6600 Dealership Website Hack? - SpinCar At It Again? Clarivoy "hack the dom"

[Jeffrey Tognetti]

Hello All,

It appears SpinCar may be selling and/or diverting your website visitor data (maybe even lead data) to multiple 3rd parties AGAIN. And guess what, many of these 3rd parties may also be reselling and/or using your visitor data against you. Using Builtwith there are 6,600 instances of this script:

integrator.swipetospin.com

To put in English what I believe is going on:

Dealerships spend significant $$$ on Paid Search and other Digital Advertising to establish a presence in a local market. A dealership then hires SpinCar for its "SpinCar Product," but also gets a Trojan Horse. The base SpinCar product "collects" without your dealership's knowledge all the website visitor data and potentially visitors' personal information from lead submissions and possibly other forms.

Then they allow various 3rd party companies (many of which work with 1000's of dealers inclusive of your competitors) to have access to the illegitimately collected data, without your dealership's consent.

Clarivoy's script being one of the most egregious:

u.clarivoy.wait_for_dom_hack_data()

Wait for Dom Hack Data? Really? AKA "Wait For The Domain Data To Hack The Data ???"

Also, they share analytics across stores collectively?

But wait there's more.

Criteo is a Retargeting Company. Our clients aren't using SpinCar's retargeting service so why would their scripts load on our clients' pages that aren't using SpinCar's retargeting service? Umh...maybe to collect dealership website visitor data without permission?

And Liquidus ..and... and...

More to come.

 

[Alex Snyder]

Oh boy. Is this Version 2 of the last SpinCar thread? https://forum.dealerrefresh.com/threads/busted-spincar-caught-selling-dealer-data.5914/

 

[John.H]

 

[Rick Buffkin]

 

[csabatka1]

Can you post or link that entire criteo js file?

You might be claiming it's sending data, but when it's actually not. It looks like they include this file by default to push events to an account only if the account ID is setup and not null.

Your first yellow highlight...
U.criteo.send=function() only sends data if there is a valid account ID. Which is coded as if(u.criteo.account_id). If that is blank nothing happens or is sent.

Also, can you post the url or domain that you pulled these files? Finding out what is stored in the "u" variable is key to what data is collected and sent to various portions of the script. For non-coders, see how all code has "u.", example u.criteo.account_id. "u" is what's called a variable which is storing information and data from the user and setup of spin car. So u.criteo.account_id retrieves the data stored for that dealers criteo id.

Pretty big claim, yet breaking down the code you might be alleging something that is not true. Just because files or scripts are included doesn't mean they're actually firing or sending data.

 

[Jeffrey Tognetti]

Can you post or link that entire criteo js file?

You might be claiming it's sending data, but when it's actually not. It looks like they include this file by default to push events to an account only if the account ID is setup and not null.

Your first yellow highlight...
U.criteo.send=function() only sends data if there is a valid account ID. Which is coded as if(u.criteo.account_id). If that is blank nothing happens or is sent.

Also, can you post the url or domain that you pulled these files? Finding out what is stored in the "u" variable is key to what data is collected and sent to various portions of the script. For non-coders, see how all code has "u.", example u.criteo.account_id. "u" is what's called a variable which is storing information and data from the user and setup of spin car. So u.criteo.account_id retrieves the data stored for that dealers criteo id.

Pretty big claim, yet breaking down the code you might be alleging something that is not true. Just because files or scripts are included doesn't mean they're actually firing or sending data.

Chad,

As for "Criteo" my statement was clear:

Our clients aren't using SpinCar's retargeting service so why would their scripts load on our clients' pages that aren't using SpinCar's retargeting service? Umh...maybe to collect dealership website visitor data without permission?

1) There is NO statement as to what "Criteo" is doing. Or what anyone else is doing with these scripts. These are questions.
2) Criteo's script was found across every instance of the install. Being in Adtech there's no reason for this. Can you think of one? Or explain? Are you going to say because it's hardcoded? Why not add it to the GTM on a use basis - not across dealerships not using it. At best it's sloppy, at worst... well you can come up with your own thoughts.
3) If I pay for a "Digital Merchandising Product" why am I getting a multitude of 3rd party tracking scripts with it?, One of which is named "wait for domain hack data" - Clarivoy
4) Even if you look at the script, it doesn't tell you what it does after it loads. Our gripe is simple, our clients requested these scripts to be removed in the past when there was a similar instance with eXelate - they were removed and now mysteriously they're back and many more of them now - All without permission.
5) Way-Back-In-Time-Machine can simply give anyone clarity as to what was in a script in case it changes (For any reason).

I simply posted "What IS Happening" - non required data capture and/or tracking scripts are loading and anyone can draw their own conclusions as to why.

 

[Steve Saorta]

As a 30 year IT leader and SpinCar CTO, I can tell you that the claim that "SpinCar may be selling and/or diverting website visitor data to 3rd parties" is categorically false and purposefully misleading. The title of the post "Dealership Website Hack . . . Hack the dom, Hack the Domain", as well as the contents of the post, demonstrate a fundamental lack of understanding of how JavaScript code works. (The term DOM is a reference to HTML Document Model, not "hacking a dealer website domain" as the author erroneously suggests.)

SpinCar partners with a number of third parties to deliver value-added services to auto dealers, including attribution reporting and ad retargeting. In order to deliver these services to dealers, we use JavaScript code to enable integration that is necessary for them to work. Not surprisingly, this code includes references to those third-party companies (e.g. Clarivoy) in variable names and code comments. This does not mean that the third party's pixels or tags are loaded, nor that any data is transmitted to those third parties. In fact, no third party scripts of any kind are loaded onto a dealer's website without their express consent.

SpinCar's code is used to confirm whether or not a particular customer has opted-in to one of these services that require third party support. Tracking pixels, tags or data that is necessary for the operation of these third-party services are only activated for those customers who have explicitly opted-in to one of these specific services. They are not used for any dealer who has not given explicit permission to do so.

The innuendos and inaccuracies posted by the author are misinformed and truly disappointing, and in no way reflect the reality of how SpinCar's script code works, nor the company's business practices. As a matter of policy, we will not be engaging in further conversation on this forum. If the author wishes to understand the actual operation of our code, we are more than willing to speak directly via phone.

 

[craigh]

I looked into the script that Clarivoy is loading as an example.
http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js

This script is sending data to be captured by https://www.treasuredata.com



At the very least, they're tracking every page view of every customer in their own database.

Diving in a bit deeper, this Clarivoy pageview object contains the following data.
I'm running this in a private session from a local file, so some of the data like host and referrer is going to be blank, but it does try and track this data from page to page.



This Clarivoy script, on its own, throws the following trackers:

 

[Alex Snyder]

As a matter of policy, we will not be engaging in further conversation on this forum. If the author wishes to understand the actual operation of our code, we are more than willing to speak directly via phone.

Steve - thanks for speaking up for SpinCar :thumbup:

The absolute BEST threads are the ones that begin in controversy and end in understanding. The companies who have been transparent with their resolutions have prospered in reputation.

You are obviously free to follow whatever policy you have, but I would advise taking a different approach with this community. When you leave the narrative to your opponent you allow the audience to imagine anything they wish.

 

[Steve White]

Regretfully, the initial post of this thread misstates Clarivoy's data practices. We offer this post to clarify any misunderstanding.

Let me start by making something very clear. We do not sell any dealer’s data.

I would like to set the record straight on a couple of fronts:

1. The function “u.clarivoy.wait_for_dom_hack_data()” is not part of the Clarivoy code. It is an integration point within the SpinCar code to determine if the dealer has opted-in to have the Clarivoy tracking code loaded onto the website.
2. “DOM” is not Domain, it stands for Document Object Model. Please see this...The first result when you search Google for DOM. https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction
3. Developers often use the word hack interchangeably to mean a workaround. In this instance, the workaround is designed to fully wait for the DOM to load versus the standard DOMContentLoaded event.

In closing, Clarivoy has never sold dealer data and has always strived to provide trusted, unbiased information to dealers about solution providers and third-party listing sites to help dealers make the most informed decision about their marketing.