Virtually every desktop browser and adblocker can have its ad-tracking privacy or security bypassed by at least one software technique, a new study has found.
Researchers from the Catholic University in Leuven devised a framework to test the effectiveness of protections offered by the Chrome, Firefox, Safari, Opera, Edge, Tor, and Cliqz desktop browsers against a range of potential bypass mechanisms (mobile products weren’t tested).
In addition, 46 leading third-party extensions and blockers (AdBlock, AdGuard, Ghostery and others) were pitted against the same bypasses, which included HTML tags, response headers, redirects, the AppCache and Service Worker APIs, JavaScript, and even browser PDF viewers.
Testing for these, the team discovered a complicated and sometimes confusing mixture of the bad, the good and the somewhat reassuring.
Overall, browsers and adblockers aren’t that bad at blocking tracking attempts, but some requests still seemed to slip through. Frankly, it’s difficult to generalise about this because it depends on which browser you are running and whether or not you are using a plug-in adblocker.
Mostly, tracking is about the third-party cookies advertisers bombard users with when they visit websites, which are used to track and map interests and behaviour. They can also be hijacked to aid malicious cross-site request forgery (CSRF) attacks where users have authenticated themselves (e.g. attacks on online banking).
On a positive note, when the team crawled Alexa’s top 10,000 most popular websites, they failed to find any that were abusing the software techniques they had tested.
That doesn’t mean that there isn’t a long list of sites outside the top 10,000 that might be doing this, but most users won’t encounter them regularly if they are.
So, what’s the benefit of knowing this? Mainly, it’s that the researchers appear to have discovered possible bypasses before they are widely abused, which offers browser and blocker makers some direction for their efforts.
Clearly, despite a lot of noise from developers about adding security and blocking to desktop browsers and plug-ins, the fact that researchers were able to spot weaknesses is a sign that perhaps some of these efforts aren’t all they’re cracked up to be.
That’s hardly surprising – closing off every line of attack on browser privacy and security must be a daunting task. According to the researchers, at least their framework offers a way of gauging future progress against an objective measure.
Nevertheless, concluded the researchers:
Overall, we found that browser implementations exhibited a highly inconsistent behavior with regard to enforcing policies on third-party requests, resulting in a high number of bypasses. This demonstrates the need for browsers, which continuously add new features, to be thoroughly evaluated.
An issue not addressed by this research is how much one will ever be able to expect from some browsers, particularly Google’s Chrome, the world’s number one by market share.
Chrome added a form of adblocking earlier in 2018 but, as critics pointed out at the time, it represented a compromise and didn’t go far enough. Unfortunately, eroding privacy through tracking isn’t just important to advertisers and websites, but to some browser makers too.
Anonymous
Tell the Ad Industry not to advertise and we won’t need such Apps
John IL
It’s a cat and mouse game. I get more web sites asking for feedback. If they have aggressive and annoying ads I usually respond that the ads are preventing me from visiting your site. Maybe eventually they will either get the hint or go out of business.