
2020 | OriginalPaper | Book chapter

You Shall Not Register! Detecting Privacy Leaks Across Registration Forms

Authors: Manolis Chatzimpyrros, Konstantinos Solomos, Sotiris Ioannidis

Published in: Computer Security

Publisher: Springer International Publishing


Abstract

Most modern web services let users register via dedicated registration pages, typically so that registered users can access more content or privileged items. On these pages, users are typically asked to provide their names, email addresses, phone numbers and other personal information in order to create an account. As the purpose of the tracking ecosystem is to collect as much information and data about the user as possible, this kind of Personally Identifiable Information (PII) might leak to 3rd parties when users fill in the registration forms. In this work, we conduct a large-scale measurement analysis of PII leakage via the registration pages of the 200,000 most popular websites. We design and implement a scalable and easily replicable methodology for detecting and filling in registration forms in an automated way. Our analysis shows that a number of websites (\(\approx\)5%) leak PII to 3rd-party trackers without the user's consent, in a non-transparent fashion. Furthermore, we explore the techniques employed by 3rd parties to harvest users' data, and we highlight the implications for user privacy.


Footnotes

1. By corpus we describe the set of sites that we successfully visited and whose registration forms we identified and filled in.

2. The description on their site contains the terms: visual way to understand your users, scrolling heatmaps, eye tracking, scroll heatmaps, replicate.

Metadata
Title
You Shall Not Register! Detecting Privacy Leaks Across Registration Forms
Authors
Manolis Chatzimpyrros
Konstantinos Solomos
Sotiris Ioannidis
Copyright year
2020
DOI
https://doi.org/10.1007/978-3-030-42051-2_7