
6600 Dealership Website Hack? - SpinCar At It Again? Clarivoy "hack the dom"

Discussion in 'I'm Angry and Need to GRIPE!' started by Jeffrey Tognetti, Oct 10, 2019 at 2:48 PM.

  1. Jeffrey Tognetti

    Dealer or Company Name: DealerX
    Hello All,

    It appears SpinCar may be selling and/or diverting your website visitor data (maybe even lead data) to multiple 3rd parties AGAIN. And guess what, many of these 3rd parties may also be reselling and/or using your visitor data against you. Using Builtwith there are 6,600 instances of this script:

    integrator.swipetospin.com

    To put in English what I believe is going on:

    Dealerships spend significant $$$ on Paid Search and other Digital Advertising to establish a presence in a local market. A dealership then hires SpinCar for its "SpinCar Product," but also gets a Trojan Horse. The base SpinCar product "collects" without your dealership's knowledge all the website visitor data and potentially visitors' personal information from lead submissions and possibly other forms.

    Then they allow various 3rd party companies (many of which work with 1000's of dealers inclusive of your competitors) to have access to the illegitimately collected data, without your dealership's consent.


    Clarivoy's script being one of the most egregious:

    u.clarivoy.wait_for_dom_hack_data()

    Wait for Dom Hack Data? Really? AKA "Wait For The Domain Data To Hack The Data ???"


    [IMG]

    Also, they share analytics across stores collectively?

    But wait there's more.

    Criteo is a Retargeting Company. Our clients aren't using SpinCar's retargeting service so why would their scripts load on our clients' pages that aren't using SpinCar's retargeting service? Umh...maybe to collect dealership website visitor data without permission?

    [IMG]

    And Liquidus ..and... and...

    More to come.
     
    #1 Jeffrey Tognetti, Oct 10, 2019 at 2:48 PM
    Last edited: Oct 10, 2019 at 7:15 PM
    • Like x 3
    • Useful x 2
  6. csabatka1

    Dealer or Company Name: Steering Innovation
    Can you post or link that entire criteo js file?

    You might be claiming it's sending data, but when it's actually not. It looks like they include this file by default to push events to an account only if the account ID is set up and not null.

    Your first yellow highlight...
    u.criteo.send=function() only sends data if there is a valid account ID. Which is coded as if(u.criteo.account_id). If that is blank nothing happens or is sent.

    Also, can you post the URL or domain that you pulled these files from? Finding out what is stored in the "u" variable is key to what data is collected and sent to various portions of the script. For non-coders, see how all code has "u.", example u.criteo.account_id. "u" is what's called a variable which is storing information and data from the user and setup of SpinCar. So u.criteo.account_id retrieves the data stored for that dealer's Criteo ID.

    Pretty big claim, yet breaking down the code you might be alleging something that is not true. Just because files or scripts are included doesn't mean they're actually firing or sending data.
     
    #5 csabatka1, Oct 11, 2019 at 8:40 AM
    Last edited: Oct 11, 2019 at 8:53 AM
  7. Jeffrey Tognetti

    Dealer or Company Name: DealerX

    Chad,

    As for "Criteo" my statement was clear:

    Our clients aren't using SpinCar's retargeting service so why would their scripts load on our clients' pages that aren't using SpinCar's retargeting service? Umh...maybe to collect dealership website visitor data without permission?

    1) There is NO statement as to what "Criteo" is doing. Or what anyone else is doing with these scripts. These are questions.
    2) Criteo's script was found across every instance of the install. Being in Adtech there's no reason for this. Can you think of one? Or explain? Are you going to say because it's hardcoded? Why not add it to the GTM on a use basis - not across dealerships not using it. At best it's sloppy, at worst... well you can come up with your own thoughts.
    3) If I pay for a "Digital Merchandising Product" why am I getting a multitude of 3rd party tracking scripts with it? One of which is named "wait for domain hack data" - Clarivoy
    4) Even if you look at the script, it doesn't tell you what it does after it loads. Our gripe is simple, our clients requested these scripts to be removed in the past when there was a similar instance with eXelate - they were removed and now mysteriously they're back and many more of them now - All without permission.
    5) Way-Back-In-Time-Machine can simply give anyone clarity as to what was in a script in case it changes (For any reason).

    I simply posted "What IS Happening" - non-required data capture and/or tracking scripts are loading and anyone can draw their own conclusions as to why.
     
  8. Steve Saorta

    Dealer or Company Name: SpinCar
    As a 30 year IT leader and SpinCar CTO, I can tell you that the claim that "SpinCar may be selling and/or diverting website visitor data to 3rd parties" is categorically false and purposefully misleading. The title of the post "Dealership Website Hack . . . Hack the dom, Hack the Domain", as well as the contents of the post, demonstrate a fundamental lack of understanding of how JavaScript code works. (The term DOM is a reference to HTML Document Model, not "hacking a dealer website domain" as the author erroneously suggests.)

    SpinCar partners with a number of third parties to deliver value-added services to auto dealers, including attribution reporting and ad retargeting. In order to deliver these services to dealers, we use JavaScript code to enable integration that is necessary for them to work. Not surprisingly, this code includes references to those third-party companies (e.g. Clarivoy) in variable names and code comments. This does not mean that the third party's pixels or tags are loaded, nor that any data is transmitted to those third parties. In fact, no third party scripts of any kind are loaded onto a dealer's website without their express consent.

    SpinCar's code is used to confirm whether or not a particular customer has opted-in to one of these services that require third party support. Tracking pixels, tags or data that is necessary for the operation of these third-party services are only activated for those customers who have explicitly opted-in to one of these specific services. They are not used for any dealer who has not given explicit permission to do so.

    The innuendos and inaccuracies posted by the author are misinformed and truly disappointing, and in no way reflect the reality of how SpinCar's script code works, nor the company's business practices. As a matter of policy, we will not be engaging in further conversation on this forum. If the author wishes to understand the actual operation of our code, we are more than willing to speak directly via phone.
     
    • Not sure I agree x 1
  9. craigh

    Dealer or Company Name: Vicimus Inc
    I looked into the script that Clarivoy is loading as an example.
    http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js

    This script is sending data to be captured by https://www.treasuredata.com

    upload_2019-10-11_9-43-37.png

    At the very least, they're tracking every page view of every customer in their own database.

    Diving in a bit deeper, this Clarivoy pageview object contains the following data.
    I'm running this in a private session from a local file, so some of the data like host and referrer is going to be blank, but it does try and track this data from page to page.

    upload_2019-10-11_9-49-42.png

    This Clarivoy script, on its own, throws the following trackers:

    upload_2019-10-11_9-56-0.png
     
    #8 craigh, Oct 11, 2019 at 10:02 AM
    Last edited: Oct 11, 2019 at 10:10 AM
    • Useful x 2
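
The distinction argued over in the posts above, a vendor script merely being included versus a request actually carrying visitor data to a host the dealer never approved, can be checked from a browser network capture. This is an added example, not part of the thread or of any vendor's code; it audits constructed HAR-style entries, and `dealer.example`, `ingest.analytics.example`, `placeholder.js` and the approved-site list are assumptions.

```javascript
// Added example. Constructed HAR-style capture of one dealer page load.
// dealer.example, ingest.analytics.example and placeholder.js are placeholders;
// the two vendor hostnames and the loader.js URL are the ones quoted in the thread.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://www.dealer.example/inventory/used" } },
  { request: { method: "GET", url: "https://integrator.swipetospin.com/placeholder.js" } },
  { request: { method: "GET", url: "http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js" } },
  { request: { method: "POST", url: "https://ingest.analytics.example/event",
               postData: { text: '{"type":"pageview","host":"","referrer":""}' } } },
  { request: { method: "GET", url: "https://ingest.analytics.example/pixel?page=%2Finventory%2Fused" } },
] } };

// True when host is the site itself or one of its subdomains.
function sameSite(host, site) {
  return host === site || host.endsWith("." + site);
}

// Per third-party host: plain script fetches versus requests that carried data out.
function auditThirdParties(har, firstPartySite, approvedSites) {
  const byHost = new Map();
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (sameSite(url.hostname, firstPartySite)) continue; // first-party traffic
    const row = byHost.get(url.hostname) || {
      host: url.hostname, scriptLoads: 0, dataRequests: 0,
      approved: approvedSites.some((s) => sameSite(url.hostname, s)),
    };
    // A request carries data if it is not a GET, has a query string, or has a body.
    const carriesData = request.method !== "GET" || url.search.length > 1 ||
      Boolean(request.postData && request.postData.text);
    if (carriesData) row.dataRequests += 1;
    else if (url.pathname.endsWith(".js")) row.scriptLoads += 1;
    byHost.set(url.hostname, row);
  }
  return [...byHost.values()];
}

// Hosts the dealer never approved that nevertheless received data.
function unapprovedRecipients(rows) {
  return rows.filter((r) => !r.approved && r.dataRequests > 0).map((r) => r.host);
}

const report = auditThirdParties(sampleHar, "dealer.example", ["swipetospin.com"]);
console.log(report, unapprovedRecipients(report));
```

A plain script fetch still discloses the visitor's IP address and `Referer` header to that host, so a row with only `scriptLoads` is a smaller exposure, not a zero one.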
  10. Alex Snyder

    Dealer or Company Name: DealerRefresh
    :hello: Steve - thanks for speaking up for SpinCar :thumbup:

    The absolute BEST threads are the ones that begin in controversy and end in understanding. The companies who have been transparent with their resolutions have prospered in reputation.

    You are obviously free to follow whatever policy you have, but I would advise taking a different approach with this community. When you leave the narrative to your opponent you allow the audience to imagine anything they wish.
     
    • Like x 1
  11. Steve White

    Dealer or Company Name: Clarivoy
    Regretfully, the initial post of this thread misstates Clarivoy's data practices. We offer this post to clarify any misunderstanding.

    Let me start by making something very clear. We do not sell any dealer’s data.

    I would like to set the record straight on a couple of fronts:
    1. The function “u.clarivoy.wait_for_dom_hack_data()” is not part of the Clarivoy code. It is an integration point within the SpinCar code to determine if the dealer has opted-in to have the Clarivoy tracking code loaded onto the website.
    2. “DOM” is not Domain, it stands for Document Object Model. Please see this...The first result when you search Google for DOM. https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction
    3. Developers often use the word hack interchangeably to mean a workaround. In this instance, the workaround is designed to fully wait for the DOM to load versus the standard DOMContentLoaded event.
    In closing, Clarivoy has never sold dealer data and has always strived to provide trusted, unbiased information to dealers about solution providers and third-party listing sites to help dealers make the most informed decision about their marketing.
     
    • Not sure I agree x 1
