it's a series of functions for grabbing search engine keywords. If the referring page is search engine, the functions extract the keywords used for the serch and pass it with the ad request to AuctionAds.
To me it is a bit odd. I can see two reasons why AuctionAds would need the search phrase that leads to a website. They might use it to further target the ad, but to me that sounds weak. They would do a better job if they scanned the page for context than grabbing the search query. The second reason is if AA is collecting keywords for some kind of giant keyword database--like having your own overture keyword tool. Both are harmless to the AA user, but when you try to hide what is actually happening by obfuscating the code, it makes me suspicious.
Anyway, I wanted someone else to paste the code in case my post caused AA to quickly remove the javascript and I was left looking like an idiot.
To me it is a bit odd. I can see two reasons why AuctionAds would need the search phrase that leads to a website. They might use it to further target the ad, but to me that sounds weak. They would do a better job if they scanned the page for context than grabbing the search query. The second reason is if AA is collecting keywords for some kind of giant keyword database--like having your own overture keyword tool. Both are harmless to the AA user, but when you try to hide what is actually happening by obfuscating the code, it makes me suspicious.
Anyway, I wanted someone else to paste the code in case my post caused AA to quickly remove the javascript and I was left looking like an idiot.
How many posts does someone have to have before posts don't have to be checked by a moderator?
Oh, never mind, it must have to do with including URLs in the posts and me having fewer than 10 total posts or something.
I posted an explanation as to why I needed the javascript, but the urls in it got it flagged. We have to wait for a mod to post it now.
Oh, never mind, it must have to do with including URLs in the posts and me having fewer than 10 total posts or something.
I posted an explanation as to why I needed the javascript, but the urls in it got it flagged. We have to wait for a mod to post it now.
Last edited:
Okay, well apparently my original message isn't going to be posted so I'll just write it again without URLs.
See the 2nd line down that starts with eval(function(p,a,c,k,e,d){...? That's javascript, but you can't tell what it does because it has been obfuscated. Obfuscation is where you take programming source and run it through an algorithm that makes it as difficult to read as possible (for a human) while still producing programatically the same result (to a computer). Google 'obfucate' for more info, I'd post a link but I can't. Anyway, you obfuscate when you don't want people to know what the code is doing. This particular bit of javascript was obfuscated with Dean Edwards Javascript Packer.
The interesting part is that the method of obfuscation is 100% reversible. There is a great post on Yet Another Infosec Blog (I'll post the link when I finally can post URLS) that describes how. When you un-obfuscate the code you find a few functions that are used to extract the search query from the referrer if the referrer was a search engine. I.e. if someone found your site by coming through a search engine, the keywords they used to are extracted from the referrer and passed to AuctionAds when the ad server is called.
Why would AA want the keywords? I can think of two reasons.
1. They might argue that they further target your ad based on what is searched for, but that isn't a very good method. If it was, Google, Yahoo, MSN, etc. would use it. Instead they use page context (text). Also, that method only works when someone comes from a search engine.
2. AuctionAds might be building a keyword database--their own private Overture keyword tool. That would be interesting. The exact phrases people use when searching and the pages they go to. You can get all kinds of useful stats from that.
Now, extracting the referrer keywords and passing them to AA doesn't hurt the AA user at all. Personally I am indifferent if they do it, but why hide it? You could argue that obfuscating the code makes it shorter so they use less bandwidth, but in actuality, it makes the code longer (by 170 characters - why not obfuscate ALL the javascript? Why just the search engine stuff?). I would love to have access to the database as well. Talk about a goldmine of information. If you wanted to do a campaign for red bicycles, just check the keywords used to get to all the red bicycle sites that run AuctionAds. That's golden.
Anyway, I don't know if I'm just being paranoid or if there is a good reason to try to hide what is going on in the javascript. Thoughts?
See the 2nd line down that starts with eval(function(p,a,c,k,e,d){...? That's javascript, but you can't tell what it does because it has been obfuscated. Obfuscation is where you take programming source and run it through an algorithm that makes it as difficult to read as possible (for a human) while still producing programatically the same result (to a computer). Google 'obfucate' for more info, I'd post a link but I can't. Anyway, you obfuscate when you don't want people to know what the code is doing. This particular bit of javascript was obfuscated with Dean Edwards Javascript Packer.
The interesting part is that the method of obfuscation is 100% reversible. There is a great post on Yet Another Infosec Blog (I'll post the link when I finally can post URLS) that describes how. When you un-obfuscate the code you find a few functions that are used to extract the search query from the referrer if the referrer was a search engine. I.e. if someone found your site by coming through a search engine, the keywords they used to are extracted from the referrer and passed to AuctionAds when the ad server is called.
Why would AA want the keywords? I can think of two reasons.
1. They might argue that they further target your ad based on what is searched for, but that isn't a very good method. If it was, Google, Yahoo, MSN, etc. would use it. Instead they use page context (text). Also, that method only works when someone comes from a search engine.
2. AuctionAds might be building a keyword database--their own private Overture keyword tool. That would be interesting. The exact phrases people use when searching and the pages they go to. You can get all kinds of useful stats from that.
Now, extracting the referrer keywords and passing them to AA doesn't hurt the AA user at all. Personally I am indifferent if they do it, but why hide it? You could argue that obfuscating the code makes it shorter so they use less bandwidth, but in actuality, it makes the code longer (by 170 characters - why not obfuscate ALL the javascript? Why just the search engine stuff?). I would love to have access to the database as well. Talk about a goldmine of information. If you wanted to do a campaign for red bicycles, just check the keywords used to get to all the red bicycle sites that run AuctionAds. That's golden.
Anyway, I don't know if I'm just being paranoid or if there is a good reason to try to hide what is going on in the javascript. Thoughts?
If this is what the program is doing, I think it's REALLY bad idea to use auction ads. Now they would know what keywords brought you to the site, which keywords click on auction ads and which of those keywords convert to sales.
Perfect, now he has better information than you do and can now compete with you using adwords, taking all your business.
That's IF... I'm not speculating that's what is actually happening... but based on your post, THAT is how they could use the data.
Perfect, now he has better information than you do and can now compete with you using adwords, taking all your business.
That's IF... I'm not speculating that's what is actually happening... but based on your post, THAT is how they could use the data.
Well, it seems that the eval()ed JS is incorrect; the obfuscater returns a missing parenthetical error, as does my JavaScript debugger.
Jason
Jason
What do you mean? Are you sure you cut and pasted it all? It runs just fine for me.
Code:
var qstr='q';function rc(){try{var ref=document.referrer.toUpperCase();if(ref.indexOf('GOOGLE.COM')>0){qstr='q';return true}if(ref.indexOf('MSN.COM')>0){qstr='q';return true}if(ref.indexOf('YAHOO.COM')>0){qstr='p';return true}if(ref.indexOf('LOCALHOST')>0){qstr='q';return true}}catch(exception){}return false}function getkw(){if(rc()==false){}var keywords=new Array();var ref=document.referrer;var pair;var qIndex=0;var qs;var prm;try{qIndex=ref.indexOf('?');if(qIndex<1){return keywords}ref=repl(ref,'%22','');qs=ref.substring(qIndex+1,ref.length);prm=qs.split('&');for(i=0;i<prm.length;i++){pair=prm[i].split('=');temp=unescape(pair[0]).split('+');name=temp.join(' ');if(name!=qstr){continue}temp=unescape(pair[1]).split('+');for(k=0;k<temp.length;k++){keywords.push(temp[k])}}}catch(exception){}return keywords}function repl(OrgVal,SearchVal,ReplaceVal){var Val;var RegExp=eval("/"+SearchVal+"/g");if(OrgVal.indexOf(SearchVal)<1){return OrgVal}Val=OrgVal.replace(RegExp,ReplaceVal);return Val}keywords=getkw();Jason
EDIT: Beat me to it
Wow. This is a great find. I'm surprised more people aren't jumping all over this...
I just did a quick writeup, but if I were Chitika I'd be getting this everywhere I possibly could (assuming, of course, that Chitika isn't doing something similar).
I just did a quick writeup, but if I were Chitika I'd be getting this everywhere I possibly could (assuming, of course, that Chitika isn't doing something similar).
Actually, without resorting to paranoia, this is a geniis idea.
Basically, this targets the ads based on what people were LOOKING FOR when they come to your site vs. WHAT IS THERE.
It is also easier (by a magnitude of n) to just use the keywords the user gives you than trying to extract meaning from a page.
:2twocents:
::emp::
Basically, this targets the ads based on what people were LOOKING FOR when they come to your site vs. WHAT IS THERE.
It is also easier (by a magnitude of n) to just use the keywords the user gives you than trying to extract meaning from a page.
:2twocents:
::emp::
I hope that is what it is for. There are a couple problems with this method, if indeed this is what it is for. 1. Not everyone comes to a site from a search engine. 2. The search keyword(s) used may have nothing to do with the content of the site or the chosen eBay keywords of the site owner.
Also, if it is just a clever way to target the ads, why try to hide it by obfuscating the javascript?
Also, if it is just a clever way to target the ads, why try to hide it by obfuscating the javascript?
1) The code is packed to reduce size. The reduction is significant.
2) Even though executed, the resulting keywords aren't passed to the server at this time. See kw=
3) See #2. The keyword string is reset to empty right after the packed code.
4) Even if they were sent to the server, logging would be prohibitive. At 10M+ hits/day the database would increase by millions of rows a day.
5) Using this method in the future is many magnitudes simpler than trying to determine page context via scraping or indexing.
As for why its there.... we did testing with shoemoneyads with referal based ad targeting... meaning that users could select to let keywords override what they specified to target ads.
2) Even though executed, the resulting keywords aren't passed to the server at this time. See kw=
3) See #2. The keyword string is reset to empty right after the packed code.
4) Even if they were sent to the server, logging would be prohibitive. At 10M+ hits/day the database would increase by millions of rows a day.
5) Using this method in the future is many magnitudes simpler than trying to determine page context via scraping or indexing.
As for why its there.... we did testing with shoemoneyads with referal based ad targeting... meaning that users could select to let keywords override what they specified to target ads.
I concur that letting google's algorithm take precedence over your own is definitely a smart decision. I wouldn't rely solely on that, but it certainly a great way to utilize an existing resource.
By the way, great work jdq. I'm giving you +rep for figuring it out and posting an explanation, I enjoyed reading it (I guess I'm a geek at heart, huh?)
- Status