Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How Tracking Companies Circumvented Ad Blockers Using WebSockets

12 views

Published on

ACM Internet Measurement Conference (IMC)
Boston, MA, USA, October 2018

Published in: Science
  • Be the first to comment

  • Be the first to like this

How Tracking Companies Circumvented Ad Blockers Using WebSockets

  1. 1. How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson
 
 Northeastern University
  2. 2. Online Tracking 2
  3. 3. Online Tracking Surge in online advertising (internet economy) • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. 2
  4. 4. Online Tracking Surge in online advertising (internet economy) • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. 2 User concern over tracking • Led to the proliferation of ad blocking extensions
  5. 5. Online Tracking Surge in online advertising (internet economy) • Ad networks pour in billions of dollars. • Value for their investment? • Extensive tracking to serve targeted ads. 2 User concern over tracking • Led to the proliferation of ad blocking extensions Ad networks fight back • E.g Using anti ad blocking scripts
  6. 6. Google & Safari • Google evaded Safari’s third-party cookie blocking policy (Jonathan Mayer) • … by submitting a form in an invisible iFrame • Google was fined $22.5M by FTC 3
  7. 7. This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4
  8. 8. This Talk How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers using WebSockets 4 1. What caused this? 2. How this bug was leveraged by ad networks?
  9. 9. Web Sockets 5
  10. 10. Web Sockets 5 HTTP/S
  11. 11. Web Sockets 5 HTTP/S request response
  12. 12. Web Sockets 5 HTTP/S request response Chatting App
  13. 13. Web Sockets 5 HTTP/S request response Chatting App anything new?
  14. 14. Web Sockets 5 HTTP/S request response Chatting App anything new? Web Socket
  15. 15. Web Sockets 5 HTTP/S request response Chatting App anything new? Web Socket bidirectional • Both client and server can send/receive data • This is a persistent connection
  16. 16. Web Sockets 5 HTTP/S request response Chatting App anything new? Web Socket bidirectional ws:// or wss:// • Both client and server can send/receive data • This is a persistent connection
  17. 17. Ad Blockers 6
  18. 18. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests
  19. 19. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests webRequest API
  20. 20. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API
  21. 21. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List Usually borrowed 
 from EasyList
  22. 22. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  23. 23. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  24. 24. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url Usually borrowed 
 from EasyList
  25. 25. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List url webRequest API Usually borrowed 
 from EasyList
  26. 26. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API Usually borrowed 
 from EasyList
  27. 27. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  28. 28. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  29. 29. Ad Blockers 6 • Chrome extension chrome.webRequest API • Extension can inspect / modify / drop outgoing requests http://cnn.com/logo.jpeg webRequest API Rule List http://doubleclick.com/s1.js url webRequest API url Usually borrowed 
 from EasyList
  30. 30. AdBlock Evasion 7
  31. 31. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 webRequest API
  32. 32. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 webRequest API
  33. 33. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported webRequest API
  34. 34. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads webRequest API
  35. 35. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads Patch Finalized 
 ( Landed) webRequest API
  36. 36. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 Original bug
 reported Users report 
 unblocked ads Patch Finalized 
 ( Landed) Chrome 58
 released webRequest API
  37. 37. AdBlock Evasion • Bug in • ws/wss requests did not trigger the API 7 2012 2013 2014 2015 2016 2017 2018 * * * * Original bug
 reported Users report 
 unblocked ads Patch Finalized 
 ( Landed) Chrome 58
 released * Represents when our crawls were done webRequest API
  38. 38. Data Crawling 8
  39. 39. Data Crawling 8 100K websites 
 sampled from Alexa
  40. 40. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources
  41. 41. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources This means we know which resource included which other resource
  42. 42. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets This means we know which resource included which other resource
  43. 43. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSockets Mark web sockets
 which are used by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs This means we know which resource included which other resource
  44. 44. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSockets Mark web sockets
 which are used by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs This means we know which resource included which other resource pub/ index.html srv.ws ads/ script.js ads/ frame.html ads/ img_a.jpg adnet/ data.ws Example Inclusion Tree
  45. 45. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSockets Mark web sockets
 which are used by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs This means we know which resource included which other resource pub/ index.html srv.ws ads/ script.js ads/ frame.html ads/ img_a.jpg adnet/ data.ws Example Inclusion Tree WebSocket WebSocket
  46. 46. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSockets Mark web sockets
 which are used by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs This means we know which resource included which other resource pub/ index.html srv.ws ads/ script.js ads/ frame.html adnet/ data.ws Example Inclusion Tree WebSocket WebSocket
  47. 47. Data Crawling 8 100K websites 
 sampled from Alexa Visit 15 
 links / website Collected chains for all included resources Filter all resources which end in 
 web sockets Filter 
 WebSockets Detect A&A 
 WebSockets Mark web sockets
 which are used by A&A domains A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs This means we know which resource included which other resource pub/ index.html ads/ script.js ads/ frame.html adnet/ data.ws Example Inclusion Tree WebSocket
  48. 48. High-Level Numbers 9
  49. 49. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 Before 
 Chrome 58
  50. 50. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 Before 
 Chrome 58 After 
 Chrome 58
  51. 51. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 • ~2% websites use web sockets. Before 
 Chrome 58 After 
 Chrome 58
  52. 52. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 • ~2% websites use web sockets. • ~61 % sockets are initiated by A&A domains Before 
 Chrome 58 After 
 Chrome 58 A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
  53. 53. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 • ~2% websites use web sockets. • ~61 % sockets are initiated by A&A domains • ~71 % sockets contact an A&A domain Before 
 Chrome 58 After 
 Chrome 58 A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
  54. 54. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 • ~2% websites use web sockets. • ~61 % sockets are initiated by A&A domains • ~71 % sockets contact an A&A domain • # Initiators drop after Chrome 58 release. Before 
 Chrome 58 After 
 Chrome 58 A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
  55. 55. High-Level Numbers 9 Crawl Dates %Websites 
 with sockets % Sockets
 with A&A
 Initiators % Sockets
 with A&A
 Receivers #Unique A&A
 Initiators #Unique A&A
 Receivers Apr 02-05, 2017 2.1 60.6 73.7 75 16 Apr 11-16, 2017 2.4 61.3 74.6 63 18 May 07-12, 2017 1.6 60.2 69.7 19 15 Oct 12-16, 2017 2.5 63.4 63.7 23 18 • ~2% websites use web sockets. • ~61 % sockets are initiated by A&A domains • ~71 % sockets contact an A&A domain • # Initiators drop after Chrome 58 release. • Small but persistent A&A receivers. Before 
 Chrome 58 After 
 Chrome 58 A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
  56. 56. Initiators and Receivers 10
  57. 57. Initiators and Receivers 10 Initiator ReceiverJavaScript
  58. 58. Initiators and Receivers 10 Initiator Receiver ws/s JavaScript
  59. 59. Initiators and Receivers 10 Initiator Receiver ws/s JavaScript
  60. 60. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A 
 Initiators Initiator Receiver ws/s JavaScript
  61. 61. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 Top A&A 
 Initiators Initiator Receiver ws/s JavaScript
  62. 62. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s JavaScript
  63. 63. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. JavaScript
  64. 64. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. JavaScript
  65. 65. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. • 33across & Lockerdome are advertising platforms. JavaScript
  66. 66. Initiators and Receivers 10 A&A Initiator #A&A
 Receivers facebook 11 google 11 doubleclick 9 youtube 8 addthis 8 hotjar 7 googlesyndication 6 twitter 5 sharethis 4 adnxs 3 A&A Receiver #A&A
 Initiators realtime 27 33across 19 intercom 16 disqus 13 zopim 12 hotjar 11 feedjit 10 lockerdome 8 inspectlet 6 smartsupp 4 Top A&A 
 Initiators Top A&A 
 Receivers Initiator Receiver ws/s • Disqus provides comment board services. • Zopim, Intercom, Smartsupp provide live chat services. • 33across & Lockerdome are advertising platforms. • Inspectlet & Hotjar are session replay services. JavaScript
  67. 67. Sent Items Over Web Sockets 11
  68. 68. Sent Items Over Web Sockets 11 Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  69. 69. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  70. 70. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs • Fingerprinting data in ~3.4% WebSockets. 
 97% is 33across Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  71. 71. Sent Items Over Web Sockets 11 •Stateful Identifiers like Cookie and User IDs • Fingerprinting data in ~3.4% WebSockets. 
 97% is 33across • ~1.6% WebSockets sends the entire DOM to 
 Hotjar, LuckyOrange, TruConversion Cookie IP User IDs Fingerprinting 
 Variables DOM % Requests 0 20 40 60 80 WebSockets HTTP/S
  72. 72. 12 Received Items Over Web Sockets
  73. 73. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  74. 74. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  75. 75. 12 Received Items Over Web Sockets HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  76. 76. 12 Received Items Over Web Sockets Ads served from Lockerdome HTML JSON JavaScript Images % Responses 0 10 20 30 40 50 WebSockets HTTP/S
  77. 77. Summary • ~67% of socket connections are initiated or received by A&A domains. • Major companies like Google, Facebook, Addthis adopted WebSockets. 
 Abandoned after Chrome 58 was released. • The culprits: • 33across was harvesting fingerprinting data. • DOM exfiltration by HotJar, LuckyOrange, TruConversion • Lockerdome downloaded URLs to serve ads. • We need to keep up with the current practices of A&A companies. 13
  78. 78. Summary • ~67% of socket connections are initiated or received by A&A domains. • Major companies like Google, Facebook, Addthis adopted WebSockets. 
 Abandoned after Chrome 58 was released. • The culprits: • 33across was harvesting fingerprinting data. • DOM exfiltration by HotJar, LuckyOrange, TruConversion • Lockerdome downloaded URLs to serve ads. • We need to keep up with the current practices of A&A companies. 13 Questions? ahmad@ccs.neu.edu
  79. 79. Backup Slides
  80. 80. Inclusion Chain 15 <html> <body> <script src=“tracker/script.js” </script> <img src=“tracker/img.jpg”> </img> <script src=“ads/script.js”> </script> <iframe src=“frame.html”> <html> <body> <script src=“script_12.js”> </script> <img src=“img_a.jpg”> </img> </body> </html> </iframe> </body> </html> pub/ index.html tracker/ script.js tracker/ img.jpg ads/ script.js ads/ frame.html ads/ script_12.js ads/ img_a.jpg adnet/ data.ws Source code for ads/script_12.js
 
 let ws =
 new WebSocket(“ws://adnet/data.ws”, …);
 ws.onopen = function (e) {ws.send(“…”);} DOM Tree Inclusion Tree

×