BROWSER EXTENSION AND LOGIN-LEAK EXPERIMENT

IPEN 2017, Vienna Joint work with Nataliia Bielova, Claude Castelluccia

Gábor György Gulyás Privatics Team, INRIA http://gulyas.info // @GulyasGG USER TRACKING ON THE WEB

17-06-09 © Gábor György Gulyás 2 The „de-facto” busniess model of the web

Advertiser ID=967 User

Apples on sale!

ID=967 cnn.com

17-06-09 © Gábor György Gulyás 3 Storing the identifier on the client side

• Cookies • E-tags – Flash • Last-mod timestamps – HTML5 • HTTP authentication • Caching in files of • HTTP 301 redirect – JavaScript • HSTS caches – CSS

– Images (pixel-level) …

17-06-09 © Gábor György Gulyás 4 Browser fingerprinting appears (2010-2012) [3]

http://panopticlick.eff.org https://fingerprint.pet-portal.eu • Browser fingerprint • Cross-browser fingp. – Flash/Java required – Device fingerprint (for 95% uniqueness) – No plugins, just JS – Browser dependent – Concept appears later in the wild

17-06-09 © Gábor György Gulyás 5 Fingerprinting penetration (2013-2016)

2013: Alexa TOP 10k. • 20 pages deep • 0,4% adoption (40 sites) • Skype.com, porn and dating • 3 804 less popular sites are tracked Nickiforakis et al.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting (2013)

2016: Alexa TOP 1M.

S. Englehardt, A. Narayanan: Online tracking: A 1-illion-site measurement and analysis (2016)

17-06-09 © Gábor György Gulyás 6 Behavioral fingerprinting

You are what you install to you computer?

Fonts are good indicators of what is installed.

Boda et al.: User Tracking on the Web via Cross-Browser Fingerprinting (2011) Google.com Youtube.com Facebook.com Baidu.com The list of the sites you have Yahoo.com Wikipedia.org visited also describe you well. Google.co.in Qq.com Sohu.com Google.co.jp Taobao.com Tmall.com Live.com Amazon.com Can be used to de-anonymize Vk.com Twitter.com you as a natural person. Instagram.com 360.cn Su et al.: De-anonymizing Web Browsing Data with Social Networks (2017) 17-06-09 © Gábor György Gulyás 7 BROWSER EXTENSION AND LOGIN-LEAK EXPERIMENT

17-06-09 © Gábor György Gulyás 8 Browser Extension and Login-Leak Experiment

• Extension detection • Detecting web logins – Detecting extension – Redirection URL resources hijacking – Misusing CSP violation

17-06-09 © Gábor György Gulyás 9 Why is this a problem?

Extensions can leak private information!

The more privacy extensions you install, the more identifiable you are!

17-06-09 © Gábor György Gulyás 10 Extension detection history

17-06-09 © Gábor György Gulyás 11 How does it work? chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/app/images/apps_pages/tracker.png

Extension ID Local filepath (Ghostery) • Try yourself: http://tinyurl.com/chrome- ghostery

• High precision & coverage: – Large fraction of extensions covered ~28% – No false-positives (uninstalled extensions not reported) • Robustness (multiple resources can be checked)

17-06-09 © Gábor György Gulyás 12 Other browsers?

• Firefox – Smaller impact: ~7% (direct possibility to manipulate UI) – WebExtensions è same vulnerability as Chrome (but ~5.5%) – Resources leak more information • Opera

• Brave – Comes with detectable built-in extensions – Test it here: https://extensions.inrialpes.fr/brave/ • Edge – It is possible [http://tinyurl.com/edge-ext] – Low number of extensions are available

17-06-09 © Gábor György Gulyás 13 Browser Extension and Login-Leak Experiment

• Extension detection • Detecting web logins – Detecting extension – Redirection URL resources hijacking – Misusing CSP violation

17-06-09 © Gábor György Gulyás 14 Why is this a problem?

Allows very precise profiling.

Leaks sensitive info (security!).

Tells about where you work.

Allow behavioral tracking.

17-06-09 © Gábor György Gulyás 15 Currently detected sites (60)

Social & Fun Work & Education • Battle.net Shopping • Academia.edu • Facebook • 500px • BitBucket • Flickr • Alibaba.com, Aliexpress.com • Carbonmade • Foursquare • Airbnb • Dropbox • Gmail • Amazon.{co.uk, com, de, fr, it} • EdX • Google Plus • eBay.{co.uk, com, de, fr, it} • Evernote • Instagram • Expedia • Github • LinkedIn • Paypal • Indeed • Meetup • Photobucket News & Blogging • Inria • Pinterest • shutterstock • Forbes • Khan Academy • Skype • Steam • Hackernews • PluralSight • Spotify • Square • LeMonde.fr • Scribd • Tumblr • LiveJournal • Slack • Twitter • Medium • SugarSync Gray zone • VK • Reddit • Viadeo • Youporn • Youtube • Spiegel.de • Dating sites • Yahoo

17-06-09 © Gábor György Gulyás 16 Techniques used

Redirection URL hijacking by @robin_linus

Abusing Content Security Policy by @homakov

17-06-09 based on a slide from Nataliia Bielova 17 How do they work?

Redirection URL hijacking

https://inria.fr/login?return=CALENDAR

17-06-09 © Gábor György Gulyás 18 How do they work? [2]

Redirection URL hijacking https://inria.fr/login?return=logo_INRIA.png

Not logged in Logged in (login page) (silent & unchecked redirection to image)

17-06-09 © Gábor György Gulyás 19 How do they work? [3]

Abusing CSP

http://my.ebay.com Not allowed redirection! Raises error, reports it back.

Not logged in Logged in (http://www.ebay.com) (http://my.ebay.com)

17-06-09 © Gábor György Gulyás 20 https://extensions.inrialpes.fr

17-06-09 © Gábor György Gulyás 21 https://extensions.inrialpes.fr

17-06-09 © Gábor György Gulyás 22 What could we do (for now)?

Extension detection • Chrome, Opera, Brave: not much. • Safari: not evaluated. • Firefox: vulnerable. But: few extensions, and good for privacy.

Web login detection • Best advice is to turn off third- party cookies. • Or use an extension that blocks • access to third-part cookies, • tracking, or • JavaScript (noscript).

17-06-09 © Gábor György Gulyás 23 Thank you for your attention!

ANY QUESTIONS?

Gábor György Gulyás Privatics Team, INRIA http://gulyas.info // @GulyasGG