whole genome sequencing new and its types including shortgun and clone by clone
How Tracking Companies Circumvented Ad Blockers Using WebSockets Bug
1. How Tracking Companies Circumvented
Ad Blockers Using WebSockets
Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda,
William Robertson, Christo Wilson
Northeastern University
3. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
2
4. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
5. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
• User concern over tracking
• This has led to the proliferation of ad blockers
2
6. Online Tracking
• Boom in online advertising.
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
• User concern over tracking
• This has led to the proliferation of ad blockers
• Ad networks fight back
• E.g Using anti-ad blocking scripts
2
7. Google & Safari
• Google evaded Safari’s third-party cookie blocking policy
(Jonathan Mayer)
• … by submitting a form in an invisible iFrame
• Google was fined $22.5M by FTC
3
8. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
9. This Talk
How Ad Networks leveraged a bug in
Chrome API to bypass Ad Blockers
using WebSockets
4
• What caused this?
• How this bug was leveraged by ad networks?
19. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
20. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
webRequest API
21. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
22. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
Usually borrowed
from EasyList
23. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
24. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
25. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
Usually borrowed
from EasyList
26. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
url
webRequest API
Usually borrowed
from EasyList
27. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
Usually borrowed
from EasyList
28. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
29. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
30. Ad Blockers
6
• Chrome extension chrome.webRequest API
• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpeg
webRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed
from EasyList
32. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
33. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
34. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
35. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads
36. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads Patch
Landed
37. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released
38. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
* *
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released
* Represents when our crawls were done
39. AdBlock Evasion
• Due to a bug in chrome.webRequest API
• All ws/wss requests bypassed this extension
7
2012 2013 2014 2015 2016 2017 2018
* * * *
Original bug
reported
Users report
unblocked ads Patch
Landed
Chrome 58
released
* Represents when our crawls were done
42. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
43. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
This means we know
which resource included
which other resource
44. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
This means we know
which resource included
which other resource
45. Data Crawling
8
100K websites
sampled from Alexa Visit 15
links / website
Collected chains for
all inclusion
resources
Filter all resources
which end in
web sockets
Filter
WebSockets
Detect A&A
WebSocketsMark web sockets
which are used by
A&A domains
Companies involved in
Advertising and Analytics are
collectively referred as A&A
This means we know
which resource included
which other resource
66. Sent Items Over Web Sockets
11
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
67. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
68. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
69. Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets.
97% is 33across
• ~1.5% WebSockets sends the entire DOM to Hotjar
Cookie
IP
User IDs
Fingerprinting
Variables
DOM
% Requests
0 20 40 60 80
WebSockets
HTTP/S
71. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
72. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
73. 12
Received Items Over Web Sockets
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
74. 12
Received Items Over Web Sockets
Ads served from Lockerdome
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSockets
HTTP/S
75. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted
WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• HotJar was exfiltrating the entire DOM
• Lockerdome downloaded URLs to serve ads.
• We need to keep with the current practices of A&A companies.
13
76. Summary
• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted
WebSockets.
Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• HotJar was exfiltrating the entire DOM
• Lockerdome downloaded URLs to serve ads.
• We need to keep with the current practices of A&A companies.
13
Questions?
ahmad@ccs.neu.edu
77. Discussion Points
• What’s Next?
• Can these findings be used to fine advertisers or shape new
policies?
• Major Ad Exchanges abandoned WebSockets — Why?
• New web standards.
• Can be problematic? Where should we intervene?
• Surprising that it took few years to patch this bug
• WebRTC aspect of it.
14