IEEE S&P Workshop on Technology and Consumer Protection (ConPro) San Francisco, CA, USA, May 2018

1. How Tracking Companies Circumvented
Ad Blockers Using WebSockets
Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda,
William Robertson, Christo Wilson
Northeastern University

2. Online Tracking
2

3. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
2

4. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2

5. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
• User concern over tracking
• This has led to the proliferation of ad blockers
2

6. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
• User concern over tracking
• This has led to the proliferation of ad blockers
• Ad networks fight back
• E.g Using anti-ad blocking scripts
2

7. Google & Safari
• Google evaded Safari’s third-party cookie blocking policy
(Jonathan Mayer)
• … by submitting a form in an invisible iFrame
• Google was fined $22.5M by FTC
3

8. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4

9. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
• What caused this?
• How this bug was leveraged by ad networks?

10. Web Sockets
5

11. Web Sockets
5
HTTP/S

12. Web Sockets
5
HTTP/S

13. Web Sockets
5
HTTP/S
request
response

14. Web Sockets
5
HTTP/S
request
response
Chatting App

15. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?

16. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?
Web Socket

17. Web Sockets
5
HTTP/S
request
response
Chatting App
anything new?
Web Socket
bidirectional
ws:// or wss://
• Both client and server can send/receive data
• This is a persistent connection

18. Ad Blockers
6

19. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests

20. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
webRequest API

21. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API

22. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
Usually borrowed
from EasyList

23. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

24. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

25. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList

26. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
webRequest API
Usually borrowed
from EasyList

27. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
Usually borrowed
from EasyList

28. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

29. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

30. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList

31. AdBlock Evasion
7

32. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7

33. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018

34. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported

35. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads

36. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads Patch
Landed

37. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released

38. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
* *
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released
* Represents when our crawls were done

39. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
* * * *
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released
* Represents when our crawls were done

40. Data Crawling
8

41. Data Crawling
8
100K websites
sampled from Alexa

42. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources

43. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
This means we know
which resource included
which other resource

44. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
This means we know
which resource included
which other resource

45. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSocketsMark web sockets
which are used by
A&A domains
Companies involved in
Advertising and Analytics are
collectively referred as A&A
This means we know
which resource included
which other resource

46. High-Level Numbers
9

47. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
Before
Chrome 58

48. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
Before
Chrome 58
After
Chrome 58

49. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
• ~2% websites use web sockets.
Before
Chrome 58
After
Chrome 58

50. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
• ~2% websites use web sockets.
• 55-61 % sockets are initiated by A&A domains
Before
Chrome 58
After
Chrome 58

51. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
• ~2% websites use web sockets.
• 55-61 % sockets are initiated by A&A domains
• 55-73 % sockets contact an A&A domain
Before
Chrome 58
After
Chrome 58

52. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
• ~2% websites use web sockets.
• 55-61 % sockets are initiated by A&A domains
• 55-73 % sockets contact an A&A domain
• # Initiators drops after Chrome 58 release.
Before
Chrome 58
After
Chrome 58

53. High-Level Numbers
9
Crawl Dates
%Websites
with sockets
% Sockets
with A&A
Initiators
% Sockets
with A&A
Receivers
#Unique
A&A
Initiators
#Unique
A&A
Receivers
Apr 02-05, 2017 2.1 60.2 72.0 72 14
Apr 11-16, 2017 2.4 61.0 73.0 61 16
May 07-12, 2017 1.6 60.2 68.3 17 13
Oct 12-16, 2017 2.5 54.9 55.1 19 14
• ~2% websites use web sockets.
• 55-61 % sockets are initiated by A&A domains
• 55-73 % sockets contact an A&A domain
• # Initiators drops after Chrome 58 release.
• Small but persistent A&A receivers.
Before
Chrome 58
After
Chrome 58

54. Initiators and Receivers
10

55. Initiators and Receivers
10
Initiator ReceiverJavaScript

56. Initiators and Receivers
10
Initiator Receiver
ws/s
JavaScript

57. Initiators and Receivers
10
Initiator Receiver
ws/s
JavaScript

58. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
Top A&A
Initiators
Initiator Receiver
ws/s
JavaScript

59. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
Top A&A
Initiators
Initiator Receiver
ws/s
JavaScript

60. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 15
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
JavaScript

61. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 15
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
JavaScript

62. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 15
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
JavaScript

63. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 15
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
• 33across & Lockerdome
are advertising platforms.
JavaScript

64. Initiators and Receivers
10
A&A Initiator
#A&A
Receivers
facebook 11
google 11
doubleclick 9
youtube 8
addthis 8
hotjar 6
googlesyndication 6
cloudfront 4
sharethis 4
adnxs 3
A&A Receiver
#A&A
Initiators
realtime 27
33across 19
intercom 15
disqus 13
zopim 12
hotjar 11
feedjit 10
lockerdome 8
inspectlet 6
smartsupp 4
Top A&A
Initiators
Top A&A
Receivers
Initiator Receiver
ws/s
• Disqus provides
comment board services.
• Zopim, Intercom,
Smartsupp provide live
chat services.
• 33across & Lockerdome
are advertising platforms.
• Inspectlet & Hotjar are
session replay services.
JavaScript

65. Sent Items Over Web Sockets
11

66. Sent Items Over Web Sockets
11
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

67. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

68. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

69. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
• ~1.5% WebSockets sends the entire DOM to Hotjar
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S

70. 12
Received Items Over Web Sockets

71. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

72. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

73. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

74. 12
Received Items Over Web Sockets
Ads served from Lockerdome
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S

75. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted
WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• HotJar was exfiltrating the entire DOM
• Lockerdome downloaded URLs to serve ads.
• We need to keep with the current practices of A&A companies.
13

76. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted
WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• HotJar was exfiltrating the entire DOM
• Lockerdome downloaded URLs to serve ads.
• We need to keep with the current practices of A&A companies.
13
Questions?
ahmad@ccs.neu.edu

77. Discussion Points
• What’s Next?
• Can these findings be used to fine advertisers or shape new
policies?
• Major Ad Exchanges abandoned WebSockets — Why?
• New web standards.
• Can be problematic? Where should we intervene?
• Surprising that it took few years to patch this bug
• WebRTC aspect of it.
14

78. Backup Slides

79. Inclusion Chain
16
<html>
<body>
<script src=“tracker/script.js” </script>
<img src=“tracker/img.jpg”> </img>
<script src=“ads/script.js”> </script>
<iframe src=“frame.html”>
<html> <body>
<script src=“script_12.js”> </script>
<img src=“img_a.jpg”> </img>
</body> </html>
</iframe>
</body>
</html>
pub/
index.html
tracker/
script.js
tracker/
img.jpg
ads/
script.js
ads/
frame.html
ads/
script_12.js
ads/
img_a.jpg
adnet/
data.ws
Source code for ads/script_12.js
let ws =
new WebSocket(“ws://adnet/data.ws”, …);
ws.onopen = function (e) {ws.send(“…”);}
DOM Tree Inclusion Tree