How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A...
Transcript of How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A...
![Page 1: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/1.jpg)
How Tracking Companies Circumvented Ad Blockers Using WebSockets
Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson
Northeastern University
![Page 2: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/2.jpg)
Online Tracking
2
![Page 3: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/3.jpg)
Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
![Page 4: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/4.jpg)
Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions
![Page 5: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/5.jpg)
Online Tracking
Surge in online advertising (internet economy)
• Ad networks pour in billions of dollars.
• Value for their investment?
• Extensive tracking to serve targeted ads.
2
User concern over tracking
• Led to the proliferation of ad blocking extensions
Ad networks fight back
• E.g Using anti ad blocking scripts
![Page 6: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/6.jpg)
Google & Safari
• Google evaded Safari’s third-party cookie blocking policy (Jonathan Mayer)
• … by submitting a form in an invisible iFrame
• Google was fined $22.5M by FTC
3
![Page 7: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/7.jpg)
This Talk
How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers
using WebSockets
4
![Page 8: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/8.jpg)
This Talk
How Ad Networks leveraged a bug in Chrome API to bypass Ad Blockers
using WebSockets
4
1. What caused this?
2. How this bug was leveraged by ad networks?
![Page 9: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/9.jpg)
Web Sockets
5
![Page 10: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/10.jpg)
Web Sockets
5
HTTP/S
![Page 11: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/11.jpg)
Web Sockets
5
HTTP/S request
response
![Page 12: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/12.jpg)
Web Sockets
5
HTTP/S request
response
Chatting App
![Page 13: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/13.jpg)
Web Sockets
5
HTTP/S request
response
Chatting Appanything new?
![Page 14: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/14.jpg)
Web Sockets
5
HTTP/S request
response
Chatting Appanything new?
Web Socket
![Page 15: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/15.jpg)
Web Sockets
5
HTTP/S request
response
Chatting Appanything new?
Web Socketbidirectional
• Both client and server can send/receive data • This is a persistent connection
![Page 16: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/16.jpg)
Web Sockets
5
HTTP/S request
response
Chatting Appanything new?
Web Socketbidirectional
ws:// or wss://
• Both client and server can send/receive data • This is a persistent connection
![Page 17: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/17.jpg)
Ad Blockers
6
![Page 18: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/18.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
![Page 19: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/19.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
webRequest API
![Page 20: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/20.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
![Page 21: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/21.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule ListUsually borrowed from EasyList
![Page 22: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/22.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
url
Usually borrowed from EasyList
![Page 23: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/23.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
url
Usually borrowed from EasyList
![Page 24: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/24.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
url
Usually borrowed from EasyList
![Page 25: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/25.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
url
webRequest API
Usually borrowed from EasyList
![Page 26: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/26.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
Usually borrowed from EasyList
![Page 27: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/27.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed from EasyList
![Page 28: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/28.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed from EasyList
![Page 29: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/29.jpg)
Ad Blockers
6
• Chrome extension chrome.webRequest API• Extension can inspect / modify / drop outgoing requests
http://cnn.com/logo.jpegwebRequest API
Rule List
http://doubleclick.com/s1.js
url
webRequest API
url
Usually borrowed from EasyList
![Page 30: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/30.jpg)
AdBlock Evasion
7
![Page 31: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/31.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
webRequest API
![Page 32: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/32.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
webRequest API
![Page 33: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/33.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bugreported
webRequest API
![Page 34: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/34.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bugreported
Users report unblocked ads
webRequest API
![Page 35: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/35.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bugreported
Users report unblocked ads
Patch Finalized ( Landed)
webRequest API
![Page 36: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/36.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
Original bugreported
Users report unblocked ads
Patch Finalized ( Landed)
Chrome 58 released
webRequest API
![Page 37: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/37.jpg)
AdBlock Evasion
• Bug in
• ws/wss requests did not trigger the API
7
2012 2013 2014 2015 2016 2017 2018
* * * *
Original bugreported
Users report unblocked ads
Patch Finalized ( Landed)
Chrome 58 released* Represents when our crawls were done
webRequest API
![Page 38: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/38.jpg)
Data Crawling
8
![Page 39: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/39.jpg)
Data Crawling
8
100K websites sampled from Alexa
![Page 40: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/40.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
![Page 41: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/41.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
This means we know which resource included
which other resource
![Page 42: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/42.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
This means we know which resource included
which other resource
![Page 43: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/43.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
Detect A&A WebSockets
Mark web sockets which are used by
A&A domains
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
This means we know which resource included
which other resource
![Page 44: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/44.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
Detect A&A WebSockets
Mark web sockets which are used by
A&A domains
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
This means we know which resource included
which other resource
pub/ index.html
srv.ws ads/ script.js
ads/ frame.html
ads/ img_a.jpg
adnet/ data.ws
Example Inclusion Tree
![Page 45: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/45.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
Detect A&A WebSockets
Mark web sockets which are used by
A&A domains
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
This means we know which resource included
which other resource
pub/ index.html
srv.ws ads/ script.js
ads/ frame.html
ads/ img_a.jpg
adnet/ data.ws
Example Inclusion Tree
WebSocket
WebSocket
![Page 46: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/46.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
Detect A&A WebSockets
Mark web sockets which are used by
A&A domains
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
This means we know which resource included
which other resource
pub/ index.html
srv.ws ads/ script.js
ads/ frame.html
adnet/ data.ws
Example Inclusion Tree
WebSocket
WebSocket
![Page 47: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/47.jpg)
Data Crawling
8
100K websites sampled from Alexa Visit 15
links / website
Collected chains for all included resources
Filter all resources which end in web sockets
Filter WebSockets
Detect A&A WebSockets
Mark web sockets which are used by
A&A domains
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
This means we know which resource included
which other resource
pub/ index.html
ads/ script.js
ads/ frame.html
adnet/ data.ws
Example Inclusion Tree
WebSocket
![Page 48: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/48.jpg)
High-Level Numbers
9
![Page 49: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/49.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
Before Chrome 58
![Page 50: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/50.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
Before Chrome 58
After Chrome 58
![Page 51: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/51.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
Before Chrome 58
After Chrome 58
![Page 52: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/52.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
Before Chrome 58
After Chrome 58
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
![Page 53: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/53.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
Before Chrome 58
After Chrome 58
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
![Page 54: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/54.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
• # Initiators drop after Chrome 58 release.
Before Chrome 58
After Chrome 58
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
![Page 55: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/55.jpg)
High-Level Numbers
9
Crawl Dates %Websites with sockets
% Socketswith A&AInitiators
% Socketswith A&AReceivers
#Unique A&A
Initiators
#Unique A&A
ReceiversApr 02-05, 2017 2.1 60.6 73.7 75 16
Apr 11-16, 2017 2.4 61.3 74.6 63 18
May 07-12, 2017 1.6 60.2 69.7 19 15
Oct 12-16, 2017 2.5 63.4 63.7 23 18
• ~2% websites use web sockets.
• ~61 % sockets are initiated by A&A domains
• ~71 % sockets contact an A&A domain
• # Initiators drop after Chrome 58 release.
• Small but persistent A&A receivers.
Before Chrome 58
After Chrome 58
A&A = Advertising and Analytics e.g. DoubleClick, Criteo, Adnxs
![Page 56: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/56.jpg)
Initiators and Receivers
10
![Page 57: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/57.jpg)
Initiators and Receivers
10
Initiator ReceiverJavaScript
![Page 58: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/58.jpg)
Initiators and Receivers
10
Initiator Receiverws/s
JavaScript
![Page 59: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/59.jpg)
Initiators and Receivers
10
Initiator Receiverws/s
JavaScript
![Page 60: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/60.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
Top A&A Initiators
Initiator Receiverws/s
JavaScript
![Page 61: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/61.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
Top A&A Initiators
Initiator Receiverws/s
JavaScript
![Page 62: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/62.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
A&A Receiver #A&AInitiators
realtime 2733across 19intercom 16
disqus 13zopim 12hotjar 11feedjit 10
lockerdome 8inspectlet 6
smartsupp 4
Top A&A Initiators
Top A&A Receivers
Initiator Receiverws/s
JavaScript
![Page 63: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/63.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
A&A Receiver #A&AInitiators
realtime 2733across 19intercom 16
disqus 13zopim 12hotjar 11feedjit 10
lockerdome 8inspectlet 6
smartsupp 4
Top A&A Initiators
Top A&A Receivers
Initiator Receiverws/s
• Disqus provides comment board services.
JavaScript
![Page 64: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/64.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
A&A Receiver #A&AInitiators
realtime 2733across 19intercom 16
disqus 13zopim 12hotjar 11feedjit 10
lockerdome 8inspectlet 6
smartsupp 4
Top A&A Initiators
Top A&A Receivers
Initiator Receiverws/s
• Disqus provides comment board services.
• Zopim, Intercom, Smartsupp provide live chat services.
JavaScript
![Page 65: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/65.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
A&A Receiver #A&AInitiators
realtime 2733across 19intercom 16
disqus 13zopim 12hotjar 11feedjit 10
lockerdome 8inspectlet 6
smartsupp 4
Top A&A Initiators
Top A&A Receivers
Initiator Receiverws/s
• Disqus provides comment board services.
• Zopim, Intercom, Smartsupp provide live chat services.
• 33across & Lockerdome are advertising platforms.
JavaScript
![Page 66: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/66.jpg)
Initiators and Receivers
10
A&A Initiator #A&AReceivers
facebook 11google 11
doubleclick 9youtube 8addthis 8
hotjar 7googlesyndication 6
twitter 5sharethis 4
adnxs 3
A&A Receiver #A&AInitiators
realtime 2733across 19intercom 16
disqus 13zopim 12hotjar 11feedjit 10
lockerdome 8inspectlet 6
smartsupp 4
Top A&A Initiators
Top A&A Receivers
Initiator Receiverws/s
• Disqus provides comment board services.
• Zopim, Intercom, Smartsupp provide live chat services.
• 33across & Lockerdome are advertising platforms.
• Inspectlet & Hotjar are session replay services.
JavaScript
![Page 67: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/67.jpg)
Sent Items Over Web Sockets
11
![Page 68: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/68.jpg)
Sent Items Over Web Sockets
11
Cookie
IP
User IDs
Fingerprinting Variables
DOM
% Requests
0 20 40 60 80
WebSocketsHTTP/S
![Page 69: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/69.jpg)
Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
Cookie
IP
User IDs
Fingerprinting Variables
DOM
% Requests
0 20 40 60 80
WebSocketsHTTP/S
![Page 70: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/70.jpg)
Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets. 97% is 33across
Cookie
IP
User IDs
Fingerprinting Variables
DOM
% Requests
0 20 40 60 80
WebSocketsHTTP/S
![Page 71: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/71.jpg)
Sent Items Over Web Sockets
11
•Stateful Identifiers like Cookie and User IDs
• Fingerprinting data in ~3.4% WebSockets. 97% is 33across
• ~1.6% WebSockets sends the entire DOM to Hotjar, LuckyOrange, TruConversion
Cookie
IP
User IDs
Fingerprinting Variables
DOM
% Requests
0 20 40 60 80
WebSocketsHTTP/S
![Page 72: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/72.jpg)
12
Received Items Over Web Sockets
![Page 73: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/73.jpg)
12
Received Items Over Web SocketsHTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSocketsHTTP/S
![Page 74: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/74.jpg)
12
Received Items Over Web SocketsHTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSocketsHTTP/S
![Page 75: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/75.jpg)
12
Received Items Over Web SocketsHTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSocketsHTTP/S
![Page 76: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/76.jpg)
12
Received Items Over Web Sockets
Ads served from Lockerdome
HTML
JSON
JavaScript
Images
% Responses
0 10 20 30 40 50
WebSocketsHTTP/S
![Page 77: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/77.jpg)
Summary• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13
![Page 78: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/78.jpg)
Summary• ~67% of socket connections are initiated or received by A&A domains.
• Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released.
• The culprits:
• 33across was harvesting fingerprinting data.
• DOM exfiltration by HotJar, LuckyOrange, TruConversion
• Lockerdome downloaded URLs to serve ads.
• We need to keep up with the current practices of A&A companies.
13
![Page 79: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/79.jpg)
Backup Slides
![Page 80: How Tracking Companies Circumvented Ad Blockers Using ...%Websites with sockets % Sockets with A&A Initiators % Sockets with A&A Receivers #Unique A&A Initiators #Unique A&A Receivers](https://reader035.fdocuments.us/reader035/viewer/2022070821/5f21f6e6b4600924c80b8a26/html5/thumbnails/80.jpg)
Inclusion Chain
15
<html> <body>
<script src=“tracker/script.js” </script> <img src=“tracker/img.jpg”> </img>
<script src=“ads/script.js”> </script> <iframe src=“frame.html”>
<html> <body> <script src=“script_12.js”> </script> <img src=“img_a.jpg”> </img>
</body> </html> </iframe>
</body> </html>
pub/ index.html
tracker/ script.js
tracker/ img.jpg
ads/ script.js
ads/ frame.html
ads/ script_12.js
ads/ img_a.jpg
adnet/ data.ws
Source code for ads/script_12.js let ws = new WebSocket(“ws://adnet/data.ws”, …); ws.onopen = function (e) {ws.send(“…”);}
DOM Tree Inclusion Tree