You Are Being Watched Analysis of JavaScript-Based Trackers

Size: px

Start display at page:

Download "You Are Being Watched Analysis of JavaScript-Based Trackers"

Gordon Dickerson
5 years ago
Views:

1 You Are Being Watched Analysis of JavaScript-Based Trackers Rohit Mehra IIIT-Delhi Shobhita Saxena IIIT-Delhi Vaishali Garg IIIT-Delhi I. PROBLEM Trackers are code points in a webpage that track personal information about the visitor like browsing patterns, operating environment, search history and much more, without the users consent. These trackers rely heavily on javascript for their execution and logging mechanisms. But what if the user disables browsers javascript for a particular site? Will the tracker still function? This forms the basis for our project. Our project analyzes different types of trackers and their execution requirements and focusses mainly on trackers that function even after javascript is disabled. This analysis will serve as a basis for modern tracker disabling tools that will be more precise than legacy extensions/add-ons performing this task. II. MOTIVATION Almost every site that you visit, maintains a log about visitor s personal information without his consent. This information is then be used for various constructive tasks, recommending website based on browsing patterns, suggesting new stuff to buy based on shopping patterns. Often in most cases this information is misused by selling it to third party agencies that collect tracking information from various sources and create a complete user profile. They use this profile for targeting users for particular scams, access their financial details, gain access to other passwords and sensitive information, find vulnerabilities in users system and exploit them. Even without users knowledge or consent, his identity and personal information gets compromised. III. INTRODUCTION Trackers maintain a log of visitors personal information like Browsing Patterns Search History Likes and Dislikes Personally Identifiable Information So, some important questions are posed from this such as Who are tracking you? How are you being tracked? How 3rd parties get to see what you do on web? How is your collected data being used? This project aims to answer these questions and provides different trends and analysis of these JavaScript based trackers. Methodology applied to perform the task in hand is based upon development of following crucial components that independently help towards achieving the target: Crawler Development : With Multithreading Support Chrome Extension REST API Driver Application Website Category Scraper : McAfee Analysis Code Analysis performed on Ubuntu and Windows 8.1 IV. BACKGROUND STUDY Tracker is a software implementation which maintains a log of a visitors personal information like, number of times the site is visited, browsing patterns, search history, likes and dislikes, banking details and much more. Since these trackers are mostly embedded into a website as internal/external javascript, they get access to all the DOM elements that hold users data and can also access user s operating environment(local storage, network resources, OS details). Even if the trackers are embedded as iframes, they still get access to most of the information except DOM elements. There are many tracker blocking tools available in the market like ghostery, donottrackme, disconnect and not script, that leverage the fact that trackers using javascript for information gathering process will not work if the javascript is disabled. Besides this they use more sophisticated techniques for blocking which are out of scope for this project. Tracker designers are also aware of the javascript disabling fact and have designed more sophisticated trackers that even function with javascript disabled. They may track using cookies, web bugs or referrer tracking. Main focus of our project is to identify and analyze such trackers that function even with javascript disabled. V. IMPLEMENTATION Our implemented approach is divided into these 6 tools/phases discussed as below: A. Crawler Development : With Multithreading Support A crawler is developed to gather URLs. Alexa Top Websites are given as initial seed and then websites are crawled in order to extract unique URLs referred by those websites. A total of 1000 unique URLs are extracted from one website. Thus, we are able to extract large no. of candidate URLs with high reachability.

2 trackers work in a different manner across different Operating Systems. B. Chrome Extension Fig. 1. Architecture of our approach A Chrome Extension is developed which first waits till the URL gets completely rendered. After this it analyzes the URL in JavaScript Enabled Mode, matches the trackers found with the list of Trackers provided in Ghostery Database. Then the extension automatically disables the JavaScript and then again checks for the trackers(if any). The trackers found in the JavaScript enabled anmd disabled mode are then saved to the database. A. Statistics VI. RESULTS Following are the statistics of the data that we gathered and analyzed: Crawled Data Total Crawled Webpages: 1.4 M Alexa Database: 1 M Analyzed Data Total Webpages Analyzed: 0.11 M Total Number of Domains Analyzed: 16 K Total Website Categories: 79 Total Trackers: 879 Tracker Categories: 5 B. Inferences Trackers v/s Websites C. REST API Due to security reasons Chrome doesnt provide a provision to read/write to a file system. Thus, a REST API hosted on Tomcat Server (XAMPP server) is used to store the trackers found in JavaScript enabled and disabled mode. MySQL is used at the backend to store the name of the trackers along with its category and the URL in which it is found. D. Driver Application It is used to drive the chrome extension where it first opens different tabs of Chrome at a time (multi-threading), takes the URLs from the database, runs the extension in enabled and disabled mode and then saves back the details of found trackers in the database. E. Website Category Scraper : McAfee McAfee website is used to determine the category of websites. Then a scrapper is developed to scrap the data from McAfee website and store it in the database. Fig. 2. Trackers v/s Websites Almost 98.63% Trackers were in enabled mode, out of which, 66.89% trackers were present in disabled mode too. Rest remaining percentage of trackers which were not present in enabled mode are taken to be as false positives of our experiments.more than half of the websites crawled had no existence of trackers.close to 45% websites had trackers on them Most Prominent Trackers F. Analysis Code Analysis performed on Ubuntu and Windows 8.1 A Code in Eclipse is written to analyse the database in order to find out some interesting facts and inferences. The Analysis is performed on Windows as well as Ubuntu for Alexa top 500 websites. Thus, analysis is performed across two Operating Systems by which it can be inferred that some 2

Fig. 3. Most Prominent Trackers in Javascript Enabled Mode Fig. 5. Tracker Category v/s Websites in Javascript Enabled Mode Fig. 6. Tracker Category v/s Websites in Javascript Enabled Mode Fig. 4.

3 Fig. 3. Most Prominent Trackers in Javascript Enabled Mode Fig. 5. Tracker Category v/s Websites in Javascript Enabled Mode Fig. 6. Tracker Category v/s Websites in Javascript Enabled Mode Fig. 4. Most Prominent Trackers in Javascript Enabled Mode Most prominent tracker in both enabled and disabled mode was found to be DoubleClick.Rest of the trackers followed different trends of occurrence in both the modes.however, Baidu Ads, Mark Monitor and Dratio occur in Top 10 Trackers in Enabled Mode but not in Disabled Mode. Similarly, TNS and Facebook Custom Audience occur in Disabled Mode but have no signs in Top 10 Trackers in Enabled Mode. Ad based trackers were most widely found on large number of websites. Privacy based trackers had least occurrence on the websites. The relative order of occurrence of trackers remained the same in both the modes. HTTP v/s HTTPS Tracker Category v/s Websites Fig. 7. HTTP v/s HTTPS in Javascript Disabled Mode Ratio of Trackers found on HTTP URLs was more than what was found on HTTPs URLs. No of Trackers found on HTTP URLs were more than the trackers found on 3

4 HTTPs URLs. Website Category v/s Trackers Fig. 10. Tracker category Distribution: Entertainment Websites Fig. 8. Entertainment Websites Analysis Fig. 11. Tracker category Distribution: General News Websites Fig. 9. General News Websites Analysis No. of trackers on General News Websites are more as compared to Entertainment Websites.On Entertainment Websites : No of Trackers in disabled mode were half of those found on enabled mode. On General News Websites : No of Trackers in disabled mode were two-third of those found in enabled mode. Ad based Trackers had maximum occurrence in both enabled and disabled mode on both General News and Entertainment Websites. Relative order of occurrence of Trackers on both the websites were found to be same in both enabled and disabled mode. However, Entertainment Websites are more tracked in Disabled Mode than General New Websites Domain v/s Trackers Tracker Category v/s Website Category 4

Fig. 14. Number Of Trackers: Windows Fig. 12. Domain v/s Trackers In Javascript Enabled Mode Fig. 13.

.es had minimum no of trackers in both enabled and disabled mode.

jp occurs in Top 10 Domains in Enabled Mode but not in Disabled Mode. Similarly,.

5 Fig. 14. Number Of Trackers: Windows Fig. 12. Domain v/s Trackers In Javascript Enabled Mode Fig. 13. Domain v/s Trackers In Javascript Disabled Mode.com domain had maximum no. of trackers in both enabled and disabled mode..es had minimum no of trackers in both enabled and disabled mode. The order of occurrence of rest of the trackers on the basis of their number followed no particular trend in both the cases.however, co.jp occurs in Top 10 Domains in Enabled Mode but not in Disabled Mode. Similarly,.pl occurs in Top 10 Domains in Disabled Mode but not in Enabled Mode Fig. 15. Number Of Trackers: Ubuntu No of Trackers in JavaScript enabled mode in Windows were more than the trackers in enabled mode in Ubuntu.But, its opposite for Disabled Mode. Windows v/s Ubuntu: Tracker Category v/s Websites Windows v/s Ubuntu: Number Of Trackers 5

6 Fig. 16. Tracker Category v/s Websites: Windows Fig. 19. Tracker Category Distribution: Ubuntu Trackers of Ad and analytics had very less difference in Windows in comparison to the trackers difference in Analytics and Ad in Ubuntu in General News Website category. Windows can not identify any tracker in Disabled Mode of Analytics type but Ubuntu can identify. Fig. 17. Number Of Trackers: Ubuntu Trackers of widgets and analytics were found to be in equal percentage in Ubuntu, though they differed in Windows. Windows can find ad and widget type of trackers more than ubuntu but ubuntu can find trackers and analytics type of trackers more than windows. Windows v/s Ubuntu: Tracker Category Distribution Fig. 18. Tracker Category Distribution: Windows C. How Trackers Work In JavaScript Disabled Mode NoScript Tag <noscript> <img src=" ip="> </noscript> NoScript tage gets executed whenever Javascript is disabled for a particular website. if trackers are embedded into this tag they will get triggered even the javascript is disabled for that website. Img Tag (HTML Based Tracker) <img src=" ip="> HTML based trackers always get executed as they are independednt of javascript status for a given website.image tag will always load the required image privided as src attribute which in turn triggers the trackers referenced. 3rd Party Trackers <noscript> <img src=" com/tracker/google_id/?ip="> </noscript> This is a comparitively new technique to indirectly invooke trackers. Google-Analytic for example cannot be invoked in javascript disabled. A tracker NoJSSStat provides a functionality where the agent calls NoJSSStat tracker and pass its google analytics id to id, which in turn triggers google analytics trackers and stores all 6

7 relevant information indirectly. VII. CHALLENGES Following are the challenges we faced during the entire course of this project: A. While Gathering Candidate URLs Alexa Top 1 million could not be used directly as many sites may not be reachable from India or respective ISP, leading to less number of candidate URLs. Moreover, Trackers May Be Different in the following cases: Same Website - Different Pages Same Website - Different Sub Domains Same Website - Different Country Domains/ Implementations Same Website - Front Page v/s Other Pages Same URL - Different Get/Post Parameters Thus, a crawler was developed in order to have a larger dataset. With this approach we have URLs of all popular websites (Breadth Wise Analysis) and many webpages for most popular websites (Depth Wise Analysis) B. During Chrome Extension Developments Chrome Extensions does not have local file system access to read/write to files and hence REST API was required to be used to store the results gathered from Chrome Extension C. While collecting data from Chrome Extension Three workstations were used to collect the data. However, not more than 8 threads could be opened at the same time slowing down the data collection process. VIII. CONCLUSION AND FUTURE WORK We have analyzed 0.1 Million Web URL s and found really exciting insights about the trackers, their categories and related website Categories. We analyzed various trackers where they were enabled in javascript enabled as well as javascript disbaled mode disabled mode. We manually inspected various trackers that were enabled in javascript disabled mode and generated insights on how these trackers work. These insights develops a confidence that these trackers are built with high sophistication keeping in mind all the existing security measures and the threat that they pose to the privacy of users using these websites. Till now URLs analyzed are numbered to be 0.1 million. This dataset can be further increased. Analyzing Tracker behavior on the basis of more extensive parameters like location. To incorporate protection measure against tracker on a browser and then running this tracker analysis on websites in enabled and disabled mode 7

CLOAK OF VISIBILITY : DETECTING WHEN MACHINES BROWSE A DIFFERENT WEB

CLOAK OF VISIBILITY : DETECTING WHEN MACHINES BROWSE A DIFFERENT WEB CIS 601: Graduate Seminar Prof. S. S. Chung Presented By:- Amol Chaudhari CSU ID 2682329 AGENDA About Introduction Contributions Background