Accept All Exploits: Exploring the Security Impact of Cookie Banners

Klein, David; Musch, Marius; Barber, Thomas J.; Kopmann, Moritz; Johns, Martin

doi:10.1145/3564625.3564647

Cited by 7 publications

(2 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hu et al [18] also introduce a machine learningbased approach to classifying the purpose of a cookie. Klein et al [25] conduct a large-scale crawl to explore the security impact of consenting to a cookie banner and find that users who consent to Web tracking are exposed to more security-sensitive data flows and are vulnerable to more client-side cross-site scripting (XSS) vulnerabilities. Jha et al [22] present a measurement focusing on popular websites in Europe and the US to study the impact of privacy banners on the web.…”

Section: Related Workmentioning

confidence: 99%

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

Demir,

Urban,

Pohlmann

et al. 2024

PoPETs

View full text Add to dashboard Cite

Cookie notices (or cookie banners) are a popular mechanism for websites to provide (European) Internet users a tool to choose which cookies the site may set. Banner implementations range from merely providing information that a site uses cookies over offering the choice to accepting or denying all cookies to allowing fine-grained control of cookie usage. Users frequently get annoyed by the banner's pervasiveness as they interrupt ''natural'' browsing on the Web. As a remedy, different browser extensions have been developed to automate the interaction with cookie banners. In this work, we perform a large-scale measurement study comparing the effectiveness of extensions for ''cookie banner interaction.'' We configured the extensions to express different privacy choices (e.g., accepting all cookies, accepting functional cookies, or rejecting all cookies) to understand their capabilities to execute a user's preferences. The results show statistically significant differences in which cookies are set, how many of them are set, and which types are set---even for extensions that aim to implement the same cookie choice. Extensions for ''cookie banner interaction'' can effectively reduce the number of set cookies compared to no interaction with the banners. However, all extensions increase the tracking requests significantly except when rejecting all cookies.

show abstract

Section: Related Workmentioning

confidence: 99%

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

Demir,

Urban,

Pohlmann

et al. 2024

PoPETs

View full text Add to dashboard Cite

show abstract

“…Klein et al [22] used a combination of keywords in different languages and visual properties (visible and whether it is at the top layer of the screen) to identify elements that notices use to get consent (e. g., accept buttons). The main goal of their research was not to detect consent notices but to measure the security impact of loaded third-party code in terms of client-side cross-site scripting.…”

Section: Detection Of Consent Noticesmentioning

confidence: 99%

Cookiescanner: An Automated Tool for Detecting and Evaluating GDPR Consent Notices on Websites

Gundelach,

Herrmann

2023

Proceedings of the 18th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

The enforcement of the GDPR led to the widespread adoption of consent notices, colloquially known as cookie banners. Studies have shown that many website operators do not comply with the law and track users prior to any interaction with the consent notice, or attempt to trick users into giving consent through dark patterns. Previous research has relied on manually curated filter lists or automated detection methods limited to a subset of websites, making research on GDPR compliance of consent notices tedious or limited. We present cookiescanner, an automated scanning tool that detects and extracts consent notices via various methods and checks if they offer a decline option or use color diversion. We evaluated cookiescanner on a random sample of the top 10,000 websites listed by Tranco. We found that manually curated filter lists have the highest precision but recall fewer consent notices than our keyword-based methods. Our BERT model achieves high precision for English notices, which is in line with previous work, but suffers from low recall due to insufficient candidate extraction. While the automated detection of decline options proved to be challenging due to the dynamic nature of many sites, detecting instances of different colors of the buttons was successful in most cases. Besides systematically evaluating our various detection techniques, we have manually annotated 1,000 websites to provide a ground-truth baseline, which has not existed previously. Furthermore, we release our code and the annotated dataset in the interest of reproducibility and repeatability. CCS CONCEPTS• Security and privacy → Human and societal aspects of security and privacy; • General and reference → Measurement; • Information systems → World Wide Web.

show abstract