Mir Masood Ali (University of Illinois Chicago), Binoy Chitale (Stony Brook University), Mohammad Ghasemisharif (University of Illinois Chicago), Chris Kanich (University of Illinois Chicago), Nick Nikiforakis (Stony Brook University), Jason Polakis (University of Illinois Chicago)

Modern web browsers constitute complex application platforms with a wide range of APIs and features. Critically, this includes a multitude of heterogeneous mechanisms that allow sites to store information that explicitly or implicitly alters client-side state or functionality. This behavior implicates any browser storage, cache, access control, and policy mechanism as a potential tracking vector. As demonstrated by prior work, tracking vectors can manifest through elaborate behaviors and exhibit varying characteristics that differ vastly across different browsing
contexts. In this paper we develop CanITrack, an automated, mechanism-agnostic framework for testing browser features and uncovering novel tracking vectors. Our system is designed for facilitating browser vendors and researchers by streamlining the systematic testing of browser mechanisms. It accepts methods to read and write entries for a mechanism and calls these methods across different browsing contexts to determine any potential tracking vulnerabilities that the mechanism may expose. To demonstrate our system’s capabilities we test 21 browser mechanisms and uncover a slew of tracking vectors, including 13 that enable third-party tracking and two that bypass the isolation offered by private browsing modes. Importantly, we show how two separate mechanisms from Google’s highly-publicized and widely-discussed Privacy Sandbox initiative can be leveraged for tracking. Our experimental findings have resulted in 20 disclosure reports across seven major browsers, which have set remediation efforts in motion. Overall, our study highlights the complex and formidable challenge that browsers currently face when trying to balance the adoption of new features and protecting the privacy of their users, as well as the potential benefit of incorporating CanITrack into their internal testing pipeline.

View More Papers

Ethical Challenges in Blockchain Network Measurement Research

Yuzhe Tang (Syracuse University), Kai Li (San Diego State University), and Yibo Wang and Jiaqi Chen (Syracuse University)

Read More

Applying Accessibility Metrics to Measure the Threat Landscape for...

John Breton, AbdelRahman Abdou (Carleton University)

Read More

ProbFlow : Using Probabilistic Programming in Anonymous Communication Networks

Hussein Darir (University of Illinois Urbana-Champaign), Geir Dullerud (University of Illinois Urbana-Champaign), Nikita Borisov (University of Illinois Urbana-Champaign)

Read More

Breaking and Fixing Virtual Channels: Domino Attack and Donner

Lukas Aumayr (TU Wien), Pedro Moreno-Sanchez (IMDEA Software Institute), Aniket Kate (Purdue University / Supra), Matteo Maffei (Christian Doppler Laboratory...

Read More