Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How Tracking Companies Circumvent Ad Blockers Using WebSockets

13 views

Published on

IEEE S&P Workshop on Technology and Consumer Protection (ConPro)
San Francisco, CA, USA, May 2018

Published in: Science
  • Be the first to comment

  • Be the first to like this

How Tracking Companies Circumvent Ad Blockers Using WebSockets

  1. 1. How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson
 
 Northeastern University
  2. 2. Online Tracking 2
  3. 3. Online Tracking • Boom in online advertising. • Ad networks pour in billions of dollars. • Value for their investment? 2
  4. 4. Online Tracking • Boom in online advertising. • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. 2
  5. 5. Online Tracking • Boom in online advertising. • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. • User concern over tracking • This has led to the proliferation of ad blockers 2
  6. 6. Online Tracking • Boom in online advertising. • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. • User concern over tracking • This has led to the proliferation of ad blockers • Ad networks fight back • E.g Using anti-ad blocking scripts 2
  7. 7. Google & Safari • Google evaded Safari’s third-party cookie blocking policy (Jonathan Mayer) • … by submitting a form in an invisible iFrame • Google was fined $22.5M by FTC 3
  8. 8. This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4
  9. 9. This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4 • What caused this? • How this bug was leveraged by ad networks?
  10. 10. Web Sockets 5
  11. 11. Web Sockets 5 HTTP/S
  12. 12. Web Sockets 5 HTTP/S
  13. 13. Web Sockets 5 HTTP/S request response
  14. 14. Web Sockets 5 HTTP/S request response Chatting App
  15. 15. Web Sockets 5 HTTP/S request response Chatting App anything new?
  16. 16. Web Sockets 5 HTTP/S request response Chatting App anything new? Web Socket
  17. 17. Web Sockets 5 HTTP/S request response Chatting App anything new? Web Socket bidirectional ws:// or wss:// • Both client and server can send/receive data • This is a persistent connection
  18. 18. Ad Blockers 6
  19. 19. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests
  20. 20. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests webRequest API
  21. 21. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API
  22. 22. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List Usually borrowed 
 from EasyList
  23. 23. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  24. 24. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  25. 25. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  26. 26. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url webRequest API Usually borrowed 
 from EasyList
  27. 27. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API Usually borrowed 
 from EasyList
  28. 28. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  29. 29. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  30. 30. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  31. 31. AdBlock Evasion 7
  32. 32. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7
  33. 33. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018
  34. 34. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported
  35. 35. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads
  36. 36. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads Patch
 Landed
  37. 37. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads Patch
 Landed Chrome 58
 released
  38. 38. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 * * Original bug
 reported Users report 
 unblocked ads Patch
 Landed Chrome 58
 released * Represents when our crawls were done
  39. 39. AdBlock Evasion • Due to a bug in chrome.webRequest API • All ws/wss requests bypassed this extension 7 2012 2013 2014 2015 2016 2017 2018 * * * * Original bug
 reported Users report 
 unblocked ads Patch
 Landed Chrome 58
 released * Represents when our crawls were done
  40. 40. Data Crawling 8
  41. 41. Data Crawling 8 100K websites 
 sampled from Alexa
  42. 42. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all inclusion resources
  43. 43. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all inclusion resources This means we know which resource included which other resource
  44. 44. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all inclusion resources Filter all resources which end in 
 web sockets Filter 
 WebSockets This means we know which resource included which other resource
  45. 45. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all inclusion resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSocketsMark web sockets
 which are used by A&A domains Companies involved in Advertising and Analytics are collectively referred as A&A This means we know which resource included which other resource
  46. 46. High-Level Numbers 9
  47. 47. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 Before 
 Chrome 58
  48. 48. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 Before 
 Chrome 58 After 
 Chrome 58
  49. 49. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 • ~2% websites use web sockets. Before 
 Chrome 58 After 
 Chrome 58
  50. 50. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 • ~2% websites use web sockets. • 55-61 % sockets are initiated by A&A domains Before 
 Chrome 58 After 
 Chrome 58
  51. 51. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 • ~2% websites use web sockets. • 55-61 % sockets are initiated by A&A domains • 55-73 % sockets contact an A&A domain Before 
 Chrome 58 After 
 Chrome 58
  52. 52. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 • ~2% websites use web sockets. • 55-61 % sockets are initiated by A&A domains • 55-73 % sockets contact an A&A domain • # Initiators drops after Chrome 58 release. Before 
 Chrome 58 After 
 Chrome 58
  53. 53. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.2 72.0 72 14 Apr 11-16, 2017 2.4 61.0 73.0 61 16 May 07-12, 2017 1.6 60.2 68.3 17 13 Oct 12-16, 2017 2.5 54.9 55.1 19 14 • ~2% websites use web sockets. • 55-61 % sockets are initiated by A&A domains • 55-73 % sockets contact an A&A domain • # Initiators drops after Chrome 58 release. • Small but persistent A&A receivers. Before 
 Chrome 58 After 
 Chrome 58
  54. 54. Initiators and Receivers 10
  55. 55. Initiators and Receivers 10 Initiator ReceiverJavaScript
  56. 56. Initiators and Receivers 10 Initiator Receiver ws/s JavaScript
  57. 57. Initiators and Receivers 10 Initiator Receiver ws/s JavaScript
  58. 58. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A 
 Initiators Initiator Receiver ws/s JavaScript
  59. 59. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 Top A&A 
 Initiators Initiator Receiver ws/s JavaScript
  60. 60. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s JavaScript
  61. 61. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. JavaScript
  62. 62. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. JavaScript
  63. 63. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. • 33across & Lockerdome are advertising platforms. JavaScript
  64. 64. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 6 googlesyndication 6 cloudfront 4 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 15 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. • 33across & Lockerdome are advertising platforms. • Inspectlet & Hotjar are session replay services. JavaScript
  65. 65. Sent Items Over Web Sockets 11
  66. 66. Sent Items Over Web Sockets 11 Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  67. 67. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  68. 68. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs • Fingerprinting data in ~3.4% WebSockets. 
 97% is 33across Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  69. 69. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs • Fingerprinting data in ~3.4% WebSockets. 
 97% is 33across • ~1.5% WebSockets sends the entire DOM to Hotjar Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  70. 70. 12 Received Items Over Web Sockets
  71. 71. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  72. 72. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  73. 73. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  74. 74. 12 Received Items Over Web Sockets Ads served from Lockerdome HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  75. 75. Summary • ~67% of socket connections are initiated or received by A&A domains. • Major companies like Google, Facebook, Addthis adopted WebSockets. 
 Abandoned after Chrome 58 was released. • The culprits: • 33across was harvesting fingerprinting data. • HotJar was exfiltrating the entire DOM • Lockerdome downloaded URLs to serve ads. • We need to keep with the current practices of A&A companies. 13
  76. 76. Summary • ~67% of socket connections are initiated or received by A&A domains. • Major companies like Google, Facebook, Addthis adopted WebSockets. 
 Abandoned after Chrome 58 was released. • The culprits: • 33across was harvesting fingerprinting data. • HotJar was exfiltrating the entire DOM • Lockerdome downloaded URLs to serve ads. • We need to keep with the current practices of A&A companies. 13 Questions? ahmad@ccs.neu.edu
  77. 77. Discussion Points • What’s Next? • Can these findings be used to fine advertisers or shape new policies? • Major Ad Exchanges abandoned WebSockets — Why? • New web standards. • Can be problematic? Where should we intervene? • Surprising that it took few years to patch this bug • WebRTC aspect of it. 14
  78. 78. Backup Slides
  79. 79. Inclusion Chain 16 <html> <body> <script src=“tracker/script.js” </script> <img src=“tracker/img.jpg”> </img> <script src=“ads/script.js”> </script> <iframe src=“frame.html”> <html> <body> <script src=“script_12.js”> </script> <img src=“img_a.jpg”> </img> </body> </html> </iframe> </body> </html> pub/ index.html tracker/ script.js tracker/ img.jpg ads/ script.js ads/ frame.html ads/ script_12.js ads/ img_a.jpg adnet/ data.ws Source code for ads/script_12.js
 
 let ws =
 new WebSocket(“ws://adnet/data.ws”, …);
 ws.onopen = function (e) {ws.send(“…”);} DOM Tree Inclusion Tree

×