Presentation is loading. Please wait.

Presentation is loading. Please wait.

Article Authors – Oleksii Starov & Nick Nikiforakas

Similar presentations


Presentation on theme: "Article Authors – Oleksii Starov & Nick Nikiforakas"— Presentation transcript:

1 Article Authors – Oleksii Starov & Nick Nikiforakas
XHOUND Quantifying the Fingerprintability of Browser Extensions Article Authors – Oleksii Starov & Nick Nikiforakas Presented by – Ammar Bagasrawala

2 Motivation Advertisers try to capitalize on users’ online activity
Browser fingerprinting allows users to be tracked and uniquely identified Clearing cookies and using the browser’s private mode is ineffective Browser extensions can serve as features that enable fingerprinting

3 Adblock Chrome Extension
Background Plugins vs Extensions Plugins allow rich content to be displayed Extensions extend the functionality of the browser Can obtain list of plugins installed, but not list of extensions Can only detect extensions by observing the changes made to the DOM of web pages Adobe Flash Plugin Adblock Chrome Extension

4 Background Threat Models
Attacker is someone who is trying to identify a user by fingerprinting their extensions Some extensions can only be detected on specific pages 2 attack scenarios Tracking script on arbitrary domain where only content dependent extensions will be activated Tracking script on a popular domain where URL- dependent extensions will be activated

5 Goals of this Study How many popular extensions introduce on-page changes and are thus fingerprintable? What kind of on-page changes do browser extensions introduce? How fingerprintable are the extension profiles of real users? How can a tracking script check for the presence of browser extensions?

6 XHOUND Architecture Have to observe modifications to the DOM to detect extensions XHOUND used a 2 step approach to maximise detection Extension’s JavaScript patched to place hooks on functions Dynamic analysis used to stimulate DOM changing code segments OnTheFlyDOM library intercepts DOM queries XHOUND Patches document.getElementById (#element) Returns element Query OnTheFlyDOM creates #element

7 Obtaining Fingerprintability of Extensions
Extensions need to be used on webpages Pretended to visit popular domains, but actually visited static pages which contained the OnTheFlyDOM library Each extension exposed to 780 URLs, spanning 308 subdomains Static pages contained various content: Audio and video tags Images and tables Login forms

8 Fingerprintability of Extensions
9.2% of extensions introduce detectable DOM changes on any domain, while 16% fingerprintable on at least 1 URL Popular extensions are more fingerprintable Fingerprintability also dependent on categories 90% perform uniquely identifiable combinations of changes 86% have 1 on-page effect that belongs to no other extension Longitudinal analysis was conducted, and 88% were still fingerprintable Types of DOM Modifications Made Type Extensions In on-the-fly content New DOM node 78.7% 20.3% Changed attribute 41.6% 84.4% Removed DOM node 15.8% 59.9% Changed text 4.7% 61.5%

9 Fingerprintability of Users
Users must employ different sets of extensions to be uniquely identifiable 854 users were surveyed, who had unique extensions in total Average user had 5 extensions installed From 856 extensions, 174 were fingerprintable, and 93 were fingerprintable on any URL Anonymity sets used based on installed extensions. Results show 14% of users in all surveyed groups are uniquely identifiable

10 Extension Fingerprinting in Practice
Proof of concept extension fingerprinting script created Takes less than 5ms to check for presence of extension Fingerprinting process takes less than 1 second for 20 extensions Fingerprinting of extensions can lead to user interests, income level, and technological competence to be discovered These findings extend to mobile devices too </>

11 Countermeasures Encapsulation Namespace Pollution
Use of Shadow DOM to separate content from presentation Shadow DOM elements unable to be queried from main DOM Problem – requires synchronisation of both DOM trees Namespace Pollution Pollute DOM with changes from extensions Randomization of changes would complicate fingerprinting Problem – challenging to preserve the functionality of the webpages when changes introduced

12 Criticism Ad blockers were not fingerprinted
Techniques such as global lists like “document.forms” were not supported Low percentage of textual change observed Inclusion of these could have led to an indication of a more severe security issue

13 Questions?


Download ppt "Article Authors – Oleksii Starov & Nick Nikiforakas"

Similar presentations


Ads by Google