DOI: 10.1145/3548606.3560641
Research article, open access

Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement

Published: 07 November 2022

Abstract

Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating" the victim to the ad network.
We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.


Cited By

  • (2024) Exploring covert third-party identifiers through external storage in the Android new era. Proceedings of the 33rd USENIX Conference on Security Symposium, 4535-4552. DOI: 10.5555/3698900.3699154. Online publication date: 14-Aug-2024.
  • (2023) CookieGraph: Understanding and Detecting First-Party Tracking Cookies. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 3490-3504. DOI: 10.1145/3576915.3616586. Online publication date: 15-Nov-2023.


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. ad networks
  2. targeted advertising
  3. tracking
  4. web privacy


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 646
  • Downloads (last 6 weeks): 43
Reflects downloads up to 28 Jan 2025
