TRANSCRIPT
Gábor György Gulyás Privatics Team, INRIA
http://gulyas.info // @GulyasGG
BROWSER EXTENSION AND LOGIN-LEAK EXPERIMENT
IPEN 2017, Vienna
Joint work with Nataliia Bielova, Claude Castelluccia
USER TRACKING ON THE WEB
17-06-09 © Gábor György Gulyás 2
The „de-facto” business model of the web
[Diagram labels: User · ID=967 · cnn.com · Advertiser · ID=967 · „Apples on sale!”]
Storing the identifier on the client side
• Cookies
– Flash
– HTML5
• Caching in files of
– JavaScript
– CSS
– Images (pixel-level)
• E-tags
• Last-mod timestamps
• HTTP authentication
• HTTP 301 redirect
• HSTS caches
• …
Browser fingerprinting appears (2010-2012) [3]
• Browser fingerprint
– Flash/Java required (for 95% uniqueness)
– Browser dependent
http://panopticlick.eff.org
• Cross-browser fingerprinting
– Device fingerprint
– No plugins, just JS
– Concept appears later in the wild
https://fingerprint.pet-portal.eu
Fingerprinting penetration (2013-2016)
2013: Alexa TOP 10k
• 20 pages deep
• 0,4% adoption (40 sites)
• Skype.com, porn and dating
• 3 804 less popular sites are tracked
2016: Alexa TOP 1M
Nikiforakis et al.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting (2013)
S. Englehardt, A. Narayanan: Online tracking: A 1-million-site measurement and analysis (2016)
Behavioral fingerprinting
[Figure: cloud of popular sites: Google.com, Youtube.com, Facebook.com, Baidu.com, Yahoo.com, Wikipedia.org, Google.co.in, Qq.com, Sohu.com, Google.co.jp, Taobao.com, Tmall.com, Live.com, Amazon.com, Vk.com, Twitter.com, Instagram.com, 360.cn]
You are what you install to your computer?
Fonts are good indicators of what is installed.
Boda et al.: User Tracking on the Web via Cross-Browser Fingerprinting (2011)
The list of the sites you have visited also describes you well.
Can be used to de-anonymize you as a natural person.
Su et al.: De-anonymizing Web Browsing Data with Social Networks (2017)
BROWSER EXTENSION AND LOGIN-LEAK EXPERIMENT
Browser Extension and Login-Leak Experiment
• Extension detection
– Detecting extension resources
• Detecting web logins
– Redirection URL hijacking
– Misusing CSP violation
Why is this a problem?
Extensions can leak private information!
The more privacy extensions you install, the more identifiable you are!
Extension detection history
How does it work?
chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/app/images/apps_pages/tracker.png
(mlomiejdfkolichcflejclcbmpeaniij = Extension ID (Ghostery); /app/images/apps_pages/tracker.png = local filepath)
• Try yourself: http://tinyurl.com/chrome-ghostery
• High precision & coverage:
– Large fraction of extensions covered ~28%
– No false-positives (uninstalled extensions not reported)
• Robustness (multiple resources can be checked)
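Resources are only probe-able this way when the extension's manifest declares them web-accessible, so the check an extension author or reviewer wants is an audit of that manifest entry. The script below is an added example, not the experiment's code; both manifests are constructed for illustration (only the Ghostery resource path comes from the slide), and it handles the Manifest V2 flat list as well as the V3 per-entry `matches` / `extension_ids` forms.

```python
"""Audit a browser-extension manifest for web-accessible resources that a
page can probe at chrome-extension://<id>/<path>. Added example, not the
experiment's code; both manifests below are constructed for illustration."""
import json

# Constructed Manifest V2 sample: a flat list, fetchable from every origin.
MANIFEST_V2 = json.dumps({
    "manifest_version": 2,
    "web_accessible_resources": ["app/images/apps_pages/tracker.png", "ui/*.css"],
})
# Constructed Manifest V3 sample: each entry limits who may fetch it.
MANIFEST_V3 = json.dumps({
    "manifest_version": 3,
    "web_accessible_resources": [
        {"resources": ["inject.js"], "matches": ["<all_urls>"]},
        {"resources": ["panel.html"], "matches": ["https://intranet.example/*"]},
        {"resources": ["bridge.js"], "extension_ids": ["abcdefghijklmnopabcdefghijklmnop"]},
    ],
})
ANY_SITE = ("<all_urls>", "*://*/*")


def detectable_resources(manifest_json: str) -> list[tuple[str, str]]:
    """Return (resource, exposure) pairs. Exposure is 'any site' when every
    web origin may load the resource, 'none' when only other extensions may,
    otherwise the comma-joined match patterns that may."""
    manifest = json.loads(manifest_json)
    entries = manifest.get("web_accessible_resources", [])
    if manifest.get("manifest_version", 2) < 3:
        return [(res, "any site") for res in entries]  # MV2: no restriction possible
    found = []
    for entry in entries:
        matches = entry.get("matches", [])
        if any(pattern in ANY_SITE for pattern in matches):
            exposure = "any site"
        elif matches:
            exposure = ", ".join(matches)
        else:
            exposure = "none"  # extension_ids only: not reachable from web pages
        found.extend((res, exposure) for res in entry.get("resources", []))
    return found


def audit(manifest_json: str) -> list[str]:
    """Findings worth fixing: every resource some web page can use as a probe.
    Remedies: drop the entry, narrow `matches`, or (MV3) set
    `use_dynamic_url: true` so the URL no longer carries the stable extension id."""
    return [f"{res}: loadable by {who}"
            for res, who in detectable_resources(manifest_json) if who != "none"]
```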
Other browsers?
• Firefox
– Smaller impact: ~7% (direct possibility to manipulate UI)
– WebExtensions → same vulnerability as Chrome (but ~5.5%)
– Resources leak more information
• Opera
• Brave
– Comes with detectable built-in extensions
– Test it here: https://extensions.inrialpes.fr/brave/
• Edge
– It is possible [http://tinyurl.com/edge-ext]
– Low number of extensions are available
Browser Extension and Login-Leak Experiment
• Extension detection
– Detecting extension resources
• Detecting web logins
– Redirection URL hijacking
– Misusing CSP violation
Why is this a problem?
Allows very precise profiling.
Leaks sensitive info (security!).
Allows behavioral tracking.
Tells about where you work.
Currently detected sites (60)
Shopping: 500px • Alibaba.com, Aliexpress.com • Airbnb • Amazon.{co.uk, com, de, fr, it} • eBay.{co.uk, com, de, fr, it} • Expedia • Paypal • Photobucket • shutterstock • Steam • Square
Social & Fun: Battle.net • Facebook • Flickr • Foursquare • Gmail • Google Plus • Instagram • LinkedIn • Meetup • Pinterest • Skype • Spotify • Tumblr • Twitter • VK • Youtube
News & Blogging: Forbes • Hackernews • LeMonde.fr • LiveJournal • Medium • Reddit • Spiegel.de • Yahoo
Work & Education: Academia.edu • BitBucket • Carbonmade • Dropbox • EdX • Evernote • Github • Indeed • Inria • Khan Academy • PluralSight • Scribd • Slack • SugarSync • Viadeo
Gray zone: Youporn • Dating sites
(based on a slide from Nataliia Bielova)
Techniques used
Redirection URL hijacking by @robin_linus
Abusing Content Security Policy by @homakov
How do they work?
Redirection URL hijacking
https://inria.fr/login?return=CALENDAR
How do they work? [2]
Redirection URL hijacking
https://inria.fr/login?return=logo_INRIA.png
Not logged in: login page
Logged in: silent & unchecked redirection to image
<img/>
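The oracle exists because the login endpoint redirects to whatever `return` names once the user is logged in, so an `<img>` pointing at the login URL loads only in that state. The site-side check below is an added example, not the experiment's or Inria's code: it resolves `return` through a fixed table of application routes (the route names and paths are assumed for illustration), so file names, absolute URLs and protocol-relative values all fall back to a default HTML page and the image probe fails in both states.

```python
"""Server-side handling of a login endpoint's `return` parameter. Added example,
not the experiment's code; the route table and paths are assumed."""
from urllib.parse import parse_qs, urlsplit

# Assumed route table: the only targets the login page may redirect to.
# Every target renders HTML, so an <img> probe errors whether or not the
# visitor is logged in and no longer distinguishes the two states.
RETURN_ROUTES = {"CALENDAR": "/calendar", "INBOX": "/mail", "HOME": "/"}
DEFAULT_ROUTE = "/"


def resolve_return(login_url: str) -> str:
    """Map the `return` query parameter of a login URL to a safe redirect path."""
    values = parse_qs(urlsplit(login_url).query).get("return", [])
    if len(values) != 1:
        return DEFAULT_ROUTE  # missing or repeated parameter: ignore it
    # Exact lookup by route name; anything else (logo_INRIA.png, https://...,
    # //other.example/...) is not a key and falls through to the default.
    return RETURN_ROUTES.get(values[0], DEFAULT_ROUTE)


def login_response(login_url: str, logged_in: bool) -> tuple[int, str]:
    """(status, location or body) the endpoint answers with."""
    if not logged_in:
        return 200, "login form"
    return 302, resolve_return(login_url)


# The cookie attribute that closes the channel entirely: with SameSite=Lax the
# session cookie is not attached to a cross-site <img> request, so the endpoint
# treats such a probe as logged out regardless of `return`. Value is a placeholder.
SESSION_COOKIE = "session=<opaque>; Secure; HttpOnly; SameSite=Lax; Path=/"
```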
How do they work? [3]
Abusing CSP
http://my.ebay.com
Not logged in: http://www.ebay.com
Logged in: http://my.ebay.com
<img/>
Not allowed redirection! Raises error, reports it back.
https://extensions.inrialpes.fr
What could we do (for now)?
Extension detection
• Chrome, Opera, Brave: not much.
• Safari: not evaluated.
• Firefox: vulnerable. But: few extensions, and good for privacy.
Web login detection
• Best advice is to turn off third-party cookies.
• Or use an extension that blocks
– access to third-party cookies,
– tracking, or
– JavaScript (noscript).
Thank you for your attention!
ANY QUESTIONS?
Gábor György Gulyás Privatics Team, INRIA
http://gulyas.info // @GulyasGG