Please use this identifier to cite or link to this item:
https://hdl.handle.net/20.500.14279/31089
Title: | Cookie swap party: Abusing first-party cookies for web tracking | Authors: | Chen, Quan Ilia, Panagiotis Polychronakis, Michalis Kapravelos, Alexandros |
Major Field of Science: | Engineering and Technology | Field Category: | Electrical Engineering - Electronic Engineering - Information Engineering | Keywords: | High level languages;Web browsers;Websites;Dynamic data;Javascript;Large-scale studies;Third parties;Tracking capability;User privacy;User tracking;HTTP | Issue Date: | 19-Apr-2021 | Source: | 2021 World Wide Web Conference, WWW 2021, Ljubljana, 19 - 23 April 2021 | Conference: | The Web Conference 2021 - Proceedings of the World Wide Web Conference, WWW 2021 | Abstract: | As a step towards protecting user privacy, most web browsers perform some form of third-party HTTP cookie blocking or periodic deletion by default, while users typically have the option to select even stricter blocking policies. As a result, web trackers have shifted their efforts to work around these restrictions and retain or even improve the extent of their tracking capability. In this paper, we shed light into the increasingly used practice of relying on first-party cookies that are set by third-party JavaScript code to implement user tracking and other potentially unwanted capabilities. Although unlike third-party cookies, first-party cookies are not sent automatically by the browser to third-parties on HTTP requests, this tracking is possible because any included third-party code runs in the context of the parent page, and thus can fully set or read existing first-party cookies - which it can then leak to the same or other third parties. Previous works that survey user privacy on the web in relation to cookies, third-party or otherwise, have not fully explored this mechanism. To address this gap, we propose a dynamic data flow tracking system based on Chromium to track the leakage of first-party cookies to third parties, and used it to conduct a large-scale study of the Alexa top 10K websites. In total, we found that 97.72% of the websites have first-party cookies that are set by third-party JavaScript, and that on 57.66% of these websites there is at least one such cookie that contains a unique user identifier that is diffused to multiple third parties. Our results highlight the privacy-intrusive capabilities of first-party cookies, even when a privacy-savvy user has taken mitigative measures such as blocking third-party cookies, or employing popular crowd-sourced filter lists such as EasyList/EasyPrivacy and the Disconnect list. | URI: | https://hdl.handle.net/20.500.14279/31089 | ISBN: | 9781450383127 | DOI: | 10.1145/3442381.3449837 | Rights: | © ACM Attribution-NonCommercial-NoDerivatives 4.0 International |
Type: | Conference Papers | Affiliation : | North Carolina State University University of Illinois at Chicago Stony Brook University |
Appears in Collections: | Δημοσιεύσεις σε συνέδρια /Conference papers or poster or presentation |
CORE Recommender
SCOPUSTM
Citations
16
checked on Mar 14, 2024
Page view(s)
92
Last Week
1
1
Last month
7
7
checked on Dec 25, 2024
Google ScholarTM
Check
Altmetric
This item is licensed under a Creative Commons License