Cookie Crumbs and Unwelcome JavaScript: Evaluating the hidden privacy threats posed by the “mashed-up” web

Abstract

Abstract Many modern websites are built on a "mash-up" of numerous web technologies and libraries. This combined with the ubiquity of third-party web tracking can open up a user to an increasingly large array of threats to her privacy from many angles. Our paper evaluates how the structure of the web can enable new forms of privacy violation and measures these new threats’ severity. In this paper, we first define a novel form of passive network surveillance we term "cookie linking." Through this method an eavesdropper observing a user’s HTTP tracking cookies on a network can transitively link shared pseudonymous cookies to reconstruct that user’s web browsing history, even if IP varies across time. Using simulated browsing profiles we find that an eavesdropper can reconstruct over 90% of a user’s past tracker-bearing web page visits through cookie linking. The privacy implications of cookie linking are made more acute by the prevalence of identity leakage. In a survey of top websites we find that over half of those sites leak the identity of logged-in users to an eavesdropper in unencrypted traffic. Thus the eavesdropper both identifies a user and uncovers a majority of her web history through passive means. Second, we evaluate how the third-party JavaScript-handling practices of popular sites further exposes users to potential privacy violations. We measure what sensitive information malicious third-party JavaScript can exfiltrate to a malicious server. We find that third-party JavaScript is very often permitted to execute in unsupervised environments, where it is free to collect everything from user cookies to keystrokes. Thus, many sites allow compromised third-party JavaScript to threaten a user’s privacy. The most effective method of preventing the above privacy violations is through blocking thirdparties on websites, often done via a browser plug-in. These may limit a site’s functionality, however, leaving users without a satisfactory option to protect themselves.