How Tracking Companies Circumvented Ad Blockers Using WebSockets

Size: px

Start display at page:

Download "How Tracking Companies Circumvented Ad Blockers Using WebSockets"

Beatrice Goodwin
5 years ago
Views:

1 How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University

2 Online Tracking 2

3 Online Tracking Boom in online advertising. Ad networks pour in billions of dollars. Value for their investment? 2

4 Online Tracking Boom in online advertising. Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. 2

5 Online Tracking Boom in online advertising. Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. User concern over tracking This has led to the proliferation of ad blockers 2

6 Online Tracking Boom in online advertising. Ad networks pour in billions of dollars. Value for their investment? Extensive tracking to serve targeted ads. User concern over tracking This has led to the proliferation of ad blockers Ad networks fight back E.g Using anti-ad blocking scripts 2

7 Google & Safari Google evaded Safari s third-party cookie blocking policy (Jonathan Mayer) by submitting a form in an invisible iframe Google was fined $22.5M by FTC 3

8 This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4

9 This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets What caused this? How this bug was leveraged by ad networks? 4

10 Web Sockets 5

11 Web Sockets HTTP/S 5

12 Web Sockets HTTP/S 5

13 Web Sockets HTTP/S request response 5

14 Web Sockets HTTP/S request response Chatting App 5

15 Web Sockets HTTP/S request response Chatting App anything new? 5

16 Web Sockets HTTP/S request response Chatting App anything new? Web Socket 5

17 Web Sockets HTTP/S request response Chatting App anything new? Web Socket bidirectional ws:// or wss:// Both client and server can send/receive data This is a persistent connection 5

18 Ad Blockers 6

19 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests 6

20 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API 6

21 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API 6

22 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API Rule List Usually borrowed from EasyList 6

23 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList 6

24 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList 6

25 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList 6

26 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList webrequest API 6

27 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList webrequest API 6

28 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList url webrequest API 6

29 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList url webrequest API 6

Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests http://cnn.

30 Ad Blockers Chrome extension chrome.webrequest API Extension can inspect / modify / drop outgoing requests webrequest API url Rule List Usually borrowed from EasyList url webrequest API 6

31 AdBlock Evasion 7

32 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension 7

33 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension

34 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported

35 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported Users report unblocked ads

36 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported Users report unblocked ads Patch Landed

37 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported Users report unblocked ads Patch Landed Chrome 58 released 7

38 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported Users report unblocked ads Patch Landed * * * Represents when our crawls were done Chrome 58 released 7

39 AdBlock Evasion Due to a bug in chrome.webrequest API All ws/wss requests bypassed this extension Original bug reported Users report unblocked ads Patch Landed * * * * * Represents when our crawls were done Chrome 58 released 7

40 Data Crawling 8

41 Data Crawling 100K websites sampled from Alexa 8

42 Data Crawling 100K websites sampled from Alexa Visit 15 links / website Collected chains for all inclusion resources 8

43 Data Crawling This means we know which resource included which other resource 100K websites sampled from Alexa Visit 15 links / website Collected chains for all inclusion resources 8

44 Data Crawling This means we know which resource included which other resource 100K websites sampled from Alexa Visit 15 links / website Collected chains for all inclusion resources Filter WebSockets Filter all resources which end in web sockets 8

45 Data Crawling This means we know which resource included which other resource 100K websites sampled from Alexa Visit 15 links / website Collected chains for all inclusion resources Filter WebSockets Companies involved in Advertising and Analytics are collectively referred as A&A Filter all resources which end in web sockets Mark web sockets which are used by A&A domains Detect A&A WebSockets 8

46 High-Level Numbers 9

47 High-Level Numbers Before Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16,

48 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16,

49 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets. 9

50 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets % sockets are initiated by A&A domains 9

51 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets % sockets are initiated by A&A domains % sockets contact an A&A domain 9

52 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets % sockets are initiated by A&A domains % sockets contact an A&A domain # Initiators drops after Chrome 58 release. 9

53 High-Level Numbers Before Chrome 58 After Chrome 58 Crawl Dates %Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers Apr 02-05, Apr 11-16, May 07-12, Oct 12-16, ~2% websites use web sockets % sockets are initiated by A&A domains % sockets contact an A&A domain # Initiators drops after Chrome 58 release. Small but persistent A&A receivers. 9

54 Initiators and Receivers 10

55 Initiators and Receivers Initiator JavaScript Receiver 10

56 Initiators and Receivers Initiator JavaScript ws/s Receiver 10

57 Initiators and Receivers Initiator JavaScript ws/s Receiver 10

58 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 10

59 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 10

60 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 10

61 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. 10

62 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 10

63 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 33across & Lockerdome are advertising platforms. 10

doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6

Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar

64 Initiators and Receivers Initiator JavaScript ws/s Receiver Top A&A Initiators A&A Initiator #A&A Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A Receivers A&A Receiver #A&A Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Disqus provides comment board services. Zopim, Intercom, Smartsupp provide live chat services. 33across & Lockerdome are advertising platforms. Inspectlet & Hotjar are session replay services. 10

65 Sent Items Over Web Sockets 11

66 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables DOM WebSockets HTTP/S % Requests 11

67 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs 11

68 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs Fingerprinting data in ~3.4% WebSockets. 97% is 33across 11

69 Sent Items Over Web Sockets Cookie IP User IDs Fingerprinting Variables WebSockets HTTP/S DOM % Requests Stateful Identifiers like Cookie and User IDs Fingerprinting data in ~3.4% WebSockets. 97% is 33across ~1.5% WebSockets sends the entire DOM to Hotjar 11

70 Received Items Over Web Sockets 12

71 Received Items Over Web Sockets HTML JSON JavaScript Images WebSockets HTTP/S % Responses 12

72 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses 12

73 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses 12

74 Received Items Over Web Sockets HTML JSON JavaScript WebSockets HTTP/S Images % Responses Ads served from Lockerdome 12

75 Summary ~67% of socket connections are initiated or received by A&A domains. Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released. The culprits: 33across was harvesting fingerprinting data. HotJar was exfiltrating the entire DOM Lockerdome downloaded URLs to serve ads. We need to keep with the current practices of A&A companies. 13

76 Summary ~67% of socket connections are initiated or received by A&A domains. Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released. The culprits: 33across was harvesting fingerprinting data. HotJar was exfiltrating the entire DOM Lockerdome downloaded URLs to serve ads. We need to keep with the current practices of A&A companies. Questions? 13

77 Discussion Points What s Next? Can these findings be used to fine advertisers or shape new policies? Major Ad Exchanges abandoned WebSockets Why? New web standards. Can be problematic? Where should we intervene? Surprising that it took few years to patch this bug WebRTC aspect of it. 14

78 Backup Slides

79 Inclusion Chain DOM Tree Inclusion Tree <html> <body> <script src= tracker/script.js </script> <img src= tracker/img.jpg > </img> <script src= ads/script.js > </script> <iframe src= frame.html > <html> <body> <script src= script_12.js > </script> <img src= img_a.jpg > </img> </body> </html> </iframe> </body> </html> Source code for ads/script_12.js let ws = new WebSocket( ws://adnet/data.ws, ); ws.onopen = function (e) {ws.send( );} tracker/ script.js tracker/ img.jpg pub/ index.html ads/ script_12.js adnet/ data.ws ads/ script.js ads/ frame.html ads/ img_a.jpg 16

How Tracking Companies Circumvented Ad Blockers Using WebSockets

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University Online Tracking 2 Online Tracking