How Tracking Companies Circumvented Ad Blockers Using WebSockets

Size: px

Start display at page:

Download "How Tracking Companies Circumvented Ad Blockers Using WebSockets"

Adelia Black
5 years ago
Views:

1 How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University

2 Online Tracking 2

3 Online Tracking Surge in online advertising (internet economy) Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. 2

4 Online Tracking Surge in online advertising (internet economy) Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. User concern over tracking Led to the proliferation of ad blocking extensions 2

5 Online Tracking Surge in online advertising (internet economy) Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. User concern over tracking Led to the proliferation of ad blocking extensions Ad networks fight back E.g Using anti ad blocking scripts 2

6 Google & Safari Google evaded Safari s third-party cookie blocking policy (Jonathan Mayer) by submitting a form in an invisible iframe Google was fined $22.5M by FTC 3

7 This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4

8 This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 1. What caused this? 2. How this bug was leveraged by ad networks? 4

9 Web Sockets 5

10 Web Sockets HTTP/S 5

11 Web Sockets HTTP/S request response 5

12 Web Sockets HTTP/S request response Chatting App 5

13 Web Sockets HTTP/S request response Chatting App anything new? 5

14 Web Sockets HTTP/S request response Chatting App anything new? Web Socket 5

15 Web Sockets HTTP/S request response Chatting App anything new? Web Socket bidirectional Both client and server can send/receive data This is a persistent connection 5

16 Web Sockets HTTP/S request response Chatting App anything new? Web Socket bidirectional ws:// or wss:// Both client and server can send/receive data This is a persistent connection 5

17 Ad Blockers 6

18 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests 6

19 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API 6

20 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API 6

21 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API Usually borrowed from EasyList Rule List 6

22 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List 6

23 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List 6

24 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List 6

25 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List webrequest API 6

26 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List webrequest API 6

27 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List url webrequest API 6

28 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List url webrequest API 6

jpeg webrequest API url Usually borrowed

29 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Usually borrowed from EasyList Rule List url webrequest API 6

30 AdBlock Evasion 7

31 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API 7

32 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API

33 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API Original bug reported

34 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API Original bug reported Users report unblocked ads

35 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API Original bug reported Users report unblocked ads Patch Finalized ( Landed)

36 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API Original bug reported Users report unblocked ads Patch Finalized ( Landed) Chrome 58 released 7

37 AdBlock Evasion Bug in webrequest API ws/wss requests did not trigger the API Original bug reported Users report unblocked ads Patch Finalized ( Landed) * * * * * Represents when our crawls were done Chrome 58 released 7

38 Data Crawling 8

39 Data Crawling 100K websites sampled from Alexa 8

40 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Collected chains for all included resources 8

41 Data Crawling This means we know which resource included which other resource 100K websites sampled from Alexa Visit 15 links / website Collected chains for all included resources 8

42 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Collected chains for all included resources This means we know which resource included which other resource Filter WebSockets Filter all resources which end in web sockets 8

43 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Collected chains for all included resources This means we know which resource included which other resource Filter WebSockets Mark web sockets which are used by A&A domains Detect A&A WebSockets Filter all resources which end in web sockets A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 8

44 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Example Inclusion Tree srv.ws pub/ index.html ads/ script.js Collected chains for all included resources Mark web sockets which are used by A&A domains This means we know which resource included which other resource Filter WebSockets Detect A&A WebSockets Filter all resources which end in web sockets adnet/ data.ws ads/ frame.html ads/ img_a.jpg A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 8

45 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Example Inclusion Tree srv.ws WebSocket pub/ index.html ads/ script.js Collected chains for all included resources Mark web sockets which are used by A&A domains This means we know which resource included which other resource Filter WebSockets Detect A&A WebSockets Filter all resources which end in web sockets adnet/ data.ws WebSocket ads/ frame.html ads/ img_a.jpg A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 8

46 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Example Inclusion Tree srv.ws WebSocket pub/ index.html ads/ script.js Collected chains for all included resources Mark web sockets which are used by A&A domains This means we know which resource included which other resource Filter WebSockets Detect A&A WebSockets Filter all resources which end in web sockets adnet/ data.ws WebSocket ads/ frame.html A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 8

47 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Example Inclusion Tree pub/ index.html ads/ script.js Collected chains for all included resources Mark web sockets which are used by A&A domains This means we know which resource included which other resource Filter WebSockets Detect A&A WebSockets Filter all resources which end in web sockets adnet/ data.ws WebSocket ads/ frame.html A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 8

48 High-Level Numbers 9

49 High-Level Numbers Before Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16,

50 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16,

51 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. 9

52 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. ~61 % sockets are initiated by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs 9

53 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. ~61 % sockets are initiated by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs ~71 % sockets contact an A&A domain 9

54 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. ~61 % sockets are initiated by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs ~71 % sockets contact an A&A domain # Initiators drop after Chrome 58 release. 9

55 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. ~61 % sockets are initiated by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs ~71 % sockets contact an A&A domain # Initiators drop after Chrome 58 release. Small but persistent A&A receivers. 9

56 Initiators and Receivers 10

57 Initiators and Receivers Initiator JavaScript Receiver 10

58 Initiators and Receivers Initiator JavaScript ws/s Receiver 10

59 Initiators and Receivers Initiator JavaScript ws/s Receiver 10

60 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 10

61 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 10

62 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 10

63 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. 10

64 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 10

65 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 33across & Lockerdome are advertising platforms. 10

doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5

realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit

services. Zopim, Intercom, Smartsupp provide live chat services.

66 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 33across & Lockerdome are advertising platforms. Inspectlet & Hotjar are session replay services. 10

67 Sent Items Over Web Sockets 11

68 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables DOM WebSockets HTTP/S % Requests 11

69 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs 11

70 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs Fingerprinting data in ~3.4% WebSockets. 97% is 33across 11

71 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs Fingerprinting data in ~3.4% WebSockets. 97% is 33across ~1.6% WebSockets sends the entire DOM to Hotjar, LuckyOrange, TruConversion 11

72 Received Items Over Web Sockets 12

73 Received Items Over Web Sockets HTML JSON JavaScript Images WebSockets HTTP/S % Responses 12

74 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses 12

75 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses 12

76 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses Ads served from Lockerdome 12

77 Summary ~67% of socket connections are initiated or received by A&A domains. Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released. The culprits: 33across was harvesting fingerprinting data. DOM exfiltration by HotJar, LuckyOrange, TruConversion Lockerdome downloaded URLs to serve ads. We need to keep up with the current practices of A&A companies. 13

78 Summary ~67% of socket connections are initiated or received by A&A domains. Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released. The culprits: 33across was harvesting fingerprinting data. DOM exfiltration by HotJar, LuckyOrange, TruConversion Lockerdome downloaded URLs to serve ads. We need to keep up with the current practices of A&A companies. Questions? 13

79 Backup Slides

80 Inclusion Chain DOM Tree Inclusion Tree <html> <body> <script src= tracker/script.js </script> <img src= tracker/img.jpg > </img> <script src= ads/script.js > </script> <iframe src= frame.html > <html> <body> <script src= script_12.js > </script> <img src= img_a.jpg > </img> </body> </html> </iframe> </body> </html> Source code for ads/script_12.js let ws = new WebSocket( ws://adnet/data.ws, ); ws.onopen = function (e) {ws.send( );} tracker/ script.js tracker/ img.jpg pub/ index.html ads/ script_12.js adnet/ data.ws ads/ script.js ads/ frame.html ads/ img_a.jpg 15

How Tracking Companies Circumvented Ad Blockers Using WebSockets

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University Online Tracking 2 Online Tracking