Mar. 4th, 2010

egypturnash: (wtf?)
Alright, I've been fiddling around some more with this stuff. I signed up for Amazon's affiliate program to see what this Javascript would do to an affiliate link.

While I was on vacation, I picked up a copy of Pynchon's latest book, Inherent Vice. It was much more in the vein of The Crying of Lot 49 than Mason & Dixon, i.e., actually fun to read.

If you have the 'dRev.js' script blocked, you'll end up at a page on Amazon with "&tag=egypturna-20" as part of the URL.

If you're not blocking the 'dRev.js' script... you'll end up at the same page on Amazon, with "&tag=5336432744-20" as part of the URL instead.

Guess what the "&tag=something" is used for? Telling Amazon which affiliate account to give credit to. If you buy that book by clicking on that link (or, I think, something else if you keep wandering Amazon from there), I'm supposed to get a kickback. But now someone else gets it. Livejournal? Who knows? And this thing is firing on links to about 150 different e-commerce sites, like eBay, iTunes, Newegg, Borders, and lllllots more.

This code is also sloppy; it will try to do its work on any link whose end matches something it wants to play with. So gets turned into an URL, which redirects to a link with "&campid=5336432744" in it (hey, that number sure looks familiar!), which then ends up on the front of eBay, presumably because it's not actually providing a valid item link or something.

This code is definitely being inserted by Livejournal. If you go do something with LJ's very obscure Admin Console it will stop showing up. I don't think someone sneaking this into LJ would be bothering to wire it to a switch like that.

TL;DR: dRev.js is not only tracking your e-commerce links; it is actively removing any affiliate IDs and substituting its own. This is not a malicious third party; this is something LJ is doing on their servers.

Also any link dRev.js works its "magic" on now opens in a new window, which is a behavior I really, really hate.

I opened a support request on this.
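
Added example (not part of the original post, and not the dRev.js code): one way a site owner could check for the substitution described above is to compare each link as authored with the URL the browser actually requested and flag any change to an affiliate parameter. The parameter names "tag" and "campid" and the two IDs come from the post; the function names, hosts and paths are assumptions made up for the illustration.

```javascript
// Affiliate parameters named in the post: Amazon's "tag" and eBay's "campid".
const AFFILIATE_PARAMS = ["tag", "campid"];

// Collect affiliate IDs from a URL, following destinations embedded in a
// redirector's query string (depth is bounded so crafted input cannot loop).
function affiliateIds(rawUrl, depth = 0) {
  const found = {};
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return found; // not an absolute URL: nothing to compare
  }
  for (const [key, value] of url.searchParams) {
    const name = key.toLowerCase();
    if (AFFILIATE_PARAMS.includes(name)) {
      found[name] = value;
    } else if (depth < 2 && /^https?:\/\//i.test(value)) {
      Object.assign(found, affiliateIds(value, depth + 1));
    }
  }
  return found;
}

// Compare the link as authored with the URL that was actually requested.
function compareLink(authoredHref, observedUrl) {
  const before = affiliateIds(authoredHref);
  const after = affiliateIds(observedUrl);
  const findings = [];
  for (const name of AFFILIATE_PARAMS) {
    const a = before[name];
    const o = after[name];
    if (a !== undefined && o !== undefined && a !== o) {
      findings.push({ param: name, kind: "replaced", authored: a, observed: o });
    } else if (a === undefined && o !== undefined) {
      findings.push({ param: name, kind: "injected", observed: o });
    } else if (a !== undefined && o === undefined) {
      findings.push({ param: name, kind: "stripped", authored: a });
    }
  }
  return findings;
}

// Constructed sample: IDs are the ones quoted in the post, the path is a placeholder.
const authored = "https://www.amazon.com/dp/EXAMPLE?ie=UTF8&tag=egypturna-20";
const observed = "https://www.amazon.com/dp/EXAMPLE?ie=UTF8&tag=5336432744-20";
console.log(compareLink(authored, observed));
```
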
egypturnash: (POW!)
So I was looking at some of the other LJ support requests involving I came across this support request, in which dstroy provides a Target link that was completely mangling for her.

Well, seems to have been upgraded, because it worked for me when I clicked on it. Since all LJ pages now include the Javascript that does this (even your profile page! even the front page!), it went through their redirector.

I looked at the URL for an affiliate ID.



Now, view the source of this page. Or any other LJ page. Down by the bottom, you'll find the <script> tags that load and invoke the dRev.js code.

var DR_id = '1111'; // Is this a real ID or we'll be asked to change it? :)

I think I have an answer for this anonymous web developer's question!

I will let you do the math on how much money outboundlink/drivingrevenue* is making off of this lack of communication on ID changing.

(Of course, there is the chance that they're keeping track of all their redirects, and paying out some percentage to their clients like LJ. Maybe.)

I could mmmmmaybe let this slide if they only added affiliate IDs to unaffiliated links. But they don't; they rip your affiliate ID off and substitute their own. To make matters worse, untangling just who is owed what in stolen affiliate-link juice will be a nightmare - they grab, and presumably save, the referring URL, but how many people clicking on links are doing them from their friends page?

I smell lawyermeat here.

[ edit: I can easily come up with narratives for how this happened that are just a comedy of errors rather than malicious money-grubbing on LJ's part. But this is really making Dreamwidth look better and better; this is far from the first time LJ's pulled shortsighted bottom-line shit like this. The test Amazon link in the previous post is the first and only time I've linked to an e-commerce site here, but the whole underhandedness of this whole thing is really pissing me off. They'd better have a damn good explanation. And a damn good apology. ]

* I am now 99% certain that is part of Driving Revenue's system - they're running off the same IP address, the function that activates it is called "drivingRevenue()", and now this plaintext Target affiliate ID?
egypturnash: (Default)
If anyone's curious, here's the unpacked, de-obfuscated code in dRev.js.

code )

The two bits I find most amusing are "if it's before 6AM where you are, we add to the list of URLs we fiddle with" and "oh maybe we shouldn't steal people's affiliate links but we only bother checking for 'AFFCODE' which is one of the many, many possibilities", both to be found in the main DrivingRevenue() function.

Oh, and of course I'm also amused by
var DR_id = '1111'; // Is this a real ID or we'll be asked to change it? :)
which can be found in every single page LJ's serving unless you've opted out of this stuff. *grin*
egypturnash: (Default)
So yeah, the official word is that this script is gonna get pulled and that it's been displaying "several things that were not intended behaviors". like giving all the affiliate juice to the linkjacking company instead of lj</snark>

No comment on the fact that it was rolled out silently a month or two ago, of course.

And that's really what's got me pissed. The lack of transparency on something that's rewriting my content.

I wonder if I'll see anything about this in news when they've shut it down?

edit: Heh. I went and looked at support requests again. All the other questions are answered with a cut-and-paste statement and closed as of an hour or so ago; my more pointed question is still open. I wonder if I'll get a personally-crafted answer?

edit 2: Script is still being included, but now it's just one line in the file: /* this code is removed until we can get it off all our pages */ So yay for a response measured in hours. But boo for rolling it out silently in the first place. Because, I mean, "intended behavior" of this thing would still be "silently paste our affiliate code on lots of outgoing links without ever telling our userbase we were gonna monetize them this way". Even if it was super-scrupulous about never touching links with an existing affiliate code and had been tested on a big enough pile of links to notice the "" problem. which is beyond trivial to solve once you notice it exists but i think i have far better things to do with my life than debug shady code. like draw pornographic comic books. And the "intended behavior" is still feeling real likely to make me spend some time tomorrow giving Dreamwidth some dollars and migrating over there.
