DOCSLIB.ORG

Persistent Tracking in Modern Browsers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Persistent Tracking in Modern Browsers Statement from the NDSS 2021 Program Committee: NDSS is devoted to ethical principles and encourages the research community to ensure its work protects the privacy, security, and safety of users and others involved. While the NDSS 2021 PC appreciated the technical contributions of this paper, it was the subject of a debate in our community regarding the responsible disclosure of vulnerabilities for the Firefox web browser. The PC examined and discussed the ethics concerns raised and the authors’ response. Although no harm came to users, the authors’ oversight could have made a non-vulnerable browser vulnerable to the attack proposed in the paper. The PC does not believe the authors acted in bad faith. Nevertheless, we decided to add this note as well as the authors’ response (in an Appendix) to the paper because the NDSS PC takes both the ethics of responsible disclosure and fairness towards the authors seriously. It is the PC’s view that researchers must not engage in disclosure practices that subject users to an appreciable risk of substantial harm. NDSS will work with other conferences to further improve the transparency of vulnerability disclosure to reduce such errors in the future. Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers Konstantinos Solomos, John Kristoff, Chris Kanich, Jason Polakis University of Illinois at Chicago fksolom6, jkrist3, ckanich, [email protected] Abstract—The privacy threats of online tracking have gar- I. INTRODUCTION nered considerable attention in recent years from researchers and practitioners. This has resulted in users becoming more privacy- Browsers lie at the heart of the web ecosystem, as they cautious and browsers gradually adopting countermeasures to mediate and facilitate users’ access to the Internet. As the mitigate certain forms of cookie-based and cookie-less tracking. Web continues to expand and evolve, online services strive to Nonetheless, the complexity and feature-rich nature of modern offer a richer and smoother user experience; this necessitates browsers often lead to the deployment of seemingly innocuous appropriate support from web browsers, which continuously functionality that can be readily abused by adversaries. In this adopt and deploy new standards, APIs and features [76]. These paper we introduce a novel tracking mechanism that misuses a mechanisms may allow web sites to access a plethora of device simple yet ubiquitous browser feature: favicons. In more detail, and system information [55], [21] that can enable privacy- a website can track users across browsing sessions by storing a invasive practices, e.g., trackers leveraging browser features to tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific sub- exfiltrate users’ Personally Identifiable Information (PII) [24]. domain. In subsequent user visits the website can reconstruct Naturally, the increasing complexity and expanding set of the identifier by observing which favicons are requested by the features supported by browsers introduce new avenues for browser while the user is automatically and rapidly redirected privacy-invasive or privacy-violating behavior, thus, exposing through a series of subdomains. More importantly, the caching of users to significant risks [53]. favicons in modern browsers exhibits several unique characteris- tics that render this tracking vector particularly powerful, as it is In more detail, while cookie-based tracking (e.g., through persistent (not affected by users clearing their browser data), non- third-party cookies [57]) remains a major issue [29], [9], destructive (reconstructing the identifier in subsequent visits does [69], tracking techniques that do not rely on HTTP cookies not alter the existing combination of cached entries), and even are on the rise [63], [16] and have attracted considerable crosses the isolation of the incognito mode. We experimentally attention from the research community (e.g., novel techniques evaluate several aspects of our attack, and present a series of for device and browser fingerprinting [25], [18], [82], [23], optimization techniques that render our attack practical. We [50]). Researchers have even demonstrated how new browser find that combining our favicon-based tracking technique with security mechanisms can be misused for tracking [78], and the immutable browser-fingerprinting attributes that do not change rise of online tracking [52] has prompted user guidelines and over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore, our attack works in all recommendations from the FTC [20]. major browsers that use a favicon cache, including Chrome and However, cookie-less tracking capabilities do not neces- Safari. Due to the severity of our attack we propose changes to sarily stem from modern or complex browser mechanisms browsers’ favicon caching behavior that can prevent this form (e.g., service workers [43]), but may be enabled by simple or of tracking, and have disclosed our findings to browser vendors overlooked browser functionality. In this paper we present a who are currently exploring appropriate mitigation strategies. novel tracking mechanism that exemplifies this, as we demon- strate how websites can leverage favicons to create persistent tracking identifiers. While favicons have been a part of the Network and Distributed Systems Security (NDSS) Symposium 2021 web for more than two decades and are a fairly simple website 21-25 February 2021, Virtual ISBN 1-891562-66-5 resource, modern browsers exhibit interesting and sometimes https://dx.doi.org/10.14722/ndss.2021.24202 fairly idiosyncratic behavior when caching them. In fact, the www.ndss-symposium.org favicon cache (i) is a dedicated cache that is not part of the browser’s HTTP cache, (ii) is not affected when users clear any website, without the need for user interaction or consent, the browser’s cache/history/data, (iii) is not properly isolated and works even when popular anti-tracking extensions are from private browsing modes (i.e., incognito mode), and (iv) deployed. To make matters worse, the idiosyncratic caching can keep favicons cached for an entire year [26]. behavior of modern browsers, lends a particularly egregious property to our attack as resources in the favicon cache are By leveraging all these properties, we demonstrate a novel used even when browsing in incognito mode due to im- persistent tracking mechanism that allows websites to re- proper isolation practices in all major browsers. Furthermore, identify users across visits even if they are in incognito mode our fingerprint-based optimization technique demonstrates the or have cleared client-side browser data. Specifically, websites threat and practicality of combinatorial approaches that use dif- can create and store a unique browser identifier through a ferent techniques to complement each other, and highlights the unique combination of entries in the favicon cache. To be more need for more holistic explorations of anti-tracking defenses. precise, this tracking can be easily performed by any website Guided by the severity of our findings we have disclosed our by redirecting the user accordingly through a series of subdo- findings to all affected browsers who are currently working on mains. These subdomains serve different favicons and, thus, remediation efforts, while we also propose various defenses create their own entries in the Favicon-Cache. Accordingly, a including a simple-yet-effective countermeasure that can mit- set of N-subdomains can be used to create an N-bit identifier, igate our attack. that is unique for each browser. Since the attacker controls the website, they can force the browser to visit subdomains In summary, our research contributions are: without any user interaction. In essence, the presence of the favicon for subdomaini in the cache corresponds to a value of • We introduce a novel tracking mechanism that allows 1 for the i-th bit of the identifier, while the absence denotes a websites to persistently identify users across browsing value of 0. sessions, even in incognito mode. Subsequently, we demonstrate how immutable browser fingerprints intro- We find that our attack works against all major browsers duce a powerful optimization mechanism that can be used that use a favicon cache, including Chrome, Safari, and the to augment other tracking vectors. more privacy-oriented Brave. We experimentally evaluate our • We conduct an extensive experimental evaluation of our attack methodology using common hosting services and devel- proposed attack and optimization techniques under var- opment frameworks, and measure the impact and performance ious scenarios and demonstrate the practicality of our of several attack characteristics. First, we experiment with the attack. We also explore the effect of popular privacy- size of the browser identifier across different types of devices enhancing browser extensions and find that while they (desktop/mobile) and network connections (high-end/cellular can impact performance they do not prevent our attack. network). While performance depends on the network condi- • Due to the severity of our attack, we have disclosed our tions and the server’s computational power, for a basic server findings to major browsers, setting in motion remediation deployed on Amazon AWS, we find that redirections between efforts to better protect users’ privacy, and also propose subdomains can be done within 110-180 ms. As such, for the caching strategies that
Load more

Recommended publications
  • Analyzing Safari 2.X Web Browser Artifacts Using SFT
    Analyzing Safari 2.x Web Browser Artifacts using SFT. Copyright 2007 - Jacob Cunningham (v1.0) Table of Contents Introduction:...............................................................................................................................................3 Safari Forensic Tools................................................................................................................................. 3 OSX Property List files..............................................................................................................................3 Safari Related Files.................................................................................................................................... 4 The Safari Preferences files....................................................................................................................... 5 Browser History......................................................................................................................................... 7 Downloads history:.................................................................................................................................... 8 Bookmarks file ........................................................................................................................................10 Cookies file:............................................................................................................................................. 11 Browser Cache........................................................................................................................................
    [Show full text]
  • Private Browsing
    Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor, Carnegie Mellon University https://www.usenix.org/conference/soups2018/presentation/habib-prying This paper is included in the Proceedings of the Fourteenth Symposium on Usable Privacy and Security. August 12–14, 2018 • Baltimore, MD, USA ISBN 978-1-939133-10-6 Open access to the Proceedings of the Fourteenth Symposium on Usable Privacy and Security is sponsored by USENIX. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Faith Cranor Carnegie Mellon University {htq, jcolnago, vidyag, spearman, thomasjm, acquisti, nicolasc, lorrie}@andrew.cmu.edu ABSTRACT Prior user studies have examined different aspects of private Previous research has suggested that people use the private browsing, including contexts for using private browsing [4, browsing mode of their web browsers to conduct privacy- 10, 16, 28, 41], general misconceptions of how private brows- sensitive activities online, but have misconceptions about ing technically functions and the protections it offers [10,16], how it works and are likely to overestimate the protections and usability issues with private browsing interfaces [41,44]. it provides. To better understand how private browsing is A major limitation of much prior work is that it is based used and whether users are at risk, we analyzed browsing on self-reported survey data, which may not always be reli- data collected from over 450 participants of the Security able.
    [Show full text]
  • Smug May 09 Final
    STANFORD/PALO ALTO MACINTOSH USERS GROUP NEWSLETTER Vol.19 No.5 May 2009 Will be presenting at the monday May 4 Meeting Kathy Garrigan will be the presenter. Avery DesignPro for Mac is software that lets you print on Avery products on your Macintosh. Like business cards, label sheets, greeting cards, iron-ons, and so on. Both Dave and myself have only used the CD. The business card template and labels are very easy to use. I hope to have some samples of the things that I used the Avery templates for. Cards, T-shirts and hopefully wine labels. The great part about this app it is FREE!!!! Lorrie bleiler "Select All." April Meeting Report "Go to end." "Undo dictation." "Select the word 'sigh'". by Dave Strom (Note from Dave: Hey, this works really well!) Jay is read- MacSpeech ing words, and he will speak punctuation like "period" or and Drobo "hyphen", and the punctuation goes in. We had two (count 'em: two in "Capitalize the word group", and Dictate capped it! "Open one!) this evening. Quote", and Jay read, then said "comma", then Jay read MacSpeech and Drobo. more, "close quote", "period", "go to sleep". MacSpeech If you speak fast, you can get up to 120 words a minute, www.macspeech.com but with most people it is more like 60, then 80-90 with Jay Gonzales presented MacSpeech Dictate. This software, practice. Dictate can keep up with you. It will not print out with a microphone, does speech recognition on the the text instantly (note from Dave: I notice it does buffer Macintosh.
    [Show full text]
  • Personalizing Voyager Using Browser Extensions
    University of Kentucky UKnowledge Library Presentations University of Kentucky Libraries 5-8-2015 Personalizing Voyager Using Browser Extensions Kathryn Lybarger University of Kentucky, [email protected] Right click to open a feedback form in a new tab to let us know how this document benefits oy u. Follow this and additional works at: https://uknowledge.uky.edu/libraries_present Part of the Cataloging and Metadata Commons Repository Citation Lybarger, Kathryn, "Personalizing Voyager Using Browser Extensions" (2015). Library Presentations. 128. https://uknowledge.uky.edu/libraries_present/128 This Presentation is brought to you for free and open access by the University of Kentucky Libraries at UKnowledge. It has been accepted for inclusion in Library Presentations by an authorized administrator of UKnowledge. For more information, please contact [email protected]. Personalizing Voyager using Browser Extensions Kathryn Lybarger @zemkat ELUNA 2015 #eluna2015 May 8, 2015 Personalizing Voyager As an institution, we have a fair amount of power over how Voyager’s OPAC looks Colors and fonts Which fields are searchable What displays in search results What displays in full record view … (anything really) Must find a balance Provide good access to most of our patrons Don’t clutter the interface needlessly But how about… Personalizing for particular groups of patrons? Personalizing for staff needs? Doing so quickly? Even temporarily? Web browser extensions Custom search bars Extensions Bookmarklets User scripts Browser
    [Show full text]
  • Tracking Users Across the Web Via TLS Session Resumption
    Tracking Users across the Web via TLS Session Resumption Erik Sy Christian Burkert University of Hamburg University of Hamburg Hannes Federrath Mathias Fischer University of Hamburg University of Hamburg ABSTRACT modes, and browser extensions to restrict tracking practices such as User tracking on the Internet can come in various forms, e.g., via HTTP cookies. Browser fingerprinting got more difficult, as trackers cookies or by fingerprinting web browsers. A technique that got can hardly distinguish the fingerprints of mobile browsers. They are less attention so far is user tracking based on TLS and specifically often not as unique as their counterparts on desktop systems [4, 12]. based on the TLS session resumption mechanism. To the best of Tracking based on IP addresses is restricted because of NAT that our knowledge, we are the first that investigate the applicability of causes users to share public IP addresses and it cannot track devices TLS session resumption for user tracking. For that, we evaluated across different networks. As a result, trackers have an increased the configuration of 48 popular browsers and one million of the interest in additional methods for regaining the visibility on the most popular websites. Moreover, we present a so-called prolon- browsing habits of users. The result is a race of arms between gation attack, which allows extending the tracking period beyond trackers as well as privacy-aware users and browser vendors. the lifetime of the session resumption mechanism. To show that One novel tracking technique could be based on TLS session re- under the observed browser configurations tracking via TLS session sumption, which allows abbreviating TLS handshakes by leveraging resumptions is feasible, we also looked into DNS data to understand key material exchanged in an earlier TLS session.
    [Show full text]
  • Forensic Investigation of User's Web Activity on Google Chrome Using
    IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.9, September 2016 123 Forensic Investigation of User’s Web Activity on Google Chrome using various Forensic Tools Narmeen Shafqat, NUST, Pakistan Summary acknowledged browsers like Internet Explorer, Google Cyber Crimes are increasing day by day, ranging from Chrome, Mozilla Firefox, Safari, Opera etc. but should confidentiality violation to identity theft and much more. The also have hands on experience of less popular web web activity of the suspect, whether carried out on computer or browsers like Erwise, Arena, Cello, Netscape, iCab, smart device, is hence of particular interest to the forensics Cyberdog etc. Not only this, the forensic experts should investigator. Browser forensics i.e forensics of suspect’s browser also know how to find artifacts of interest from older history, saved passwords, cache, recent tabs opened etc. , therefore supply ample amount of information to the forensic versions of well-known web browsers; Internet Explorer, experts in case of any illegal involvement of the culprit in any Chrome and Mozilla Firefox atleast, because he might activity done on web browsers. Owing to the growing popularity experience a case where the suspected person is using and widespread use of the Google Chrome web browser, this older versions of these browsers. paper will forensically analyse the said browser in windows 8 According to StatCounter Global market share for the web environment, using various forensics tools and techniques, with browsers (2015), Google Chrome, Mozilla Firefox and the aim to reconstruct the web browsing activities of the suspect. Microsoft’s Internet Explorer make up 90% of the browser The working of Google Chrome in regular mode, private usage.
    [Show full text]
  • Incognito (Private Browsing) for AHA Online Testing
    Incognito (private browsing) for AHA Online Testing Go Incognito on Google Chrome 1. Open Google Chrome and click the wrench icon in the top right corner. 2. Click ‘new incognito window’. 3. Alternatively, you can press Ctrl + Shift + N. *You can also open a link in a web page in Incognito Mode. 1. Right-click on the link you want to open in an Incognito window. 2. Click ’Open in new incognito window’ from the context menu. **You can tell if you’re browsing privately by looking for the logo of the person in disguise in the top-left corner of the window. He’s wearing sunglasses, a hat and a raincoat. Go Incognito on Mozilla Firefox 1. Open Firefox and click the hamburger Menu button – it looks like three parallel lines. 2. Click ‘New private window’. *You can also open a link in a web page in a private window. 1. Right-click on the link you want to open in a private window. 2. Click ’Open in New Private Window’ from the context menu. **You can tell if you’re browsing privately by looking for an icon of a purple mask in the top-right corner of the window. Go Incognito on Safari on the Mac 1. In Yosemite and later, open Safari and click on ‘File’. 2. Click ‘New Private Window’. 3. Alternatively, click Command + Shift + N. 4. In Mavericks 10.9 or older, open Safari and click Safari in the browser’s Menu bar and select ‘Private Browsing’. **Private browsing tabs in Safari are separated from non-private tabs.
    [Show full text]
  • An Analysis of Private Browsing Modes in Modern Browsers
    An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal Elie Bursztein Collin Jackson Dan Boneh Stanford University CMU Stanford University Abstract Even within a single browser there are inconsistencies. We study the security and privacy of private browsing For example, in Firefox 3.6, cookies set in public mode modes recently added to all major browsers. We first pro- are not available to the web site while the browser is in pose a clean definition of the goals of private browsing private mode. However, passwords and SSL client cer- and survey its implementation in different browsers. We tificates stored in public mode are available while in pri- conduct a measurement study to determine how often it is vate mode. Since web sites can use the password man- used and on what categories of sites. Our results suggest ager as a crude cookie mechanism, the password policy that private browsing is used differently from how it is is inconsistent with the cookie policy. marketed. We then describe an automated technique for Browser plug-ins and extensions add considerable testing the security of private browsing modes and report complexity to private browsing. Even if a browser ad- on a few weaknesses found in the Firefox browser. Fi- equately implements private browsing, an extension can nally, we show that many popular browser extensions and completely undermine its privacy guarantees. In Sec- plugins undermine the security of private browsing. We tion 6.1 we show that many widely used extensions un- propose and experiment with a workable policy that lets dermine the goals of private browsing.
    [Show full text]
  • Mozilla: a Users Guide
    Mozilla: A Users Guide. or Using the Mozilla Application Suite Kevin T. Neely October 17, 2003 Contents 1 Installation 15 1.1 Deciding which Mozilla to Run ........................ 15 1.1.1 Platform ................................. 15 1.1.2 Version .................................. 15 1.2 Installing Mozilla ................................ 16 1.2.1 Using an Installer Package ....................... 16 1.2.2 Manual Installation ........................... 17 1.3 Upgrading .................................... 19 1.3.1 Make a Backup ............................. 19 1.3.2 Uninstall ................................. 19 1.3.3 Install Mozilla .............................. 20 1.3.4 Retrieve Missing Files ......................... 20 1.4 Running Multiple versions of Mozilla ..................... 21 2 Getting Started and Mozilla Basics 23 2.1 Starting Mozilla ................................. 23 2.2 Exiting Mozilla ................................. 23 2.2.1 QuickLaunch .............................. 23 3 CONTENTS CONTENTS 2.3 Preferences ................................... 24 2.4 Advanced Settings ............................... 24 2.4.1 prefs.js .................................. 25 2.4.2 user.js .................................. 25 2.4.3 userContent.css ............................. 26 2.5 Profiles ...................................... 27 2.6 Themes ..................................... 27 2.7 Security ..................................... 27 2.7.1 Passwords ................................ 27 2.8 Cookies ....................................
    [Show full text]
  • Features Guide [email protected] Table of Contents
    Features Guide [email protected] Table of Contents About Us .................................................................................. 3 Make Firefox Yours ............................................................... 4 Privacy and Security ...........................................................10 The Web is the Platform ...................................................11 Developer Tools ..................................................................13 2 About Us About Mozilla Mozilla is a global community with a mission to put the power of the Web in people’s hands. As a nonprofit organization, Mozilla has been a pioneer and advocate for the Web for more than 15 years and is focused on creating open standards that enable innovation and advance the Web as a platform for all. We are committed to delivering choice and control in products that people love and can take across multiple platforms and devices. For more information, visit www.mozilla.org. About Firefox Firefox is the trusted Web browser of choice for half a billion people around the world. At Mozilla, we design Firefox for how you use the Web. We make Firefox completely customizable so you can be in control of creating your best Web experience. Firefox has a streamlined and extremely intuitive design to let you focus on any content, app or website - a perfect balance of simplicity and power. Firefox makes it easy to use the Web the way you want and offers leading privacy and security features to help keep you safe and protect your privacy online. Mozilla continues to move the Web forward by pioneering new open source technologies such as asm.js, Emscripten and WebAPIs. Firefox also has a range of amazing built-in developer tools to provide a friction-free environment for building Web apps and Web content.
    [Show full text]
  • Online Tracking: a 1-Million-Site Measurement and Analysis
    Online Tracking: A 1-million-site Measurement and Analysis Steven Englehardt Arvind Narayanan Princeton University Princeton University This is an extended version of our paper that appeared at ACM CCS 2016. ABSTRACT to resort to a stripped-down browser [31] (a limitation we explore in detail in Section 3.3). (2) We provide compre­ We present the largest and most detailed measurement of hensive instrumentation by expanding on the rich browser online tracking conducted to date, based on a crawl of the extension instrumentation of FourthParty [33], without re­ top 1 million websites. We make 15 types of measurements quiring the researcher to write their own automation code. on each site, including stateful (cookie-based) and stateless (3) We reduce duplication of work by providing a modular (fingerprinting-based) tracking, the effect of browser privacy architecture to enable code re-use between studies. tools, and the exchange of tracking data between different Solving these problems is hard because the web is not de­ sites (“cookie syncing”). Our findings include multiple so­ 2 signed for automation or instrumentation. Selenium, the phisticated fingerprinting techniques never before measured main tool for automated browsing through a full-fledged in the wild. browser, is intended for developers to test their own web­ This measurement is made possible by our open-source 1 sites. As a result it performs poorly on websites not con­ web privacy measurement tool, OpenWPM , which uses an trolled by the user and breaks frequently if used for large- automated version of a full-fledged consumer browser. It scale measurements. Browsers themselves tend to suffer supports parallelism for speed and scale, automatic recovery memory leaks over long sessions.
    [Show full text]
  • In Action Second Edition
    Bear Bibeault Covers jQuery 1.4 and jQuery UI 1.8 Yehuda Katz IN ACTION SECOND EDITION MANNING Praise for the First Edition This is an excellent work, a worthy successor to others in Manning’s “In Action” series. It is highly readable and chock-full of working code. The Lab pages are a marvelous way to explore the library, which should become an important part of every web developer’s arsenal. Five stars all ‘round! —David Sills, JavaLobby, Dzone I highly recommend the book for learning the fundamentals of jQuery and then serving as a good reference book as you leverage the power of jQuery more and more in your daily development. —David Hayden, MVP C#, Codebetter.com The Elements of Style for JavaScript. —Joshua Heyer, Trane Inc. For those new to jQuery, this book is a good primer that covers a range of common uses of the framework.... The examples throughout the book are relevant, and make the point effectively. The code snippets are easily distinguishable from the rest of the text, and the text is clear and easy to follow. —Grant Palin, Blogger It works and makes for a very readable book that you can just breeze through very quickly and pick up and retain a lot of information. —Rich Strahl, Blogger Thanks to the authors Bear Bibeault and Yehuda Katz and their exemplary style, this compre- hensive book, or operating manual as it might be called, can be taken in a front-to-back approach to learn from scratch, or as a reference to those already dabbling in jQuery and needing verifica- tion of best practices.
    [Show full text]