Why does Google +1 record my mouse movements? [closed]

It appears to be seeding a random number generator with your mouse movements.

The mouse move handler itself does something along the lines of the following:

var b = ((event.X << 16) + event.Y) * (new Date().getTime() % 1000000);
c = c * b % d;
if (previousMouseMoveHandler) previousMouseMoveHandler.call(arguments);

d is (screen.width * screen.width + screen.height) * 1000000, and c is a variable that starts out as 1.

All of this is wrapped in the scope of an anonymous function, which itself is immediately evaluated to return a function that is assigned to a property named "random". That returned function looks something like this:

var b = c;
b += parseInt(hash.substr(0,20), 16);
hash = MD5(hash);
return b / (d + Math.pow(16, 20));

hash, BTW, is a variable that starts out as the MD5 hash of the page's cookies, location, the new Date().getTime(), and Math.random().

(Note, of course, that Google may change the script returned at any time and hence invalidate this analysis)


The actual code that is being executed is derived from the Shindig code found here:

http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shindig.random/random.js

A secure random number is needed to ensure that the secure postMessage channel created here cannot be compromised by scripts on the page to execute arbitrary actions.

Here's an article that explains why using Math.random() is bad:

http://baagoe.com/en/RandomMusings/javascript/


If you can get your script loaded first, you could hook addEventListener and log everyone who is setting addEventListener and see who's doing it and then, by looking at the relevant code, see what they're doing.

Put this in place before the Google code loads:

var oldListener = document.addEventListener;
document.addEventListener = function(type, listener, capture) {
    if (type == "mousedown" || type == "mouseup" || type == "mousemove") {
        console.log("type=" + type + " listener=" + listener.toString().slice(0, 80));
    }
    return (oldListener.apply(this, arguments));
}

To see what was listening to window.onmousemove, you'd have to do it afterwards because it's just a variable assignment, not a function that you can intercept. So sometimes after the initialization code of the page runs, you would do this to log what was hooked up to it:

if (window.onmousemove) {
    console.log(window.onmousemove.toString().slice(0,80));
}

In the uncluttered code as of Jul 22, you'll notice the onmousemove is part of the Gb.random class:

Gb.random = function () {
    function a(a) {
        var b = Jb();
        b.update(a);
        return b.ib()
    }
    var b = la.random(),
        c = 1,
        d = (screen[za] * screen[za] + screen[J]) * 1E6,
        e = i.onmousemove || Db();
    i.onmousemove = function (a) {
        if (i.event) a = i.event;
        var b = a.screenX + a.clientX << 16;
        b += a.screenY + a.clientY;
        b *= (new Date)[Ta]() % 1E6;
        c = c * b % d;
        return e[G](i, ka[x][Aa][G](arguments))
    };
    var f = a(k.cookie + "|" + k[B] + "|" + (new Date)[Ta]() + "|" + b);
    return function () {
        var b = c;
        b += ia(f[cb](0, 20), 16);
        f = a(f);
        return b / (d + la.pow(16, 20))
    }
}();

It's multiplying sum of x and y by 2^16 using bitshift, then adding some other dimensions and multiplying all this by time in milliseconds mod 1000000. This definitely looks like a randomizing algorithm.

I'm not sure why the page would need something like this, perhaps it's using a cookie, preventing automated +1 clicking? When you click the "+1" the login screen that pops up appears to have a random number appended as the hash, the url ends with "&hl=en-US#RANDOMNUMBER"


I bet you its "In-Page Analytics" Beta. Making a cursor and click heat-map.