PyConWeb - 2019 Auditing websites & apps for privacy leaks.
1. Konark Modi, Tech Lead – Cliqz GmbH (@konarkmodi). What do travel, food & health websites have in common? Auditing websites & apps for privacy leaks
2. https://www.scribd.com/
3. https://giphy.com/gifs/cat-funny-5tSvsYJl4T4fC
4. Legit use cases for third-parties.
   • Web analytics
   • Content delivery network
   • On- and offsite user journey and conversion tracking
   • App performance
   • Audience measurement
   • Goal conversions
   • Content recommendation
   • Social sharing
5. @konarkmodi
6. Sample implementation of third-party
7. October ‘17
8. Source: https://twitter.com/sofipros
9. API making it easy to consume data
10. More details: https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b
11. Tell Tale URLs: “A URL which contains sensitive data or can lead you to a page which contains sensitive information.”
12–13. Identifying leaks #1: ~7 third-parties with whom this information was shared
14. Identifying leaks #2: Foodora leaking address details to 18 third-party domains.
15–16. Identifying leaks #3: Spotify leaking an OAuth token to ~12 third-party domains.
17. Identifying leaks #4
18. Risks of Tell Tale URLs #1
   • Websites are clearly leaking sensitive PII to a plethora of third-parties.
19. Risks of Tell Tale URLs #2
   • Websites are clearly leaking sensitive PII to a plethora of third-parties.
   • More often without users’ consent.
20. Risks of Tell Tale URLs #3
   • Websites are clearly leaking sensitive PII to a plethora of third-parties.
   • More often with users’ consent.
   • More dangerously without the websites realizing it.
21–23. What about control? British Airways, Ticketmaster, NewEgg, VisionDirect. More details: https://whotracks.me/blog/trackers-who-steal.html
24. Are these problems hard to fix?
   • Make sure all communication is over HTTPS.
   • Private pages should have noindex meta tags.
   • Limit the presence of third-party services on private pages.
   • Referrer-Policy on pages with sensitive data: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
   • Implement CSP and SRI. Even with a huge footprint of third-party services, CSP and SRI are not enabled on the majority of websites.
     • CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     • SRI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
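The fixes on slide 24 can be checked mechanically for any private page (booking confirmation, order status, account page). The following checker is an added example, not code from the talk or from Babel: it takes a page URL, its response headers and its HTML and reports which of the slide's fixes are missing. The hosts, header values and the `sha384-PLACEHOLDER_DIGEST` integrity value in the sample pages are constructed for the example; a real SRI hash is computed from the script file.

```python
"""Audit one private page for the fixes listed on slide 24 (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Referrer-Policy values that keep the page's path and query string away from
# other origins, so a tell-tale URL is not leaked through the Referer header.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class _PageScanner(HTMLParser):
    """Collects the robots meta tag and external <script src> tags lacking SRI."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.noindex = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.noindex = True
        if tag == "script" and a.get("src"):
            src_host = urlsplit(a["src"]).hostname
            # Only scripts fetched from another host need an integrity attribute.
            if src_host and src_host != self.page_host and not a.get("integrity"):
                self.scripts_without_sri.append(a["src"])


def audit_private_page(url, headers, html):
    """Return the slide-24 fixes this page is missing (empty list = all present)."""
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    scanner = _PageScanner(parts.hostname)
    scanner.feed(html)
    missing = []
    if parts.scheme != "https":
        missing.append("https")
    if not scanner.noindex:
        missing.append("noindex")
    # A missing header counts as unsafe: the audit wants an explicit policy.
    policy = h.get("referrer-policy", "").strip().lower()
    if policy not in SAFE_REFERRER_POLICIES:
        missing.append("referrer-policy")
    if "content-security-policy" not in h:
        missing.append("csp")
    if scanner.scripts_without_sri:
        missing.append("sri")
    return missing


# Constructed sample: the same booking page before and after the fixes.
WEAK_HEADERS = {"Content-Type": "text/html"}
FIXED_HEADERS = {
    "Content-Type": "text/html",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}
WEAK_HTML = (
    '<html><head><script src="https://cdn.example/lib.js"></script></head>'
    '<body>Booking ABC123</body></html>'
)
FIXED_HTML = (
    '<html><head><meta name="robots" content="noindex">'
    '<script src="https://cdn.example/lib.js" '
    'integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>'
    '</head><body>Booking ABC123</body></html>'
)

if __name__ == "__main__":
    print(audit_private_page("http://shop.example/booking?id=ABC123", WEAK_HEADERS, WEAK_HTML))
    print(audit_private_page("https://shop.example/booking?id=ABC123", FIXED_HEADERS, FIXED_HTML))
```

The Referrer-Policy check treats an absent header as a failure on purpose: browser defaults have changed over the years, and an audit of a page carrying a tell-tale URL should insist on an explicit policy rather than rely on them.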
25–27. Missing piece in the puzzle: https://mitmproxy.org/
   • Open Source & Free
   • Supports multiple platforms.
   • Save & Replay functionality.
   • Some API to configure and transform data as desired.
   • Supports Python.
28. Mitmproxy - Setup
   1. Install mitmproxy: https://docs.mitmproxy.org/stable/overview-installation/
   2. Configure it on the client
   3. One-time configuration of installing the mitmproxy CA certificate: https://docs.mitmproxy.org/stable/concepts-certificates/
   4. Trust the certificate.
29. Mitmproxy - Setup: https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/
30. Demo #1
31. mitmproxy - Advanced Usage
32. Mitmproxy – Python API: https://github.com/mitmproxy/mitmproxy/tree/v4.x/examples/
33. Babel: Network analysis framework. Step 1: Convert mitm flows into JSON, similar to the HAR format.
34. Babel: Network analysis framework. Step 2: Classify calls as first-party and third-party.
35. Babel: Network analysis framework. Step 3: Who maxymiser.net belongs to. Done via a locally shipped copy of the whotracks.me dataset.
36. Babel: Network analysis framework. Step 4: Grade on security and privacy headers, using the library from https://github.com/mozilla/http-observatory
37. Babel: Network analysis framework. Step 5: Hook up a geo-IP database to list where the server is hosted. This is important in terms of the data processing agreements that companies have.
38. Babel: Network analysis framework. Step 6: Introspection tool, to play with this processed data.
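The six Babel steps above describe a pipeline. As an added example (not code from the talk or from Babel, which slide 40 says is not yet open-sourced), here is a minimal Python version of steps 1 to 3 together with the tell-tale URL check from slides 11 to 17: a mitmproxy addon that flattens each flow into a HAR-like JSON record, a first-party/third-party classifier, owner attribution from a local tracker database, and a scan for sensitive query parameters reaching third parties either in their own request URL or through the Referer header. Steps 4 to 6 (header grading with http-observatory, geo-IP, introspection) are left out. The `response` hook and the `flow.request.pretty_url`, `flow.request.headers` and `flow.response.status_code` attributes are mitmproxy's real API; the `FlowDumper` class, the `.example` hosts, the `TRACKER_DB` entries, the sensitive-parameter list and the sample records are constructed for this example, and `site_of` approximates eTLD+1 with the last two labels (use the Public Suffix List for real audits).

```python
"""Babel-style analysis of mitmproxy flows: steps 1-3 plus tell-tale URL leak detection (added example)."""
import json
import re
from urllib.parse import urlsplit, parse_qsl


# Step 1: flatten one mitmproxy HTTPFlow into a HAR-like record.
def flow_to_record(flow):
    return {
        "url": flow.request.pretty_url,
        "referer": flow.request.headers.get("Referer", ""),
        "status": flow.response.status_code if flow.response else None,
    }


class FlowDumper:
    """mitmproxy addon (constructed name): run with `mitmdump -s this_file.py`
    and every completed flow is appended as one JSON line to flows.jsonl."""

    def __init__(self, path="flows.jsonl"):
        self.path = path

    def response(self, flow):  # mitmproxy calls this hook for each completed response
        with open(self.path, "a") as fh:
            fh.write(json.dumps(flow_to_record(flow)) + "\n")


addons = [FlowDumper()]  # mitmproxy loads addons from this module-level list


# Step 2: classify each request relative to the site under audit.
def site_of(host):
    """Registrable-domain approximation: last two labels (constructed; use the PSL in practice)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(record, audited_site):
    host = urlsplit(record["url"]).hostname or ""
    return "first-party" if site_of(host) == audited_site else "third-party"


# Step 3: attribute third-party domains to their owner from a locally shipped
# dataset. Constructed stand-in for the whotracks.me data: domain -> owner.
TRACKER_DB = {
    "maxymiser.net": "OWNER_FROM_WHOTRACKSME_DATASET",  # placeholder; real value comes from the dataset
    "analytics.example": "Example Analytics Ltd",       # constructed entry
}


def owner_of(host):
    return TRACKER_DB.get(site_of(host), "unknown")


# Tell-tale URL check: parameter names that, in the talk's case studies, carried
# booking details, addresses or OAuth tokens (constructed list, extend per site).
SENSITIVE_PARAM = re.compile(r"token|email|phone|address|passenger|booking|pnr", re.I)


def sensitive_params(url):
    """Sorted names of query parameters in `url` that look sensitive."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if SENSITIVE_PARAM.search(k)})


def audit(records, audited_site):
    """One finding per third-party request that receives sensitive data, either in
    its own URL ("url" vector) or via the Referer of a tell-tale page ("referer" vector)."""
    findings = []
    for r in records:
        if classify(r, audited_site) != "third-party":
            continue
        host = urlsplit(r["url"]).hostname or ""
        for vector, url in (("url", r["url"]), ("referer", r.get("referer", ""))):
            params = sensitive_params(url)
            if params:
                findings.append({"third_party": host, "owner": owner_of(host),
                                 "vector": vector, "params": params})
    return findings


# Constructed sample records, loosely modelled on the slides' case studies.
PAGE = "https://www.shop.example/confirmation?booking=ABC123&email=a%40b.example&lang=en"
RECORDS = [
    {"url": PAGE, "referer": "", "status": 200},
    {"url": "https://www.shop.example/static/app.js", "referer": PAGE, "status": 200},
    {"url": "https://pixel.analytics.example/collect?pid=42", "referer": PAGE, "status": 200},
    {"url": "https://api.thirdparty.example/ping?access_token=CONSTRUCTED_TOKEN", "referer": "", "status": 200},
    {"url": "https://fonts.example/font.woff2", "referer": "https://www.shop.example/", "status": 200},
]

if __name__ == "__main__":
    for f in audit(RECORDS, "shop.example"):
        print(json.dumps(f))
```

Run against real flows, `RECORDS` is simply the lines of `flows.jsonl` parsed with `json.loads`; the two vectors are worth reporting separately because the Referer leak is fixed by the page's Referrer-Policy while the URL leak is fixed only by changing what the third-party integration sends.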
39. Demo #2
40. Next Steps & Resources
   • Security header analysis
   • DLP-based detection of sensitive data
   • Open-source Babel
   • Browser extension is already open-sourced: https://github.com/cliqz-oss/local-sheriff/
   • Help organizations set up Babel in the testing phase as an audit tool.
41. Offline discussion
42. “Organizations with digital products that lack even the most basic data security practices are living in a utopian world where people leave their safe open and never expect a burglar to walk in.” - https://twitter.com/pi_modi
   Konark Modi. Twitter: @konarkmodi. Blog: https://medium.com/@konarkmodi