Quantifying the Fingerprintability of Browser Extensions


XHOUND: Quantifying the Fingerprintability of Browser Extensions
Authors: Oleksii Starov and Nick Nikiforakis
Presented by: Jordan Wong

Motivation
- Browser extensions enhance browsers
- Users have an average of 5 extensions installed
- Are there any costs to these extensions?
  - Extensions allow you to be tracked
- Naive countermeasures do not work, because the fingerprint is stateless: it comes from what the extension does to the page, not from anything stored in the browser
  - Private browsing
  - Deleting cookies

Background
- Plugin
  - Delivers non-HTML content (e.g. Flash Player)
  - JavaScript can simply enumerate the installed plugins (navigator.plugins)
- Extension
  - Extends browser functionality (e.g. AdBlock)
  - No enumeration API: presence must be inferred by analyzing the Document Object Model (DOM)
- Types of tracking
  - Arbitrary domain: tracking on any web page
  - Specific domain: tracking only on a particular web page

Purpose of this paper
1. How many extensions introduce detectable DOM changes?
2. What types of DOM changes are introduced?
3. How many users are fingerprintable based on their extensions?
4. Can a tracking script check which extensions are installed?

XHound
- A human can inspect the DOM and infer the presence of an extension, but this does not scale to ALL available extensions
- XHound: a tool that determines the DOM changes made by extensions
- Two-step approach
  1. Place hooks on the DOM-modifying functions of interest (the JavaScript calls that add, remove or change elements)
  2. Dynamic analysis: stimulate the extension's DOM-changing code so that the hooks fire

OnTheFlyDOM library
- Creates queried elements 'on the fly': when an extension asks for an element the page does not have, the library creates it
- Records the created elements
- Returns them to the extension
- Forces extensions to activate and make the DOM changes they would otherwise only make on a page with matching content

Methodology
- Need to compare the DOM 'before' and 'after' the extension
- Naive approach: navigate to a page with and without the extension
  - Real web page DOMs are dynamic (ads, scripts, time-dependent content)
  - A DOM change cannot be attributed to the extension rather than to the page itself

Methodology
- Instead, visit honey pages
  - Contain various elements: text, videos, images, ...
  - Contain the OnTheFlyDOM library
  - 'Redirect' popular URLs to localhost (780 URLs), so that domain-specific extensions also activate on the honey page
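The following JavaScript is an added illustration of the two-step approach described on the XHound, OnTheFlyDOM and methodology slides; it is not XHound's code (none appears on this page). Because it has to run outside a browser, the DOM is a small constructed stand-in (FakeElement, FakeDocument), the hooked method names are the stand-in's own, and the "extension" is a hypothetical ad-blocking content script. A real implementation would hook the browser's Element and Document APIs instead.

```javascript
// Added illustration of XHound's two-step approach (hooks + on-the-fly element creation).
// Not XHound's code. The DOM stand-in below is constructed so the example runs in Node;
// a real implementation hooks the browser's own Element/Document APIs.

class FakeElement {
  constructor(tag, id = '') {
    this.tagName = tag; this.id = id; this.attrs = {}; this.text = ''; this.children = [];
  }
  appendChild(child) { this.children.push(child); return child; }
  removeChild(child) { this.children = this.children.filter((c) => c !== child); return child; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  setText(text) { this.text = text; } // stands in for the textContent setter
}

class FakeDocument {
  constructor() { this.body = new FakeElement('body'); }
  createElement(tag) { return new FakeElement(tag); }
  getElementById(id) {
    const stack = [this.body];
    while (stack.length) {
      const el = stack.pop();
      if (el.id === id) return el;
      stack.push(...el.children);
    }
    return null;
  }
}

const describe = (el) => el.tagName + (el.id ? '#' + el.id : '');

// Step 1: hook the mutation functions of interest so every change the extension makes is recorded.
// Step 2 (OnTheFlyDOM-style): when the extension queries an element the honey page lacks, create it,
// record that, and hand it back, so code that only runs "if the element exists" is still exercised.
function analyze(contentScript, { onTheFly = true } = {}) {
  const changes = [];
  const created = [];
  const proto = FakeElement.prototype;
  const hooks = {
    appendChild: (el, [child]) => ['add', describe(child), 'into ' + describe(el)],
    removeChild: (el, [child]) => ['remove', describe(child), 'from ' + describe(el)],
    setAttribute: (el, [name, value]) => ['attr', describe(el), `${name}=${value}`],
    setText: (el, [text]) => ['text', describe(el), text],
  };
  const originals = {};
  for (const [name, fmt] of Object.entries(hooks)) {
    originals[name] = proto[name];
    proto[name] = function (...args) {
      changes.push(fmt(this, args).join(' '));
      return originals[name].apply(this, args);
    };
  }
  const doc = new FakeDocument();
  const realGet = doc.getElementById.bind(doc);
  doc.getElementById = (id) => {
    let el = realGet(id);
    if (!el && onTheFly) {
      el = new FakeElement('div', id);
      doc.body.children.push(el); // bypass the hook: this is the harness, not the extension
      created.push(id);
    }
    return el;
  };
  try {
    contentScript(doc); // run the extension against the honey page
  } finally {
    Object.assign(proto, originals); // remove the hooks so later runs start clean
  }
  return { changes, created };
}

// Constructed stand-in for an ad-blocking extension's content script (hypothetical, not a real extension).
function sampleContentScript(doc) {
  const ad = doc.getElementById('ad-banner');
  if (ad) ad.setAttribute('style', 'display:none'); // only runs if the page has such an element
  const marker = doc.createElement('div');
  marker.id = 'ext-marker';
  doc.body.appendChild(marker);
  marker.setText('blocked');
}

console.log(analyze(sampleContentScript));                      // with OnTheFlyDOM: 3 changes recorded
console.log(analyze(sampleContentScript, { onTheFly: false }));  // without it: the ad-hiding branch never runs
```

The second run shows why the on-the-fly creation matters: without it the `#ad-banner` branch is never taken on the honey page and the attribute change would be missed, even though a real page with an ad container would trigger it and expose the extension.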

Fingerprintability of Extensions (1st RQ)
- Applied to the top 10,000 extensions in the Chrome Web Store
  - >9% are fingerprintable on an arbitrary domain
  - >16% are fingerprintable on a specific domain
- Restricted to the top 1,000 extensions
  - >13% are fingerprintable on an arbitrary domain
  - >23% are fingerprintable on a specific domain
- The more popular the extension, the more likely it is to be fingerprintable

Fingerprintability of Extensions (1st RQ)
- Most fingerprintable categories: Shopping, Social media
- Longitudinal study (4 months): 88% of the fingerprintable extensions were still fingerprintable
- Same analysis performed on Firefox extensions: same results

Types of DOM Modification (2nd RQ)
- 4 types of modification
  - Adding a DOM element
  - Deleting a DOM element
  - Changing a tag's attribute
  - Changing text on the page

Fingerprintability based on users' extensions (3rd RQ)
- 850 users and their installed extensions were analyzed
- Users grouped into anonymity sets: each set holds the users who share the same extension-based fingerprint
- The smaller the set, the more trackable the user; a set of size 1 means the user is uniquely identifiable
- 14% of users are uniquely identifiable based on their extensions alone
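As an added example (not the paper's code or data), the anonymity-set grouping from this slide in JavaScript. The user list and the set of fingerprintable extension names are constructed for illustration; only extensions a tracker can actually detect contribute to a user's fingerprint, so users whose extensions are all undetectable collapse into one large set.

```javascript
// Added example: anonymity sets over extension-based fingerprints.
// Not from the paper; the users and extension names below are constructed sample data.

// A fingerprint is the sorted, de-duplicated list of detectable extensions, so
// installation order does not matter and two users with the same extensions match.
function fingerprintOf(detectable) {
  return [...new Set(detectable)].sort().join(',');
}

// Group users by fingerprint. `fingerprintable` is the set of extensions a tracker
// can detect (in the paper: the output of XHound); everything else is invisible.
function anonymitySets(users, fingerprintable) {
  const sets = new Map();
  for (const [user, exts] of Object.entries(users)) {
    const fp = fingerprintOf(exts.filter((e) => fingerprintable.has(e)));
    if (!sets.has(fp)) sets.set(fp, []);
    sets.get(fp).push(user);
  }
  return sets;
}

function summarize(users, fingerprintable) {
  const sets = anonymitySets(users, fingerprintable);
  const total = Object.keys(users).length;
  const uniqueUsers = [...sets.values()].filter((s) => s.length === 1).length;
  // Size of the anonymity set each user falls into: smaller means more trackable.
  const setSizeByUser = {};
  for (const members of sets.values()) {
    for (const u of members) setSizeByUser[u] = members.length;
  }
  return {
    total,
    distinctFingerprints: sets.size,
    uniqueUsers,
    uniqueFraction: uniqueUsers / total,
    setSizeByUser,
  };
}

// Constructed sample: which extensions XHound-style analysis could detect ...
const fingerprintable = new Set(['adblock', 'grammarly', 'honey', 'lastpass']);
// ... and which extensions each (hypothetical) user has installed.
const sampleUsers = {
  alice: ['adblock', 'grammarly'],
  bob: ['grammarly', 'adblock'],        // same extensions as alice, different order
  carol: ['adblock', 'honey', 'lastpass'],
  dave: ['darkreader'],                 // not detectable: empty fingerprint
  erin: [],                             // also empty fingerprint, shares a set with dave
  frank: ['adblock'],
};

console.log(summarize(sampleUsers, fingerprintable));
// carol and frank are alone in their sets (2 of 6 users unique); alice/bob and dave/erin pair up
```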

Can a tracking script determine installed extensions? (4th RQ)
- Yes: a tracking script needs less than 5 ms to check for one extension
- Users have an average of 5 extensions
- More information can be deduced from a user's extensions
  - Interests
  - Income level
  - ...
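The tracker-side check, as an added example that is not the paper's script: for each known extension signature the page runs one cheap DOM probe and times it. The signatures are constructed placeholders for hypothetical extensions ('ext-A' to 'ext-C'), not real fingerprints, and `doc` is any object exposing the DOM calls the probes use (a real tracker passes `document`); the stub document at the end exists only so the example runs outside a browser.

```javascript
// Added example of the tracker-side check. Not the paper's code; signatures are constructed
// placeholders and stubDocument() is a stand-in for the browser's `document`.

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// A signature is the DOM side effect an XHound-style analysis recorded for the extension:
// an injected element, or an attribute the extension sets on an existing element.
const signatures = [
  { ext: 'ext-A', kind: 'added element', check: (doc) => doc.querySelector('#ext-a-marker') !== null },
  { ext: 'ext-B', kind: 'added element', check: (doc) => doc.querySelector('div.ext-b-toolbar') !== null },
  { ext: 'ext-C', kind: 'attribute change', check: (doc) => doc.documentElement.getAttribute('data-ext-c') !== null },
];

function detectExtensions(doc, sigs = signatures) {
  const detected = [];
  const timings = {};
  for (const sig of sigs) {
    const start = now();
    let hit = false;
    try {
      hit = sig.check(doc) === true;
    } catch (e) {
      hit = false; // a probe must never break the tracking script itself
    }
    timings[sig.ext] = now() - start; // per-check cost, in ms
    if (hit) detected.push(sig.ext);
  }
  // The sorted list is the extension-based fingerprint; a tracker combines it with other signals.
  return { fingerprint: [...detected].sort().join(','), detected, timings };
}

// Constructed stand-in for `document`: reports which selectors exist and which attributes <html> carries.
function stubDocument({ selectors = [], htmlAttrs = {} } = {}) {
  return {
    querySelector: (sel) => (selectors.includes(sel) ? {} : null),
    documentElement: { getAttribute: (name) => (name in htmlAttrs ? htmlAttrs[name] : null) },
  };
}

// A visitor whose (hypothetical) extensions inject #ext-a-marker and set data-ext-c on <html>.
const visitor = stubDocument({ selectors: ['#ext-a-marker'], htmlAttrs: { 'data-ext-c': 'on' } });
console.log(detectExtensions(visitor));
```

Each probe is a single selector or attribute lookup, which is why the per-extension cost stays in the low-millisecond range quoted on the slide. Content scripts usually inject after the page has loaded, so a deployed tracker would re-run the probes once the page is idle rather than only at script execution.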

Countermeasures
- Encapsulation
  - Shadow DOM: 'package' the extension's elements so that presentation is separated from content and the page's scripts cannot see them
  - Does not work for all types of change: it hides what the extension adds, not what it deletes or alters in the page's own elements
- Namespace pollution
  - Add random (decoy) changes to the DOM
  - Gives tracking scripts false positives
  - Hard to achieve: the original page functionality must be maintained

Criticism – Browsers
- Did not consider the effects of different browser versions
- Other popular browsers were not explored
  - Safari
  - Microsoft Edge
  - Internet Explorer

Criticism – Extension setup and source
- Some extensions require setup before they activate
  - Redux DevTools
  - Responsive WebTester
- XHound does not configure extensions, so the DOM changes of such extensions may be missed
- Extension source
  - Only the Chrome Web Store was used
  - Third-party sources were not considered

Criticism – Frameworks
- Multiple front-end frameworks
  - Angular
  - React
- They produce significantly different resulting DOMs
- May impact the fingerprintability of extensions, but this was not considered

Criticism – Summary
- The paper provides a convincing argument about the tracking risk
- Opportunity for future work

Thank you Q & A