Abstract
We investigate data exfiltration by third-party scripts directly embedded on web pages. Specifically, we study three attacks: misuse of browsers’ internal login managers, social data exfiltration, and whole-DOM exfiltration. Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites. We extend OpenWPM’s instrumentation to detect and precisely attribute these attacks to specific third-party scripts. Our analysis reveals invasive practices such as inserting invisible login forms to trigger autofilling of the saved user credentials, and reading and exfiltrating social network data when the user logs in via Facebook login. Further, we uncovered password, credit card, and health data leaks to third parties due to wholesale collection of the DOM. We discuss the lessons learned from the responses to the initial disclosure of our findings and fixes that were deployed by the websites, browser vendors, third-party libraries and privacy protection tools.
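As an added example (not the paper's or OpenWPM's code), the JavaScript below shows the defender-side core of detecting the first attack the abstract names: flagging a login form that is rendered invisible, and attributing its insertion to the script host found on the call stack. The `report` sink, the `shop.example` and `tracker.example` hosts, and the sample forms and stack trace are constructed placeholders.

```javascript
// Added example, not the paper's code; descriptors are plain objects so the checks run offline.
// Invisible if hidden by CSS, transparent, zero-sized or pushed off-screen.
// Not covered here: clip-path, overflow clipping, hidden ancestors.
function isHiddenStyle(s) {
  return s.display === 'none' || s.visibility === 'hidden' || parseFloat(s.opacity) === 0 ||
    s.width === 0 || s.height === 0 || s.left < -1000 || s.top < -1000;
}
// A form with a password input is what the browser's login manager autofills.
function flagInvisibleLoginForms(forms) {
  return forms.filter(f => f.inputs.some(i => i.type === 'password') && isHiddenStyle(f.style));
}
// First script host in a stack trace that is not the first party. Browser and Node
// frames both embed the script URL, so one regex serves both.
function attributingHost(stack, firstPartyHost) {
  const hosts = [...stack.matchAll(/https?:\/\/([^\/\s:)]+)/g)].map(m => m[1]);
  return hosts.find(h => h !== firstPartyHost) || null;
}
// Browser only: snapshot a live <form>'s inputs, computed style and geometry.
function describeForm(f) {
  const r = f.getBoundingClientRect(), cs = getComputedStyle(f);
  return { id: f.id, inputs: [...f.querySelectorAll('input')].map(i => ({ type: i.type })),
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      width: r.width, height: r.height, left: r.left, top: r.top } };
}
// Browser only: wrap DOM insertion so the stack is captured synchronously, while the
// inserting script is still on it (a MutationObserver fires later and has lost it).
// report(descriptor, host) is a hypothetical sink supplied by the caller.
function instrumentInsertion(report, firstPartyHost) {
  if (typeof Node === 'undefined') return false;
  for (const name of ['appendChild', 'insertBefore']) {
    const orig = Node.prototype[name];
    Node.prototype[name] = function (...args) {
      const stack = new Error().stack, result = orig.apply(this, args), n = args[0];
      const forms = !n || n.nodeType !== 1 ? [] : n.tagName === 'FORM' ? [n] : [...n.querySelectorAll('form')];
      for (const f of flagInvisibleLoginForms(forms.map(describeForm))) report(f, attributingHost(stack, firstPartyHost));
      return result;
    };
  }
  return true;
}
// Constructed sample input for the offline demo (not measured data).
const SAMPLE_FORMS = [
  { id: 'real-login', inputs: [{ type: 'text' }, { type: 'password' }],
    style: { display: 'block', visibility: 'visible', opacity: '1', width: 320, height: 90, left: 40, top: 200 } },
  { id: 'injected-login', inputs: [{ type: 'email' }, { type: 'password' }],
    style: { display: 'block', visibility: 'visible', opacity: '1', width: 320, height: 90, left: -9999, top: 0 } },
  { id: 'hidden-search', inputs: [{ type: 'text' }],
    style: { display: 'none', visibility: 'visible', opacity: '1', width: 0, height: 0, left: 0, top: 0 } },
];
const SAMPLE_STACK = 'Error\n    at HTMLDivElement.appendChild (https://shop.example/js/app.js:12:5)\n    at injectForm (https://tracker.example/collect.js:88:3)';
```

On the sample, only `injected-login` is flagged (off-screen and carrying a password field) and the stack resolves to `tracker.example`; the hidden search form has no password input and is ignored.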
Cited by 17 articles.
1. A User-Centric Approach to API Delegations;Lecture Notes in Computer Science;2024
2. Fine-Grained Data-Centric Content Protection Policy for Web Applications;Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security;2023-11-15
3. Detection of Inconsistencies in Privacy Practices of Browser Extensions;2023 IEEE Symposium on Security and Privacy (SP);2023-05
4. QButterfly: Lightweight Survey Extension for Online User Interaction Studies for Non-Tech-Savvy Researchers;Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems;2023-04-19
5. Uncovering Privacy and Security Challenges In K-12 Schools;Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems;2023-04-19