9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
How Tracking Companies Circumvented Ad Blockers Using WebSockets
1. How Tracking Companies Circumvented
Ad Blockers Using WebSockets
Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda,
William Robertson, Christo Wilson
Northeastern University
3. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
4. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions
5. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions
Ad networks fight back
• E.g Using anti ad blocking scripts
6. Google & Safari
• Google evaded Safari’s third-party cookie blocking policy
(Jonathan Mayer)
• … by submitting a form in an invisible iFrame
• Google was fined $22.5M by FTC
3
7. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
8. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
1. What caused this?
2. How this bug was leveraged by ad networks?
18. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
19. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
webRequest API
20. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
21. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
Usually borrowed
from EasyList
22. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
23. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
24. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
25. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
webRequest API
Usually borrowed
from EasyList
26. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
Usually borrowed
from EasyList
27. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
28. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
29. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
32. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
webRequest API
33. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
webRequest API
34. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
webRequest API
35. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
webRequest API
36. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
Chrome 58
released
webRequest API
37. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
* * * *
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
Chrome 58
released
* Represents when our crawls were done
webRequest API
40. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
41. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
This means we know
which resource included
which other resource
42. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
This means we know
which resource included
which other resource
43. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
44. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
ads/
img_a.jpg
adnet/
data.ws
Example Inclusion Tree
45. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
ads/
img_a.jpg
adnet/
data.ws
Example Inclusion Tree
WebSocket
WebSocket
46. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
adnet/
data.ws
Example Inclusion Tree
WebSocket
WebSocket
47. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
ads/
script.js
ads/
frame.html
adnet/
data.ws
Example Inclusion Tree
WebSocket
68. Sent Items Over Web Sockets
11
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
69. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
70. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
71. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
• ~1.6% WebSockets sends the entire DOM to
Hotjar, LuckyOrange, TruConversion
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
73. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
74. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
75. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
76. 12
Received Items Over Web Sockets
Ads served from Lockerdome
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
77. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13
78. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13
Questions?
ahmad@ccs.neu.edu