No Boundaries: Data Exfiltration by Third Parties Embedded on Web Pages
Speaker
Gunes Acar
the Computer Security and Industrial Cryptography (COSIC) group: KU Leuven, Belgium
Host
Srini Devadas
CSAIL
Abstract:
We investigate data exfiltration by third-party scripts directly
embedded on web pages. Specifically, we study three attacks: misuse of
browsers' internal login managers, social data exfiltration, and
whole-DOM exfiltration. Although the possibility of these attacks was
well known, we provide the first empirical evidence based on
measurements of 300,000 distinct web pages from 50,000 sites. We extend
OpenWPM's instrumentation to detect and precisely attribute these
attacks to specific third-party scripts. Our analysis reveals invasive
practices such as inserting invisible login forms to trigger autofilling
of the saved user credentials, and reading and exfiltrating social
network data when the user logs in via Facebook login. Further, we
uncovered password, credit card, and health data leaks to third parties
due to wholesale collection of the DOM. We discuss the lessons learned
from the responses to the initial disclosure of our findings and fixes
that were deployed by the websites, browser vendors, third-party
libraries and privacy protection tools.
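The abstract mentions third-party scripts inserting invisible login forms so that the browser's login manager autofills saved credentials. The following is an added defender-side example, not code from the talk, the paper, or OpenWPM: a heuristic that flags forms which contain a password field, are not visible to the user (display:none, visibility:hidden, opacity 0, zero-size box, or positioned outside the viewport), and were inserted by a script from an origin other than the page's. The per-form `scriptOrigin` attribution is assumed to come from instrumentation such as OpenWPM's and is simply consumed here; the form snapshots, the `shop.example` page origin, the `tracker.example` and `cdn.example` origins, and the viewport size are all constructed for illustration.

```javascript
// Added example (not from the talk or the paper): flag hidden, third-party-inserted
// login forms that a browser login manager could still autofill.
// Works on plain snapshot objects so it runs under Node; in a browser, build the
// snapshots with snapshotFromElement() below.

const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport for the off-screen check

// List the reasons a form is effectively invisible to the user (empty list = visible).
function hiddenReasons(snap) {
  const reasons = [];
  const { style, rect } = snap;
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(style.opacity) === 0) reasons.push('opacity:0');
  if (rect.width === 0 || rect.height === 0) {
    reasons.push('zero-size box');
  } else if (
    rect.x + rect.width <= 0 || rect.y + rect.height <= 0 ||
    rect.x >= VIEWPORT.width || rect.y >= VIEWPORT.height
  ) {
    reasons.push('outside viewport');
  }
  return reasons;
}

// A form inserted by a script served from another origin counts as third-party.
// scriptOrigin === null means the form came from the page's own static markup.
function isThirdParty(scriptOrigin, pageOrigin) {
  return scriptOrigin !== null && scriptOrigin !== pageOrigin;
}

// One finding per form that (a) has a password field, (b) is hidden, and
// (c) was inserted by a third-party script. Anything failing a test is ignored.
function auditForms(snapshots, pageOrigin) {
  const findings = [];
  for (const snap of snapshots) {
    if (!snap.hasPasswordField) continue;
    const reasons = hiddenReasons(snap);
    if (reasons.length === 0) continue;
    if (!isThirdParty(snap.scriptOrigin, pageOrigin)) continue;
    findings.push({ id: snap.id, scriptOrigin: snap.scriptOrigin, reasons });
  }
  return findings;
}

// Browser-only helper (not called here so the file also runs under Node). The caller
// supplies scriptOrigin from whatever instrumentation attributed the form's insertion.
function snapshotFromElement(form, scriptOrigin) {
  const cs = window.getComputedStyle(form);
  const r = form.getBoundingClientRect();
  return {
    id: form.id || '(anonymous)',
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    rect: { x: r.x, y: r.y, width: r.width, height: r.height },
    hasPasswordField: form.querySelector('input[type="password"]') !== null,
    scriptOrigin,
  };
}

// Constructed sample snapshots (not real measurements) for a hypothetical page.
const PAGE_ORIGIN = 'https://shop.example';
const SAMPLE_FORMS = [
  { id: 'login', style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { x: 400, y: 200, width: 320, height: 160 }, hasPasswordField: true,
    scriptOrigin: null },                                   // legitimate, visible
  { id: 'tp-hidden', style: { display: 'none', visibility: 'visible', opacity: '1' },
    rect: { x: 0, y: 0, width: 0, height: 0 }, hasPasswordField: true,
    scriptOrigin: 'https://tracker.example' },              // hidden, third-party
  { id: 'tp-offscreen', style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { x: -9999, y: 10, width: 300, height: 120 }, hasPasswordField: true,
    scriptOrigin: 'https://tracker.example' },              // off-screen, third-party
  { id: 'search', style: { display: 'none', visibility: 'visible', opacity: '1' },
    rect: { x: 0, y: 0, width: 0, height: 0 }, hasPasswordField: false,
    scriptOrigin: 'https://cdn.example' },                  // hidden but no password field
];

const FINDINGS = auditForms(SAMPLE_FORMS, PAGE_ORIGIN);
console.log(JSON.stringify(FINDINGS, null, 2)); // reports tp-hidden and tp-offscreen
```

On a live page you would run `snapshotFromElement` over `document.forms` (ideally from a `MutationObserver` callback, since the forms of interest are injected after load) and feed the result to `auditForms`; the visibility tests are heuristics, so treat a finding as something to inspect rather than as proof of exfiltration.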
Bio:
Gunes is a postdoctoral fellow at KU Leuven's COSIC research group.
His research interests involve web privacy and security, anonymous
communications, dark design patterns, and IoT privacy and security.
Gunes obtained his PhD at KU Leuven in 2017, and was a postdoctoral researcher between 2017 and 2019 at Princeton University's Center for Information Technology Policy.
Zoom:
Kyle Hogan is inviting you to a scheduled Zoom meeting.
Topic: CSAIL Security Seminar
Time: This is a recurring meeting. Meet anytime.
Join Zoom Meeting
https://mit.zoom.us/j/97527284254
Password: <3security
One tap mobile
+16465588656,,97527284254# US (New York)
+16699006833,,97527284254# US (San Jose)
Meeting ID: 975 2728 4254
US : +1 646 558 8656 or +1 669 900 6833
International Numbers: https://mit.zoom.us/u/aeHSWRlxez
Join by SIP
97527284254@zoomcrc.com
Join by Skype for Business
https://mit.zoom.us/skype/97527284254