How to violate user's privacy
Ran Bar-Zik
Developer at Verizon Media
Journalist at Haaretz
Contact me at:
Twitter: @barzik
internet-israel.com
Legal information
▪ The Israeli Law
▪ GDPR
Why we learn it
▪ We are evil
▪ We want to protect ourselves and others
▪ We want cheap prices
Setting the stage
We track on a website only, assuming the domain is under my control.
For example
Facebook, your friendly social network
This is how we are being tracked on a global scale
Track method 1:
Cookies
LAAAMMMMEEEE
1. Sent in every request.
2. Persistent.
3. Easy to detect :(
4. Easy to delete :(
Enter the forever cookie
ALSO LAAAMMMEEEE
RESPAWN: The HOLY GRAIL
Remember: No good deed goes unpunished
Track method 2:
Cookieless
cookies
No cookie no cry
ETag cookie
LET'S EXPLOIT IT
How it works
1. The server sends the session value as the ETag.
2. From now on the user's browser sends it back in `If-None-Match`.
3. No cookie, but still an `If-None-Match` header? Tsk tsk tsk, respawn commenced!
How can it be defeated?
1. Disable the cache entirely via dev tools.
2. Use incognito.
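Added example, not from the slides: a small detector for the ETag respawn described above. It takes captured responses from several fresh browser profiles (constructed sample data here, not live traffic) and flags a resource whose identical bytes come back with a different ETag per profile.

```python
"""Flag ETag values that behave like session ids rather than cache validators."""
import hashlib
from collections import defaultdict


def classify_etags(captures):
    """captures: (profile, body, etag) triples from 200 responses to ONE url, where
    every profile is a fresh browser (empty cache, no cookies, no If-None-Match).
    A validator derived from the content (hash, size/mtime) is identical for every
    profile; identical bytes coming back with a different ETag per profile means
    the server minted a per-visitor value, i.e. the respawn trick from the slides.
    Caveat: a pool of backends with inconsistent ETag schemes also trips this, so
    treat a hit as something to verify by hand rather than as proof."""
    etags_by_body = defaultdict(set)
    for profile, body, etag in captures:
        etags_by_body[hashlib.sha256(body).hexdigest()].add(etag)
    suspicious = {b: sorted(e) for b, e in etags_by_body.items() if len(e) > 1}
    return {"bodies": len(etags_by_body),
            "per_profile_etags": suspicious,
            "likely_tracking": bool(suspicious)}


# Constructed sample captures (not real traffic): four fresh profiles, one pixel.
PIXEL = b"GIF89a\x01\x00\x01\x00"
CONTENT_ETAG = '"' + hashlib.sha256(PIXEL).hexdigest()[:12] + '"'
TRACKING = [("p1", PIXEL, '"a91f3c"'), ("p2", PIXEL, '"0b7e21"'),
            ("p3", PIXEL, '"5dd04a"'), ("p4", PIXEL, '"e3c7b8"')]
HONEST = [(p, PIXEL, CONTENT_ETAG) for p in ("p1", "p2", "p3", "p4")]

if __name__ == "__main__":
    print(classify_etags(TRACKING))   # likely_tracking: True
    print(classify_etags(HONEST))     # likely_tracking: False
```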
HSTS cookie
How can it be defeated?
1. Use incognito.
DNS cookies
See which requests are sent to the DNS server and then measure them. http://dnscookie.com/
How can it be defeated?
1. VPN / TOR
2. Clear the DNS cache
Track method 3:
IP
LAAAMMMMEEEE
How can it be defeated?
1. VPN / TOR
Track method 4:
WebRTC
WebRTC exposes Internal IP
1. ifconfig | grep "inet " | grep -v 127.0.0.1
2. https://ip.voidsec.com/
How can it be defeated?
1. VPN / TOR + Disable WebRTC
Track method 5:
Fingerprinting
https://amiunique.org/fp
How it is being used
1. Gather the info
2. Create hash
3. Implement it
How can it be defeated?
1. No current way.
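Added example, not from the slides: the "gather the info, create hash" steps above, plus the measurement behind sites like amiunique.org. It computes how many bits of identifying information each attribute and the combined hash carry over a population; the population is constructed here, not measured, and the four attributes are an assumed subset of what real fingerprinters collect.

```python
"""How identifying is a fingerprint? Entropy per attribute and for the combined hash."""
import hashlib
import math
from collections import Counter

ATTRS = ("user_agent", "timezone", "screen", "fonts")


def fingerprint(profile):
    """'Gather the info, create hash': concatenate the attributes and hash them."""
    raw = "|".join(str(profile[a]) for a in ATTRS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits (0 = everyone looks alike)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def attribute_report(population):
    """Entropy of each attribute and of the combined hash over a population, plus the
    share of browsers whose hash is unique. For defenders it shows which attribute
    to normalise first: the combined hash can be unique even when no single
    attribute is, which is why the slides say there is no current way to beat it."""
    report = {a: entropy_bits([p[a] for p in population]) for a in ATTRS}
    hashes = [fingerprint(p) for p in population]
    report["combined"] = entropy_bits(hashes)
    report["unique_fraction"] = sum(1 for c in Counter(hashes).values() if c == 1) / len(population)
    return report


def make_profile(ua, tz, screen, fonts):
    return {"user_agent": ua, "timezone": tz, "screen": screen, "fonts": fonts}


# Constructed population (8 browsers, not measured data): timezone shared by all,
# user agent split 4/4, screens 6/2, font lists mostly unique.
POPULATION = [
    make_profile("Chrome/120", "UTC+2", "1920x1080", "Arial,Calibri"),
    make_profile("Chrome/120", "UTC+2", "1920x1080", "Arial,Tahoma"),
    make_profile("Chrome/120", "UTC+2", "1920x1080", "Arial,Verdana"),
    make_profile("Chrome/120", "UTC+2", "1366x768", "Arial,Calibri"),
    make_profile("Firefox/121", "UTC+2", "1920x1080", "Arial,Cambria"),
    make_profile("Firefox/121", "UTC+2", "1920x1080", "Arial,Georgia"),
    make_profile("Firefox/121", "UTC+2", "1920x1080", "Arial,Courier"),
    make_profile("Firefox/121", "UTC+2", "1366x768", "Arial,Calibri"),
]

if __name__ == "__main__":
    for key, bits in attribute_report(POPULATION).items():
        print(f"{key:16s} {bits:.3f}")
```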
Track method 6:
Social Fingerprinting
https://robinlinus.github.io/socialmedia-leak/
How can it be defeated?
1. Use incognito.
Track method 7:
Password tracking
https://senglehardt.com/demo/no_boundaries/loginmanager/index.html
How can it be defeated?
1. No actual way, sorry guys.
Remember
Only one breach is needed
Ran Bar-Zik : @barzik
▪ Follow me on Twitter, FB, Telegram
▪ My website: internet-israel.com
▪ Also at Haaretz