Browser Extension and Login-Leak Experiment


IPEN 2017, Vienna
Joint work with Nataliia Bielova, Claude Castelluccia
Gábor György Gulyás, Privatics Team, INRIA
http://gulyas.info // @GulyasGG
17-06-09 © Gábor György Gulyás

USER TRACKING ON THE WEB

The "de-facto" business model of the web
[Figure labels: Advertiser, User, ID=967, cnn.com, "Apples on sale!"]

Storing the identifier on the client side
• Cookies
  – Flash
  – HTML5
• Caching in files of
  – JavaScript
  – CSS
  – Images (pixel-level)
• E-tags
• Last-mod timestamps
• HTTP authentication
• HTTP 301 redirect
• HSTS caches
• …

Browser fingerprinting appears (2010-2012) [3]
• Browser fingerprint (http://panopticlick.eff.org)
  – Flash/Java required (for 95% uniqueness)
  – Browser dependent
• Cross-browser fingerprint (https://fingerprint.pet-portal.eu)
  – Device fingerprint
  – No plugins, just JS
  – Concept appears later in the wild

Fingerprinting penetration (2013-2016)
2013: Alexa TOP 10k.
• 20 pages deep
• 0,4% adoption (40 sites)
• Skype.com, porn and dating
• 3 804 less popular sites are tracked
Nikiforakis et al.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting (2013)
2016: Alexa TOP 1M.
S. Englehardt, A. Narayanan: Online tracking: A 1-million-site measurement and analysis (2016)

Behavioral fingerprinting
You are what you install on your computer? Fonts are good indicators of what is installed.
Boda et al.: User Tracking on the Web via Cross-Browser Fingerprinting (2011)
The list of the sites you have visited also describes you well. It can be used to de-anonymize you as a natural person.
[Figure: example site list: Google.com, Youtube.com, Facebook.com, Baidu.com, Yahoo.com, Wikipedia.org, Google.co.in, Qq.com, Sohu.com, Google.co.jp, Taobao.com, Tmall.com, Live.com, Amazon.com, Vk.com, Twitter.com, Instagram.com, 360.cn]
Su et al.: De-anonymizing Web Browsing Data with Social Networks (2017)

BROWSER EXTENSION AND LOGIN-LEAK EXPERIMENT

Browser Extension and Login-Leak Experiment
• Extension detection
  – Detecting extension resources
• Detecting web logins
  – Redirection URL hijacking
  – Misusing CSP violation

Why is this a problem?
Extensions can leak private information!
The more privacy extensions you install, the more identifiable you are!

Extension detection history
[Figure not recovered]

How does it work?
chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/app/images/apps_pages/tracker.png
(Extension ID: mlomiejdfkolichcflejclcbmpeaniij (Ghostery); local filepath: app/images/apps_pages/tracker.png)
• Try yourself: http://tinyurl.com/chrome-ghostery
• High precision & coverage:
  – Large fraction of extensions covered: ~28%
  – No false positives (uninstalled extensions not reported)
• Robustness (multiple resources can be checked)

Other browsers?
• Firefox
  – Smaller impact: ~7% (direct possibility to manipulate UI)
  – WebExtensions → same vulnerability as Chrome (but ~5.5%)
  – Resources leak more information
• Opera
• Brave
  – Comes with detectable built-in extensions
  – Test it here: https://extensions.inrialpes.fr/brave/
• Edge
  – It is possible [http://tinyurl.com/edge-ext]
  – Low number of extensions are available

Browser Extension and Login-Leak Experiment
• Extension detection
  – Detecting extension resources
• Detecting web logins
  – Redirection URL hijacking
  – Misusing CSP violation

Why is this a problem?
Allows very precise profiling.
Leaks sensitive info (security!).
Tells about where you work.
Allows behavioral tracking.

Currently detected sites (60)
• Social & Fun: Battle.net, Facebook, Flickr, Foursquare, Gmail, Google Plus, Instagram, LinkedIn, Meetup, Pinterest, Skype, Spotify, Tumblr, Twitter, VK, Youtube, Yahoo
• Shopping: 500px, Alibaba.com, Aliexpress.com, Airbnb, Amazon.{co.uk, com, de, fr, it}, eBay.{co.uk, com, de, fr, it}, Expedia, Paypal, Photobucket, shutterstock, Steam, Square
• News & Blogging: Forbes, Hackernews, LeMonde.fr, LiveJournal, Medium, Reddit, Spiegel.de
• Work & Education: Academia.edu, BitBucket, Carbonmade, Dropbox, EdX, Evernote, Github, Indeed, Inria, Khan Academy, PluralSight, Scribd, Slack, SugarSync, Viadeo
• Gray zone: Youporn, Dating sites

Techniques used
• Redirection URL hijacking by @robin_linus
• Abusing Content Security Policy by @homakov
Based on a slide from Nataliia Bielova.

How do they work?
Redirection URL hijacking
https://inria.fr/login?return=CALENDAR

How do they work? [2]
Redirection URL hijacking
<img /> pointing at https://inria.fr/login?return=logo_INRIA.png
• Not logged in: login page
• Logged in: silent & unchecked redirection to image

How do they work? [3]
Abusing CSP
<img /> pointing at http://my.ebay.com
Not allowed redirection! Raises error, reports it back.
• Not logged in: http://www.ebay.com
• Logged in: http://my.ebay.com

https://extensions.inrialpes.fr

What could we do (for now)?
Extension detection
• Chrome, Opera, Brave: not much.
• Safari: not evaluated.
• Firefox: vulnerable. But: few extensions, and good for privacy.
Web login detection
• Best advice is to turn off third-party cookies.
• Or use an extension that blocks
  – access to third-party cookies,
  – tracking, or
  – JavaScript (noscript).

Thank you for your attention!
ANY QUESTIONS?
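A site-side counterpart to the "Redirection URL hijacking" slides, added here as an example that is not part of the original deck: a login handler that answers the same way for logged-in and logged-out users when the request is an embedded sub-resource, and never redirects to an image. The function names, the `/` fallback page and the extension list are assumptions of this sketch; the `Sec-Fetch-*` request headers are the browser's Fetch Metadata headers.

```javascript
// Assumed values for this sketch (hypothetical, not taken from the slides).
const SITE_ORIGIN = "https://inria.fr";
const DEFAULT_PAGE = "/";
const STATIC_EXT = /\.(png|jpe?g|gif|svg|ico|webp|css|js|woff2?)$/i;

// "Before": the behaviour the slide describes, an unchecked redirect
// to whatever the return parameter names once the user has a session.
function naiveLogin({ returnParam, loggedIn }) {
  if (!loggedIn) return { status: 200, location: null }; // login page
  return { status: 302, location: "/" + returnParam };
}

// Resolve the return parameter to a same-origin *page* path, or fall back.
function safeReturnPath(returnParam) {
  if (typeof returnParam !== "string" || returnParam === "") return DEFAULT_PAGE;
  let url;
  try {
    url = new URL(returnParam, SITE_ORIGIN + "/");
  } catch (err) {
    return DEFAULT_PAGE;
  }
  if (url.origin !== SITE_ORIGIN) return DEFAULT_PAGE;    // no off-site redirect
  if (STATIC_EXT.test(url.pathname)) return DEFAULT_PAGE; // never bounce to an image or script
  return url.pathname + url.search;
}

// True when Fetch Metadata says this is a top-level page navigation.
// Requests without Sec-Fetch-* headers (older browsers) are treated as
// navigations; the static-file check above still covers them.
function isTopLevelNavigation(headers) {
  const dest = headers["sec-fetch-dest"];
  const mode = headers["sec-fetch-mode"];
  if (dest === undefined && mode === undefined) return true;
  return dest === "document" && mode === "navigate";
}

// "After": embedded requests get one fixed answer regardless of session
// state, so the embedding page's load/error outcome carries no login signal.
function hardenedLogin({ returnParam, loggedIn, headers }) {
  if (!isTopLevelNavigation(headers)) {
    return { status: 403, location: null };
  }
  if (!loggedIn) return { status: 200, location: null }; // login page
  return { status: 302, location: safeReturnPath(returnParam) };
}

// Constructed sample request: headers a browser sends for a cross-site <img>.
const SAMPLE_IMG_HEADERS = {
  "sec-fetch-dest": "image",
  "sec-fetch-mode": "no-cors",
  "sec-fetch-site": "cross-site",
};

// Compare both handlers for both session states on the sample request.
function compareHandlers() {
  const rows = [];
  for (const loggedIn of [false, true]) {
    const req = { returnParam: "logo_INRIA.png", loggedIn, headers: SAMPLE_IMG_HEADERS };
    rows.push({ loggedIn, naive: naiveLogin(req), hardened: hardenedLogin(req) });
  }
  return rows;
}

console.log(JSON.stringify(compareHandlers(), null, 2));
```

With the naive handler the two session states differ (login page versus image redirect); with the hardened handler both rows are identical.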