Dirty Clicks: A Study of the Usability and Security Implications of Click-related Behaviors on the Web

Sánchez-Rola, Iskander; Balzarotti, Davide; Kruegel, Christopher; Vigna, Giovanni; Santos, Igor

doi:10.1145/3366423.3380124

Cited by 8 publications

(3 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The crawler is fed with the aforementioned domains list, loads the corresponding web pages, and then recursively accesses three random pages from each domain, up to a distance of three clicks from the initial main page. This results in up to 13 different pages per domain, mimicking the configuration used in other privacy-related studies [20]. To avoid the detection of our automated browser by bot detectors, we implemented the most recently-proposed methods [21,22,23].…”

Section: A the Analysis Platformmentioning

confidence: 99%

Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships

Sánchez-Rola

Dell’Amico

Balzarotti

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Web pages have been steadily increasing in complexity over time, including code snippets from several distinct origins and organizations. While this may be a known phenomenon, its implications on the panorama of cookie tracking received little attention until now. Our study focuses on filling this gap, through the analysis of crawl results that are both large-scale and finegrained, encompassing the whole set of events that lead to the creation and sharing of around 138 million cookies from crawling more than 6 million webpages.Our analysis lets us paint a highly detailed picture of the cookie ecosystem, discovering an intricate network of connections between players that reciprocally exchange information and include each other's content in web pages whose owners may not even be aware. We discover that, in most webpages, tracking cookies are set and shared by organizations at the end of complex chains that involve several middlemen. We also study the impact of cookie ghostwriting, i.e., a common practice where an entity creates cookies in the name of another party, or the webpage.We attribute and define a set of roles in the cookie ecosystem, related to cookie creation and sharing. We see that organizations can and do follow different patterns, including behaviors that previous studies could not uncover: for example, many cookie ghostwriters send cookies they create to themselves, which makes them able to perform cross-site tracking even for users that deleted third-party cookies in their browsers. While some organizations concentrate the flow of information on themselves, others behave as dispatchers, allowing other organizations to perform tracking on the pages that include their content.

show abstract

Section: A the Analysis Platformmentioning

confidence: 99%

Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships

Sánchez-Rola

Dell’Amico

Balzarotti

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Such crawlers were often deployed in large-scale scans to discover privacy leakages around the web, often using either the Tranco or the Alexa [2] top domain datasets as inputs. The resulting studies measured privacy leakages found in email tracking [21], link tracking [66], third-party cookies [67] (used on 70% of sites for tracking purposes), the ad ecosystem [23], HTTP headers [35], contact forms [72] (where 2.5% of the total number of contact forms leaked the user's PII through the URL query string), and registration forms [9]. Many other crawls characterized privacy leakages (often by looking at domains of third-party requests) more broadly on the web [3,34,38,39,69], or in specific sectors such as adult websites [44,76], health websites [37], online collaboration services [31], and the financial sector [65].…”

Section: Related Workmentioning

confidence: 99%

Who Knows I Like Jelly Beans? An Investigation Into Search Privacy

Sharif

Silva

Roturier

2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Internal site search is an integral part of how users navigate modern sites, from restaurant reservations to house hunting to searching for medical solutions. Search terms on these sites may contain sensitive information such as location, medical information, or sexual preferences; when further coupled with a user’s IP address or a browser’s user agent string, this information can become very specific, and in some cases possibly identifying. In this paper, we measure the various ways by which search terms are sent to third parties when a user submits a search query. We developed a methodology for identifying and interacting with search components, which we implemented on top of an instrumented headless browser. We used this crawler to visit the Tranco top one million websites and analyzed search term leakage across three vectors: URL query parameters, payloads, and the Referer HTTP header. Our crawler found that 512,701 of the top 1 million sites had internal site search. We found that 81.3% of websites containing internal site search sent (or leaked from a user’s perspective) our search terms to third parties in some form. We then compared our results to the expected results based on a natural language analysis of the privacy policies of those leaking websites (where available) and found that about 87% of those privacy policies do not mention search terms explicitly. However, about 75% of these privacy policies seem to mention the sharing of some information with third-parties in a generic manner. We then present a few countermeasures, including a browser extension to warn users about imminent search term leakage to third parties. We conclude this paper by making recommendations on clarifying the privacy implications of internal site search to end users.

show abstract

“…This action is risky because the user can click in dangerous elements when browsing some websites. [85] shows that these dangerous situations are extremely common in all types of domains, which makes a large number of users vulnerable to different possible attacks. Furthermore, in section II click related problems have been explained.…”

Section: ) General Questionsmentioning

confidence: 99%

Web Augmentation as a Technique to Diminish User Interactions in Repetitive Tasks

2021

View full text Add to dashboard Cite

The use of the World Wide Web has experienced extraordinary growth in the last decades. The Web has become the main source of information for millions of users. The number of websites offering content to users is countless. In order to personalise information according to their needs, users often have to visit multiple, unconnected pages. Users perform a number of actions to collect that information that requires concentration. If the number of Web resources is large, the activity becomes unpleasant. The problem increases when these tasks are performed frequently and repetitively. These tasks are time-consuming and lead users to experience frustration and disorientation during the activity, causing a loss of concentration that prolongs the activity over time. Web Augmentation combines different Web technologies to improve user experience on existing pages by adding content from different pages among other benefits. This article proposes Web Augmentation as a technique to reduce user interactions in repetitive tasks. To support the proposal, the paper introduces Excore, a browser extension for Web Augmentation that allows end-users to add content from different resources automatically. The article presents the benefits introduced by this approach as a response to the drawbacks experienced by users while performing their activities on the Web. The architecture of the platform and its operations are described by means of an example. A double evaluation of the extension is addressed, one qualitative and one quantitative. The results show that Excore reduces the number of interactions by 94.45% and the time to complete a task by 80.75%.

show abstract

Dirty Clicks: A Study of the Usability and Security Implications of Click-related Behaviors on the Web

Cited by 8 publications

References 19 publications

Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships

Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships

Who Knows I Like Jelly Beans? An Investigation Into Search Privacy

Web Augmentation as a Technique to Diminish User Interactions in Repetitive Tasks

Contact Info

Product

Resources

About