6600 Dealership Website Hack? - SpinCar At It Again? Clarivoy "hack the dom"

[Jeffrey Tognetti]

The funny thing is that the SpinCar script has just been taken down, where's there's smoke there's fire?

 

[Jeffrey Tognetti]

Regretfully, the initial post of this thread misstates Clarivoy's data practices. We offer this post to clarify any misunderstanding.

Let me start by making something very clear. We do not sell any dealer’s data.

I would like to set the record straight on a couple of fronts:

1. The function “u.clarivoy.wait_for_dom_hack_data()” is not part of the Clarivoy code. It is an integration point within the SpinCar code to determine if the dealer has opted-in to have the Clarivoy tracking code loaded onto the website.
2. “DOM” is not Domain, it stands for Document Object Model. Please see this...The first result when you search Google for DOM. https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction
3. Developers often use the word hack interchangeably to mean a workaround. In this instance, the workaround is designed to fully wait for the DOM to load versus the standard DOMContentLoaded event.

In closing, Clarivoy has never sold dealer data and has always strived to provide trusted, unbiased information to dealers about solution providers and third-party listing sites to help dealers make the most informed decision about their marketing.

Steve,

I know what "Dom" is. And I'm sure you know I know. For the crowd It is a HTML/Javascript term which referrers to the Object Model - However the object model is part of a website's syntax. And KNOW ONE this day and age uses the word hack in a script (unless maybe they're laughing to themselves because most people don't understand whats going on?)

Your'e obfuscating the issue with semantics.

Look at CraigH's post

 

[Alex Snyder]

I'm sure it's totally unrelated, but all my SpinCar clients just broke.
None of the Spins are showing up because https://integrator.swipetospin.com is currently offline.

Whoa whoa whoa whoa whoa. Hold on. This thread was posted yesterday and was obviously noticed today. All of a sudden the script is removed .....ummmmmm

 

[csabatka1]

Chad,

As for "Criteo" my statement was clear:

Our clients aren't using SpinCar's retargeting service so why would their scripts load on our clients' pages that aren't using SpinCar's retargeting service? Umh...maybe to collect dealership website visitor data without permission?

1) There is NO statement as to what "Criteo" is doing. Or what anyone else is doing with these scripts. These are questions.
2) Criteo's script was found across every instance of the install. Being in Adtech there's no reason for this. Can you think of one? Or explain? Are you going to say because it's hardcoded? Why not add it to the GTM on a use basis - not across dealerships not using it. At best it's sloppy, at worst... well you can come up with your own thoughts.
3) If I pay for a "Digital Merchandising Product" why am I getting a multitude of 3rd party tracking scripts with it?, One of which is named "wait for domain hack data" - Clarivoy
4) Even if you look at the script, it doesn't tell you what it does after it loads. Our gripe is simple, our clients requested these scripts to be removed in the past when there was a similar instance with eXelate - they were removed and now mysteriously they're back and many more of them now - All without permission.
5) Way-Back-In-Time-Machine can simply give anyone clarity as to what was in a script in case it changes (For any reason).

I simply posted "What IS Happening" - non required data capture and/or tracking scripts are loading and anyone can draw their own conclusions as to why.

My post entirely speculative in nature, but here's what I see:

1. I covered Criteo script. It's literally not doing anything, unless an account id is supplied. If that account_id is null (blank), nothing happens. It skips that entire section of code. The only way that fires if there is an account id in the u variable. I need a sample site and I can get you an exact answer.


2. Developers can get "lazy" in rollouts, especially ones in which there are thousands of integrations of code across dozens of website platforms. I don't use lazy in a negative connotation, they just pick the easiest routes. It is easy and quicker to include any and all scripts in one integrations and not one-off including scripts on various sites - it's too hard to control what is where at that point. With this to the untrained eye it might look like it's doing something its not. This scripts adds a few lines of code and is extremely lightweight. Including it does no harm.

3. You're gravely mistaking on what wait_for_dom_hack_data means. DOM does not equal domain. DOM is Document Object Model, this is an object of the web page in which you can control via JavaScript. Hack to a programmer is not hack as a lay person knows it. Hack simply means 'work around'. This wait_for_dom_hack_data probably means something like this "wait for the DOM to load, then perform a work around to grab data from DOM."

4. Which is why I asked for a website to use as an example. We don't know exactly what is happening without seeing the script execute on the website.
Here

 

[Jeffrey Tognetti]

Regretfully, the initial post of this thread misstates Clarivoy's data practices. We offer this post to clarify any misunderstanding.

Let me start by making something very clear. We do not sell any dealer’s data.

I would like to set the record straight on a couple of fronts:

1. The function “u.clarivoy.wait_for_dom_hack_data()” is not part of the Clarivoy code. It is an integration point within the SpinCar code to determine if the dealer has opted-in to have the Clarivoy tracking code loaded onto the website.
2. “DOM” is not Domain, it stands for Document Object Model. Please see this...The first result when you search Google for DOM. https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction
3. Developers often use the word hack interchangeably to mean a workaround. In this instance, the workaround is designed to fully wait for the DOM to load versus the standard DOMContentLoaded event.

In closing, Clarivoy has never sold dealer data and has always strived to provide trusted, unbiased information to dealers about solution providers and third-party listing sites to help dealers make the most informed decision about their marketing.

Steve
Semantics again, know one knows your'e collecting their website visitor data if they're not a client of yours. And.. maybe your are not selling it, but there are scripts which you sync with which maybe - Selling it.

It's a matter of DISCLOSURE

Further, Why are you collecting data from websites that you have nothing to do with?

 

[csabatka1]

Unfortunately, they took their script offline in a totally not suspicious manner so we can't see a live example.
From the code I saw, it loads the Clarivoy script no matter what - it's using a document.write to add the script to the page and I see no if statement before that.

If someone has the original, I'm happy to dive in.

EDIT: Duh.
https://web.archive.org/web/20191007024042/https://integrator.swipetospin.com/

Also need the data that is stored in "u" that this script references.

It may load the script, but it might not execute it. There are a lot of if statements that I'm seeing that only execute scripts and functions or send data if specific data is contained within "u".

Easiest example is this if statement

if(u.criteo.account_id) {}

if there is is no account_id, this entire criteo section doesn't execute.

 

[Jeffrey Tognetti]

Also need the data that is stored in "u" that this script references.

It may load the script, but it might not execute it. There are a lot of if statements that I'm seeing that only execute scripts and functions or send data if specific data is contained within "u".

Easiest example is this if statement

if(u.criteo.account_id) {}

if there is is no account_id, this entire criteo section doesn't execute.

But again, why incorporate the script at all?
There are many more script's than just Criteo
Also you don't know what Criteo's script does, when it loads (past loading as part of the SpinCar script) or doesn't (unless you worked there and/or designed the script)
Finally read CraigH's post

 

[craigh]

It's loading for me now - not sure what happened there

I am diving in on some of the code, but it's pretty easy to test here.
Load just the integrator script on an empty page - not on any dealer site.
I immediately get a cookie set on my machine by treasuredata.com, who I have never heard of.



Anyways, I'll step back and let the discussion move forward.
I'm more than happy to understand what's going on here and why treasuredata is getting the pageviews.

 

[Jeffrey Tognetti]

It's loading for me now - not sure what happened there

I am diving in on some of the code, but it's pretty easy to test here.
Load just the integrator script on an empty page - not on any dealer site.
I immediately get a cookie set on my machine by treasuredata.com, who I have never heard of.

View attachment 4365

Anyways, I'll step back and let the discussion move forward.
I'm more than happy to understand what's going on here and why treasuredata is getting the pageviews.

It's a CDP (An iteration of a DMP but a bit different) - An aggregator of profile data for an end user(s)

 

[csabatka1]

But again, why incorporate the script at all?
There are many more script's than just Criteo
Also you don't know what Criteo's script does, when it loads or doesn't (unless you worked there and/or designed the script)
Finally read CraigH's post

You're not reading the why. I posted it already. It's easier to include these scripts one master file, then various one-offs. If a change has to be made to any of the script, they would have to do thousands of rollouts. Keeping it all in a single master file is easiest. These scripts literally do nothing on most sites.


It's actually really easy to read through line by line and understand what it does. A programmer doesn't have to work there or have designed the script to know what it's doing. I added notes in red. Again, this only happens if there is an criteo account id provided. The 3 sites I visited with spin car did not provide this ID. So this script does not send data.


u.criteo = {}, u.criteo.send = function() {
if (u.criteo.account_id) { /// This only occurs if there is an account_id, if not no criteo scripts run
if ("0" === u.criteo.account_id && (u.criteo.account_id = o(), !u.criteo.account_id)) return; // returns IDs from function o(), which are buy-here-pay-here dealerships -- 1 in IL, VA, KY, NY, 2 in UT, 5 in WV.
if ("00" === u.criteo.account_id && (u.criteo.account_id = p(), !u.criteo.account_id)) return; // returns IDs for domains coolsprings and murfreeboro
if ("000" === u.criteo.account_id && (u.criteo.account_id = i(), !u.criteo.account_id)) return; //returns IDs for domains carite-of-chesterfield, carite-of-eastpointe, carite-of-fort-pierce, carite-of-garden-city, carite-of-indianapolis, carite-of-madison-heights, carite-of-memphis, carite-of-taylor
var t = [];
if ("srp" === u.page_type) //if the page the visitor is on, page type is SRP
for (t = u.srp_vins.slice(0, 3); t.length < 3 t.push("");
else "vdp" === u.page_type && t.push(g.trim(u.criteo_vin) || u.vin);
if (-1 !== ["53066", "44592", "57299"].indexOf(u.criteo.account_id))
for (var a = 0; a < t.length; a++) t[a] = "1"; //if these IDs match those above, run this loop.
c.log("spincar adtech", u.criteo.account_id, u.page_type, t);
var r = /iPad/.test(n.userAgent) ? "t" : /Mobile|iP(hone|od)|Android|BlackBerry|IEMobile|Silk/.test(n.userAgent) ? "m" : "d"; //sets user device
if (e.criteo_q = e.criteo_q || [], e.criteo_q.push({//push events
event: "setAccount", //sets account id for push event
account: u.criteo.account_id
}, {
event: "setSiteType",
type: r
}), "homepage" === u.page_type) e.criteo_q.push({
event: "viewHome" //if that visitor was on homepage, sets the homepage as page type
});
else if ("srp" === u.page_type) e.criteo_q.push({//push events for
event: "viewList",
item: t
});
else {
if ("vdp" !== u.page_type) return;
e.criteo_q.push({
event: "viewItem",
item: t[0]
})
}
g.getScript("//static.criteo.net/js/ld/ld.js"), u.criteo_audit = {
account_id: u.criteo.account_id,
page_type: u.page_type,
vins: t,
type: r
}, u.analytics2.criteo_audit = u.criteo_audit;
var s = new Image;
s.onload = s.onerror = function() {
s = null
}, s.src = "https://sqs.us-east-1.amazonaws.com/505055843994/prod_counter_onetag?Action=SendMessage&MessageBody=" + 1 * new Date + "&Version=2012-11-05", D()
}
}

u.criteo = {}, u.criteo.send = function() {
                            if (u.criteo.account_id) { /// This only occurs if there is an account_id, if not no criteo scripts run
                                if ("0" === u.criteo.account_id && (u.criteo.account_id = o(), !u.criteo.account_id)) return; // returns IDs from function o(), which are buy-here-pay-here dealerships -- 1 in IL, VA, KY, NY, 2 in UT, 5 in WV.
                                if ("00" === u.criteo.account_id && (u.criteo.account_id = p(), !u.criteo.account_id)) return; // returns IDs for domains coolsprings and murfreeboro
                                if ("000" === u.criteo.account_id && (u.criteo.account_id = i(), !u.criteo.account_id)) return; //returns IDs for domains carite-of-chesterfield, carite-of-eastpointe, carite-of-fort-pierce, carite-of-garden-city, carite-of-indianapolis, carite-of-madison-heights, carite-of-memphis, carite-of-taylor
                                var t = [];
                                if ("srp" === u.page_type) //if the page the visitor is on, page type is SRP
                                    for (t = u.srp_vins.slice(0, 3); t.length < 3;) t.push("");
                                else "vdp" === u.page_type && t.push(g.trim(u.criteo_vin) || u.vin);
                                if (-1 !== ["53066", "44592", "57299"].indexOf(u.criteo.account_id))
                                    for (var a = 0; a < t.length; a++) t[a] = "1"; //if these IDs match those above, run this loop.
                                c.log("spincar adtech", u.criteo.account_id, u.page_type, t);
                                var r = /iPad/.test(n.userAgent) ? "t" : /Mobile|iP(hone|od)|Android|BlackBerry|IEMobile|Silk/.test(n.userAgent) ? "m" : "d";
                                if (e.criteo_q = e.criteo_q || [], e.criteo_q.push({//push events
                                        event: "setAccount",
                                        account: u.criteo.account_id
                                    }, {
                                        event: "setSiteType",
                                        type: r
                                    }), "homepage" === u.page_type) e.criteo_q.push({
                                    event: "viewHome"
                                });
                                else if ("srp" === u.page_type) e.criteo_q.push({//push events
                                    event: "viewList",
                                    item: t
                                });
                                else {
                                    if ("vdp" !== u.page_type) return;
                                    e.criteo_q.push({
                                        event: "viewItem",
                                        item: t[0]
                                    })
                                }
                                g.getScript("//static.criteo.net/js/ld/ld.js"), u.criteo_audit = {
                                    account_id: u.criteo.account_id,
                                    page_type: u.page_type,
                                    vins: t,
                                    type: r
                                }, u.analytics2.criteo_audit = u.criteo_audit;
                                var s = new Image;
                                s.onload = s.onerror = function() {
                                    s = null
                                }, s.src = "https://sqs.us-east-1.amazonaws.com/505055843994/prod_counter_onetag?Action=SendMessage&MessageBody=" + 1 * new Date + "&Version=2012-11-05", D()
                            }
                        }