No boundaries: Data exfiltration by third-party tracking scripts

Presented by Gunes Acar

Thursday, February 01, 2018
4:00 p.m.
ICSI Lecture Hall

Abstract:

I’ll present our findings on third-party tracking scripts that abuse their privileges to exfiltrate sensitive data and user identifiers. First, I’ll describe how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking. Second, I’ll present our findings on session replay scripts, which record keystrokes, mouse movements and contents of the web pages visited, and send them to third-party servers. Our findings show that the collection of page content causes sensitive information such as medical conditions, credit card details and other personal information to be sent to the third party as part of the recording. The publications of our results [1, 2] have already prompted action from browser vendors, websites, and third parties that engage in those practices. I’ll give an overview of those updates and conclude my talk by discussing potential countermeasures.

[1] https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-p...

[2] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identiti...

Bio:

Gunes Acar is a postdoctoral research associate at Princeton University's Center for Information Technology Policy. His research interests involve web tracking measurement, anonymous communications, and IoT privacy and security. Gunes obtained his PhD at the COSIC research group of KU Leuven in Belgium under the supervision of Claudia Diaz and Bart Preneel. He co-authored several prominent papers on advanced web tracking mechanisms such as browser fingerprinting, canvas fingerprinting and evercookies.