I wish I could quit you, but cookies find a way: How to sidestep browser tracking protections

Chrome, Safari, Opera, Tor Browser at risk to varying degrees

Browsers' built-in tools that crumble web cookies that track you around the internet can be bypassed or rendered ineffective by malicious websites.

In a paper presented at the USENIX Security Symposium this week, a trio of researchers from KU Leuven in Belgium describe how they developed a framework to analyze the enforcement of browser-based policies governing third-party requests.

First-party requests refer to network requests for resources – text, images, videos, and the like – from the domain associated with the visited website. Third-party requests refer to network requests for resources from websites other than the one displayed in the browser address bar. When websites run ads, they generally include code that makes third-party requests to ad servers.

Modern browsers attach cookies to both first- and third-party requests, and that opens the door to security risks, such as cross-site request forgery and cross-site script inclusion, and to privacy abuse, such as third-party tracking.

To mitigate these threats, browsers implement policies that disallow certain behavior. For example, a website developer can set the SameSite attribute on a cookie to indicate that it should accompany only first-party requests. Other examples include the tracking protection modes offered by Firefox and Safari, and browser extensions that try to restrict third-party cookies.
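As an added illustration of the policy just described (this is not code from the paper or from any browser), here is a small JavaScript model of how a browser decides whether a cookie rides along with a request, keyed on the cookie's SameSite attribute. It substitutes a toy registrable-domain function for the real Public Suffix List, and it compares two policies: the 2018-era default, where a cookie with no SameSite attribute is sent everywhere, and the Lax-by-default rule Chromium adopted in 2020. The policy objects, the `initiatorSite` field and the hard-coded suffix list are assumptions made for the example.

```javascript
'use strict';

// Toy "site" computation. A real browser consults the Public Suffix List;
// this hard-codes two multi-label suffixes and otherwise keeps the last two
// labels. Simplification made for the example, not how any browser does it.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au']);

function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  const tail = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(tail) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Two policies to compare (assumed names): the 2018-era default, where a
// cookie with no SameSite attribute behaves like SameSite=None, and the
// Lax-by-default behaviour Chromium shipped in 2020, where an unspecified
// attribute means Lax and SameSite=None is only honoured on Secure cookies.
const LEGACY_POLICY = { unspecifiedAs: 'None', noneRequiresSecure: false };
const LAX_BY_DEFAULT_POLICY = { unspecifiedAs: 'Lax', noneRequiresSecure: true };

// cookie:  { name, value, sameSite?: 'Strict'|'Lax'|'None', secure: boolean }
// request: { url, method, initiatorSite, navigation }
//   initiatorSite: host of the document that triggered the request, i.e. the
//   site in the address bar for images, iframes and XHR, or the referring
//   page for a top-level navigation.
function cookieIsSent(cookie, request, policy = LEGACY_POLICY) {
  const target = new URL(request.url);
  if (cookie.secure && target.protocol !== 'https:') return false;
  // First-party request: the cookie is always eligible.
  if (isSameSite(target.hostname, request.initiatorSite)) return true;
  const mode = cookie.sameSite || policy.unspecifiedAs;
  switch (mode) {
    case 'Strict':
      return false;                       // never on a cross-site request
    case 'Lax':                           // only on safe top-level navigations
      return request.navigation === true && SAFE_METHODS.has(request.method.toUpperCase());
    case 'None':
      return !(policy.noneRequiresSecure && !cookie.secure);
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// Stand-alone demo: a tracker's cookie on a cross-site <img> request, plus a
// few navigation cases, under both policies.
function demo() {
  const tracker = { name: 'id', value: '42', secure: true };   // no SameSite
  const img = { url: 'https://third-party.com/leak', method: 'GET',
                initiatorSite: 'example.com', navigation: false };
  const cases = [
    ['unspecified, <img> from example.com', tracker, img],
    ['Lax, top-level GET navigation', { ...tracker, sameSite: 'Lax' }, { ...img, navigation: true }],
    ['Lax, top-level POST navigation', { ...tracker, sameSite: 'Lax' }, { ...img, navigation: true, method: 'POST' }],
    ['Strict, top-level GET navigation', { ...tracker, sameSite: 'Strict' }, { ...img, navigation: true }],
  ];
  for (const [label, c, r] of cases) {
    console.log(label.padEnd(38),
      'legacy:', cookieIsSent(c, r, LEGACY_POLICY),
      'lax-by-default:', cookieIsSent(c, r, LAX_BY_DEFAULT_POLICY));
  }
}

demo();
```

The first case is the one that matters for tracking: a third party's cookie with no SameSite attribute accompanies a cross-site image request under the legacy policy and does not under Lax-by-default, which is exactly the gap the SameSite attribute (and, later, the changed default) was meant to close.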

Gaps in the system

The boffins from Belgium – Gertjan Franken, Tom Van Goethem and Wouter Joosen – used their testing framework and found that for 7 browsers, 31 ad blocking extensions and 15 anti-tracking extensions, the defenses put in place to prevent cookie abuse have gaps. Their test data is available on a website associated with their paper.

"Overall, we found that browser implementations exhibited a highly inconsistent behavior with regard to enforcing policies on third-party requests, resulting in a high number of bypasses," they state in their paper.

A number of the issues identified qualify as bugs, which the researchers reported to the affected vendors. For example, they found that the option to block third-party cookies in Microsoft's Edge browser simply didn't work.

"For Edge, we found that, surprisingly, the option to block third-party cookies had no effect: all cookies that were sent in the instance with default settings, were also sent in the instance with custom settings," the paper says.

An Edge bug report was supposedly filed about this issue but the associated URL returns a page not found error.
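The comparison quoted above, a run with default settings against a run with the blocking option enabled, is the core of the researchers' measurement. As an added example (mine, not the KU Leuven framework), the following JavaScript runs that differential check over a constructed server log. The log format, the `/leak` endpoint, the vector names and the browser rows are all made up for illustration: the "edge" rows mirror the no-effect pattern the paper describes, while the "chrome" rows are invented to show what a partial bypass looks like in the output and are not a result from the paper.

```javascript
'use strict';

// Constructed access-log excerpt (not the researchers' data). The test page
// embeds the third-party origin through several request vectors, once with
// the browser's default settings and once with "block third-party cookies"
// enabled. The server logs the Cookie header it received, "-" when none.
const LOG = `
2018-08-15T10:00:01Z GET /leak?browser=edge&config=default&vector=img cookie="id=42"
2018-08-15T10:00:01Z GET /leak?browser=edge&config=default&vector=iframe cookie="id=42"
2018-08-15T10:00:02Z GET /leak?browser=edge&config=block3p&vector=img cookie="id=42"
2018-08-15T10:00:02Z GET /leak?browser=edge&config=block3p&vector=iframe cookie="id=42"
2018-08-15T10:00:03Z GET /leak?browser=chrome&config=default&vector=img cookie="id=42"
2018-08-15T10:00:03Z GET /leak?browser=chrome&config=default&vector=iframe cookie="id=42"
2018-08-15T10:00:03Z POST /leak?browser=chrome&config=default&vector=pdf-js cookie="id=42"
2018-08-15T10:00:04Z GET /leak?browser=chrome&config=block3p&vector=img cookie="-"
2018-08-15T10:00:04Z GET /leak?browser=chrome&config=block3p&vector=iframe cookie="-"
2018-08-15T10:00:04Z POST /leak?browser=chrome&config=block3p&vector=pdf-js cookie="id=42"
`;

const LINE_RE = /^(\S+) (GET|POST|HEAD) (\S+) cookie="([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;                          // blank or malformed line: skip
  const [, ts, method, target, cookie] = m;
  // The base host is only needed so URL() can parse a bare path; assumed name.
  const q = new URL(target, 'https://third-party.example').searchParams;
  return {
    ts,
    method,
    browser: q.get('browser'),
    config: q.get('config'),
    vector: q.get('vector'),
    cookieSent: cookie !== '-' && cookie !== '',
  };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// browser -> config -> Set of vectors whose request carried the cookie.
function vectorsWithCookie(records) {
  const idx = new Map();
  for (const r of records) {
    if (!idx.has(r.browser)) idx.set(r.browser, new Map());
    const byConfig = idx.get(r.browser);
    if (!byConfig.has(r.config)) byConfig.set(r.config, new Set());
    if (r.cookieSent) byConfig.get(r.config).add(r.vector);
  }
  return idx;
}

// A vector that still carries the cookie with the blocking option on is a
// bypass. If the blocking run leaks exactly the vectors the default run
// leaked, the option has no observable effect at all (the Edge symptom
// quoted above).
function findBypasses(records, { baseline = 'default', blocking = 'block3p' } = {}) {
  const report = {};
  for (const [browser, byConfig] of vectorsWithCookie(records)) {
    const leakedByDefault = [...(byConfig.get(baseline) || [])].sort();
    const bypasses = [...(byConfig.get(blocking) || [])].sort();
    report[browser] = {
      bypasses,
      settingHasNoEffect:
        leakedByDefault.length > 0 && leakedByDefault.join(',') === bypasses.join(','),
    };
  }
  return report;
}

console.log(JSON.stringify(findBypasses(parseLog(LOG)), null, 2));
```

The design point is that the server, not the browser, is the oracle: the only trustworthy evidence that a policy held is the absence of the cookie on the wire, which is why the framework needs a run per configuration per vector rather than a reading of the browser's settings page.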

For Firefox, the researchers found that the browser's Tracking Protection can be bypassed to allow cross-site requests to blacklisted domains and that requests initiated by the deprecated AppCache API can't easily be distinguished from requests coming from browser background processes, making such requests difficult to block.

Mozilla engineers are working on the Tracking Protection bug and have decided not to fix the AppCache issue because that API is being phased out.

Tor blimey, governor

Chrome, Safari and Opera all had issues too, as did the Tor browser. The Cliqz browser, a Firefox fork tuned for privacy, was tripped up by a data: URL used as the value of an img src attribute: the data: URL wraps an SVG document whose image element in turn references the third party, so the third-party request originates from inside the data: URL rather than directly from the page. The researchers suggest this confused the browser engine and prevented third-party cookies from being stripped.

Here's the offending code:

    <img src="data:image/svg+xml,
      <svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>
        <image xlink:href='https://third-party.com/leak'></image>
      </svg>">

The same held true for the ad blocking and anti-tracking extensions tested – a group that includes AdBlock Plus, Disconnect, Ghostery, and uBlock Origin, among others. For each one, there was at least one way to bypass promised protection.

The researchers also expressed concern about the way some browsers, specifically Chrome and Opera, use the PDFium reader to render PDFs inside the browser. PDFium is packaged as a built-in extension, and third-party requests triggered by JavaScript code embedded in a PDF were sent with the user's cookies attached, outside the reach of the blocking measures the researchers tested.

"Because PDFs can be included in iframes, and thus made invisible to the end user, and because it can be used to send authenticated POST requests, this bypass technique could be used to track users or perform cross-site attacks without raising the attention of the victim," they observe in their paper.

At the time they disclosed the issue, PDFium only sent requests and wasn't set up to hand response data back to the PDF's script. However, the researchers spotted a placeholder comment in the Chromium PDF handling source code indicating the intent to return a response, which would open the door to cross-site script inclusion and cross-site timing attacks.

Back in March, when Google's engineers were discussing the researchers' bug report, it appeared the issue might not be easy to fix. Google software engineer Robert Cronin explained that PDFium qualifies as an extension even though it is built into the browser, and extensions cannot modify other extensions for security reasons. The only real workaround at the time was to use a different PDF rendering tool.

But after some back and forth, it was decided that a user's decision to block JavaScript in the browser should carry over to PDFs displayed in the browser and a patch landed in late May.

The KU Leuven trio argues that their findings demonstrate the need to continually test browsers as new features get added to ensure that privacy promises conform with capabilities. ®