-
Data Exfiltration by Hotjar Revisited
Authors:
Libor Polčák,
Alexandra Slezáková
Abstract:
Session replay scripts allow website owners to record the interaction of each web site visitor and aggregate the interaction to reveal the interests and problems of the visitors. However, previous research identified such techniques as privacy intrusive. This position paper updates the information on data collection by Hotjar. It revisits the previous findings to detect and describe the changes. T…
▽ More
Session replay scripts allow website owners to record the interaction of each web site visitor and aggregate the interaction to reveal the interests and problems of the visitors. However, previous research identified such techniques as privacy intrusive. This position paper updates the information on data collection by Hotjar. It revisits the previous findings to detect and describe the changes. The default policy to gather inputs changed; the recording script gathers only information from explicitly allowed input elements. Nevertheless, Hotjar does record content reflecting users' behaviour outside input HTML elements. Even though we propose changes that would prevent the leakage of the reflected content, we argue that such changes will most likely not appear in practice. The paper discusses improvements in handling TLS. Not only do web page operators interact with Hotjar through encrypted connections, but Hotjar scripts do not work on sites not protected by TLS. Hotjar respects the Do Not Track signal; however, users need to connect to Hotjar even in the presence of the Do Not Track setting. Worse, malicious web operators can trick Hotjar into recording sessions of users with the active Do Not Track setting. Finally, we propose and motivate the extension of GDPR Art. 25 obligations to processors.
△ Less
Submitted 20 September, 2023;
originally announced September 2023.
-
Data Protection and Security Issues With Network Error Logging
Authors:
Libor Polčák,
Kamil Jeřábek
Abstract:
Network Error Logging helps web server operators detect operational problems in real-time to provide fast and reliable services. This paper analyses Network Error Logging from two angles. Firstly, this paper overviews Network Error Logging from the data protection view. The ePrivacy Directive requires consent for non-essential access to the end devices. Nevertheless, the Network Error Logging desi…
▽ More
Network Error Logging helps web server operators detect operational problems in real-time to provide fast and reliable services. This paper analyses Network Error Logging from two angles. Firstly, this paper overviews Network Error Logging from the data protection view. The ePrivacy Directive requires consent for non-essential access to the end devices. Nevertheless, the Network Error Logging design does not allow limiting the tracking to consenting users. Other issues lay in GDPR requirements for transparency and the obligations in the contract between controllers and processors of personal data. Secondly, this paper explains Network Error Logging exploitations to deploy long-time trackers to the victim devices. Even though users should be able to disable Network Error Logging, it is not clear how to do so. Web server operators can mitigate the attack by configuring servers to preventively remove policies that adversaries might have added.
△ Less
Submitted 9 May, 2023;
originally announced May 2023.
-
Network Error Logging: HTTP Archive Analysis
Authors:
Kamil Jeřábek,
Libor Polčák
Abstract:
Network Error Logging helps web server operators detect operational problems in real-time to provide fast and reliable services. HTTP Archive provides detail information of historical data on HTTP requests. This paper leverages the data and provides a long term analysis of Network Error Logging deployment. The deployment raised from 0 to 11.73 % (almost 2,250,000 unique domains) since 2019. Curren…
▽ More
Network Error Logging helps web server operators detect operational problems in real-time to provide fast and reliable services. HTTP Archive provides detail information of historical data on HTTP requests. This paper leverages the data and provides a long term analysis of Network Error Logging deployment. The deployment raised from 0 to 11.73 % (almost 2,250,000 unique domains) since 2019. Current deployment is dominated by Cloudflare. Although we observed different policies, the default settings prevail. Third party collectors emerge raising the diversity needed to gather sound data. Even so, many service deploy self-hosted services. Moreover, we identify potentially malicious adversaries deploy collectors on randomly-generated domains and shortened URLs.
△ Less
Submitted 2 May, 2023;
originally announced May 2023.
-
JShelter: Give Me My Browser Back
Authors:
Libor Polčák,
Marek Saloň,
Giorgio Maone,
Radek Hranický,
Michael McMahon
Abstract:
The web is used daily by billions. Even so, users are not protected from many threats by default. This position paper builds on previous web privacy and security research and introduces JShelter, a webextension that fights to return the browser to users. Moreover, we introduce a library hel** with common webextension development tasks and fixing loopholes misused by previous research. JShelter f…
▽ More
The web is used daily by billions. Even so, users are not protected from many threats by default. This position paper builds on previous web privacy and security research and introduces JShelter, a webextension that fights to return the browser to users. Moreover, we introduce a library hel** with common webextension development tasks and fixing loopholes misused by previous research. JShelter focuses on fingerprinting prevention, limitations of rich web APIs, prevention of attacks connected to timing, and learning information about the device, the browser, the user, and surrounding physical environment and location. We discovered a loophole in the sensor timestamps that lets any page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. JShelter provides a fingerprinting report and other feedback that can be used by future security research and data protection authorities. Thousands of users around the world use the webextension every day.
△ Less
Submitted 5 May, 2023; v1 submitted 4 April, 2022;
originally announced April 2022.