This document discusses privacy leaks on websites and apps. It describes common uses of third parties like analytics and recommendations. However, it notes that many websites leak sensitive personal information to numerous third parties without user consent. It proposes tools like Mitmproxy and a framework called Babel to analyze privacy and security practices, identify leaks, and grade sites on headers. Demoing these tools, it finds sites leaking data and discusses helping organizations audit privacy.

1. Konark Modi, Tech Lead – Cliqz GmbH
@konarkmodi
What do travel, food & health
websites have in common?
Auditing websites & apps for privacy leaks

4. https://www.scribd.com/

6. https://giphy.com/gifs/cat-funny-5tSvsYJl4T4fC

7. Legit use cases for third-parties.
• Web analytics
• Content delivery network
• On- and offsite user journey and conversion tracking
• App performance
• Audience measurement
• Goal conversions
• Content recommendation
• Social sharing

8. @konarkmodi

9. Sample implementation of third-party

10. October ‘17

11. Source: https://twitter.com/sofipros

16. API making it easy to consume data

17. More details: https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b

18. Tell Tale URLs
“ A URL which contains sensitive data or can
lead you to a page which contains sensitive
information. “

19. Identifying leaks #1

20. Identifying leaks #1
~7 third-parties with whom this information was shared

21. Identifying leaks #2
Foodora leaking address details to 18 third-party domains.

22. Identifying leaks #3

23. Identifying leaks #3
Spotify leaking oAuth token to ~12 third-party domains.

24. Identifying leaks #4

26. Risks of Tell Tale URLs #1
• Websites are clearly leaking sensitive PII to plethora of third-parties.

27. Risks of Tell Tale URLs #2
• Websites are clearly leaking sensitive PII to plethora of third-parties.
• More often without users’ consent.

28. Risks of Tell Tale URLs #3
• Websites are clearly leaking sensitive PII to plethora of third-parties.
• More often with users’ consent.
• More dangerously without the websites realizing it.

29. What about control ?

30. What about control ?

31. What about control ?
• British airways
• Ticketmaster
• NewEgg
• VisionDirect
More details: https://whotracks.me/blog/trackers-
who-steal.html

32. Are these problems hard to fix?
• Make sure all communication is over HTTPS.
• Private pages should have noindex meta tags.
• Limit the presence of third-party services on private pages.
• Referrer-Policy on pages with sensitive data.
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
• Implement CSP and SRI. Even with a huge footprint of third-party
services CSP, SRI are not enabled on majority of the websites.
• CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• SRI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

33. Missing piece in the puzzle.

34. Missing piece in the puzzle.
Ø Open Source & Free
Ø Supports multiple
platforms.
Ø Save & Replay
functionality.
Ø Some API to
configure, transform
data as desired.
Ø Supports Python.

35. Missing piece in the puzzle.
https://mitmproxy.org/

36. Mitmproxy - Setup
1. Install mitmproxy
• https://docs.mitmproxy.org/stable/overview-installation/
2. Configure it on client
3. One time configuration of installing the mitmproxy CA certificate
• https://docs.mitmproxy.org/stable/concepts-certificates/
4. Trust the certificate.

37. Mitmproxy - Setup
https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/

38. Demo #1

39. mitmproxy - Advanced Usage

40. Mitmproxy – Python API
https://github.com/mitmproxy/mitmproxy/tree/v4.x/examples/

41. Babel: Network analysis framework
Step 1: Convert mitm flow into JSON. Similar
to HAR format.

42. Babel: Network analysis framework
Step 2: Classify calls as first party and third-party.

43. Babel: Network analysis framework
Step 3: Who maxymiser.net belongs too. Done via
locally shipped copy of whotracks.me dataset.

44. Babel: Network analysis framework
Step 4: Grade on security and privacy headers.
Using library from
https://github.com/mozilla/http-observatory

45. Babel: Network analysis framework
Step 5: Hook up geo-ip database to list where the
server is hosted. This is important in terms of data
processing agreements that companies have.

46. Babel: Network analysis framework
Step 6: Introspection tool. To play with this
processed data.

47. Demo #2

48. Next Steps & Resources
• Security header analysis
• DLP based detection of sensitive data
• Open-source Babel
• Browser extension is already open-sourced: https://github.com/cliqz-oss/local-sheriff/
• Help organizations set-up Babel in testing phase as an audit tool.

49. Offline discussion

50. Organizations with digital products that lack even the most basic data
security practices are living in a utopian world where people leave their
safe open and never expect a burglar to walk in.
- https://twitter.com/pi_modi
Konark Modi
Twitter: @konarkmodi
Blog: https://medium.com/@konarkmodi