ACM Internet Measurement Conference (IMC) Boston, MA, USA, October 2018

1. How Tracking Companies Circumvented
Ad Blockers Using WebSockets
Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda,
William Robertson, Christo Wilson
Northeastern University

2. Online Tracking
2

3. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2

4. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions

5. Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions
Ad networks fight back
• E.g Using anti ad blocking scripts

6. Google & Safari
• Google evaded Safari’s third-party cookie blocking policy
(Jonathan Mayer)
• … by submitting a form in an invisible iFrame
• Google was fined $22.5M by FTC
3

7. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4

8. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
1. What caused this?
2. How this bug was leveraged by ad networks?

9. Web Sockets
5

10. Web Sockets
5
HTTP/S

11. Web Sockets
5
HTTP/S
request
response

12. Web Sockets
5
HTTP/S
request
response
Chatting App

13. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?

14. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?
Web Socket

15. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?
Web Socket
bidirectional
• Both client and server can send/receive data
• This is a persistent connection

16. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?
Web Socket
bidirectional
ws:// or wss://
• Both client and server can send/receive data
• This is a persistent connection

17. Ad Blockers
6

18. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests

19. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
webRequest API

20. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API

21. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
Usually borrowed
from EasyList

22. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

23. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

24. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

25. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
webRequest API
Usually borrowed
from EasyList

26. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
Usually borrowed
from EasyList

27. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

28. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

29. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

30. AdBlock Evasion
7

31. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
webRequest API

32. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
webRequest API

33. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
webRequest API

34. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
webRequest API

35. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
webRequest API

36. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
Chrome 58
released
webRequest API

37. AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
* * * *
Original bug
reported
Users report
unblocked ads
Patch
Finalized
( Landed)
Chrome 58
released
* Represents when our crawls were done
webRequest API

38. Data Crawling
8

39. Data Crawling
8
100K websites
sampled from Alexa

40. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources

41. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
This means we know
which resource included
which other resource

42. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
This means we know
which resource included
which other resource

43. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource

44. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
ads/
img_a.jpg
adnet/
data.ws
Example Inclusion Tree

45. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
ads/
img_a.jpg
adnet/
data.ws
Example Inclusion Tree
WebSocket
WebSocket

46. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
srv.ws ads/
script.js
ads/
frame.html
adnet/
data.ws
Example Inclusion Tree
WebSocket
WebSocket

47. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all included
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSockets
Mark web sockets
which are used by
A&A domains
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs
This means we know
which resource included
which other resource
pub/
index.html
ads/
script.js
ads/
frame.html
adnet/
data.ws
Example Inclusion Tree
WebSocket

48. High-Level Numbers
9

49. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
Before
Chrome 58

50. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
Before
Chrome 58
After
Chrome 58

51. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
Before
Chrome 58
After
Chrome 58

52. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
Before
Chrome 58
After
Chrome 58
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs

53. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
Before
Chrome 58
After
Chrome 58
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs

54. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
• # Initiators drop after Chrome 58 release.
Before
Chrome 58
After
Chrome 58
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs

55. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
• # Initiators drop after Chrome 58 release.
• Small but persistent A&A receivers.
Before
Chrome 58
After
Chrome 58
A&A = Advertising and Analytics
e.g. DoubleClick, Criteo, Adnxs

56. Initiators and Receivers
10

57. Initiators and Receivers
10
Initiator ReceiverJavaScript

58. Initiators and Receivers
10
Initiator Receiver
ws/s
JavaScript

59. Initiators and Receivers
10
Initiator Receiver
ws/s
JavaScript

60. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
Top A&A
Initiators
Initiator Receiver
ws/s
JavaScript

61. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
Top A&A
Initiators
Initiator Receiver
ws/s
JavaScript

62. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 16
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
JavaScript

63. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 16
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
JavaScript

64. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 16
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
JavaScript

65. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 16
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
• 33across & Lockerdome
are advertising platforms.
JavaScript

66. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 7
googlesyndication 6
twitter 5
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 16
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
• 33across & Lockerdome
are advertising platforms.
• Inspectlet & Hotjar are
session replay services.
JavaScript

67. Sent Items Over Web Sockets
11

68. Sent Items Over Web Sockets
11
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

69. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

70. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

71. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
• ~1.6% WebSockets sends the entire DOM to
Hotjar, LuckyOrange, TruConversion
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

72. 12
Received Items Over Web Sockets

73. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

74. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

75. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

76. 12
Received Items Over Web Sockets
Ads served from Lockerdome
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

77. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13

78. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13
Questions?
ahmad@ccs.neu.edu

79. Backup Slides

80. Inclusion Chain
15
<html>
<body>
<script src=“tracker/script.js” </script>
<img src=“tracker/img.jpg”> </img>
<script src=“ads/script.js”> </script>
<iframe src=“frame.html”>
<html> <body>
<script src=“script_12.js”> </script>
<img src=“img_a.jpg”> </img>
</body> </html>
</iframe>
</body>
</html>
pub/
index.html
tracker/
script.js
tracker/
img.jpg
ads/
script.js
ads/
frame.html
ads/
script_12.js
ads/
img_a.jpg
adnet/
data.ws
Source code for ads/script_12.js
let ws =
new WebSocket(“ws://adnet/data.ws”, …);
ws.onopen = function (e) {ws.send(“…”);}
DOM Tree Inclusion Tree