2020
DOI: 10.2478/popets-2020-0070
|View full text |Cite
|
Sign up to set email alerts
|

No boundaries: data exfiltration by third parties embedded on web pages

Abstract: We investigate data exfiltration by third-party scripts directly embedded on web pages. Specifically, we study three attacks: misuse of browsers’ internal login managers, social data exfiltration, and whole-DOM exfiltration. Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites. We extend OpenWPM’s instrumentation to detect and precisely attribute these attacks to specific third-party scripts. Our … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

0
6
0

Year Published

2021
2021
2024
2024

Publication Types

Select...
5
2

Relationship

0
7

Authors

Journals

citations
Cited by 20 publications
(6 citation statements)
references
References 17 publications
0
6
0
Order By: Relevance
“…For the web OpenWPM provided a measurement infrastructure to detect, quantify, and characterize emerging online tracking behaviors, such as browser fingerprinting [27]. OpenWPM was extended to invisible login forms triggering autofilling of saved user credentials, exfiltrating social network data, and other privacy-invasive practices [2]. In addition to OpenWPM, OmniCrawl, a similar infrastructure, was used to find that the third party advertising and tracking ecosystem on mobile browsers is similar to that of desktop browsers [12].…”
Section: Web Traffic Analysismentioning
confidence: 99%
See 3 more Smart Citations
“…For the web OpenWPM provided a measurement infrastructure to detect, quantify, and characterize emerging online tracking behaviors, such as browser fingerprinting [27]. OpenWPM was extended to invisible login forms triggering autofilling of saved user credentials, exfiltrating social network data, and other privacy-invasive practices [2]. In addition to OpenWPM, OmniCrawl, a similar infrastructure, was used to find that the third party advertising and tracking ecosystem on mobile browsers is similar to that of desktop browsers [12].…”
Section: Web Traffic Analysismentioning
confidence: 99%
“…As a proof of concept we implement our interfaces in a Firefox browser extension, Privacy Pioneer. 2 In addition to pattern-based detection, we use a machine learning model to classify unstructured data, in our case location data, for which the web traffic context plays a significant role. By doing so, we show the potential improvements obtainable from machine learning models while still accounting for the constrained browser environment.…”
Section: Introductionmentioning
confidence: 99%
See 2 more Smart Citations
“…Researchers consistently demonstrate privacy eroding techniques deployed in the wild [15][16][17][18][19] motivated by online advertising business models [32]. Personal data is leaked via social networks [33], third-party web scripts [34], apps [35], software development kits [36], and organizational breaches [37]. The scale of tracking motivate re-designing systems to provide privacy guarantees.…”
Section: Privacy Practicesmentioning
confidence: 99%