Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.14279/31089
Title: Cookie swap party: Abusing first-party cookies for web tracking
Authors: Chen, Quan 
Ilia, Panagiotis 
Polychronakis, Michalis 
Kapravelos, Alexandros 
Major Field of Science: Engineering and Technology
Field Category: Electrical Engineering - Electronic Engineering - Information Engineering
Keywords: High level languages;Web browsers;Websites;Dynamic data;Javascript;Large-scale studies;Third parties;Tracking capability;User privacy;User tracking;HTTP
Issue Date: 19-Apr-2021
Source: 2021 World Wide Web Conference, WWW 2021, Ljubljana, 19 - 23 April 2021
Conference: The Web Conference 2021 - Proceedings of the World Wide Web Conference, WWW 2021 
Abstract: As a step towards protecting user privacy, most web browsers perform some form of third-party HTTP cookie blocking or periodic deletion by default, while users typically have the option to select even stricter blocking policies. As a result, web trackers have shifted their efforts to work around these restrictions and retain or even improve the extent of their tracking capability. In this paper, we shed light into the increasingly used practice of relying on first-party cookies that are set by third-party JavaScript code to implement user tracking and other potentially unwanted capabilities. Although unlike third-party cookies, first-party cookies are not sent automatically by the browser to third-parties on HTTP requests, this tracking is possible because any included third-party code runs in the context of the parent page, and thus can fully set or read existing first-party cookies - which it can then leak to the same or other third parties. Previous works that survey user privacy on the web in relation to cookies, third-party or otherwise, have not fully explored this mechanism. To address this gap, we propose a dynamic data flow tracking system based on Chromium to track the leakage of first-party cookies to third parties, and used it to conduct a large-scale study of the Alexa top 10K websites. In total, we found that 97.72% of the websites have first-party cookies that are set by third-party JavaScript, and that on 57.66% of these websites there is at least one such cookie that contains a unique user identifier that is diffused to multiple third parties. Our results highlight the privacy-intrusive capabilities of first-party cookies, even when a privacy-savvy user has taken mitigative measures such as blocking third-party cookies, or employing popular crowd-sourced filter lists such as EasyList/EasyPrivacy and the Disconnect list.
URI: https://hdl.handle.net/20.500.14279/31089
ISBN: 9781450383127
DOI: 10.1145/3442381.3449837
Rights: © ACM
Attribution-NonCommercial-NoDerivatives 4.0 International
Type: Conference Papers
Affiliation : North Carolina State University 
University of Illinois at Chicago 
Stony Brook University 
Appears in Collections:Δημοσιεύσεις σε συνέδρια /Conference papers or poster or presentation

CORE Recommender
Show full item record

SCOPUSTM   
Citations

16
checked on Mar 14, 2024

Page view(s)

89
Last Week
1
Last month
8
checked on Nov 21, 2024

Google ScholarTM

Check

Altmetric


This item is licensed under a Creative Commons License Creative Commons