New research published this week shows that the process third-party advertisers use to target online users can be viewed or manipulated by online attackers who simply use their target’s email address. A team of four researchers from the Georgia Institute of Technology, the University of Illinois at Chicago (UIC), and New York University (NYU) presented their findings Wednesday at the ACM Computer and Communications Security Conference (CCS), a major security venue.
Today, most ads that appear on the Internet are tailored to people based on their browsing history, location, and a host of other factors collected by third-party ad networks. This data is collected by tracking cookies sent by third-party ad networks and associated with unique identifiers such as email addresses. These cookies allow advertisers to create enhanced profiles of Internet users, but researchers have found that this system can be hijacked by attackers.
Once an attacker learns a user’s email address, they can gain access to information collected by any third-party advertiser tracking a specific user’s targeted ad feed. This could allow attackers to view a person’s detailed web browsing history, such as retail and travel websites.
“Third-party ad networks have no direct connection to users. Therefore, if they want to track user activity across devices, they have to rely on identifying information such as email addresses provided to them from other websites,” said a professor in the School of Cybersecurity and Privacy (SCP) at Georgia Tech University. “Our work shows that the way information is transmitted to ad networks is dangerous and difficult to verify. If an attacker knows the victim’s email address, they can lie to the ad network by impersonating the user, which leads to real privacy issues.”
The researchers describe this as ad blackout. It occurs when attackers trick ad networks into associating the attacker’s tracking cookie with a target’s email address, which loops the attacker in on the data collected by third parties. As Pearce and colleagues point out in their article, attackers can also use this process to send all kinds of advertisements to their targets.
“When using the Internet on my personal device, such as a phone or laptop, I don’t expect anyone who knows my personal email to manipulate what I see,” said UIC associate professor Chris Kanich. “This attack is particularly worrying and I’m relieved to use ad and tracking blockers in my browsers.”
To test the extent of this problem, the researchers created artificial users and profiles for their experiment rather than following real people. Knowing only the experimental user’s email address, the team was able to identify specific items and websites the victim interacted with.
Besides purchasing habits, the test also revealed that retargeted ads may contain sensitive location information. For example, if the victim interacts with some hotel and travel websites, the attacker may receive retargeted ads for the hotel the victim is viewing.
“An ad network that exposes travel plans to anyone with a potential target’s email address is a significant privacy threat and potentially dangerous to those being harassed,” said Damon McCoy, an associate professor at NYU.
The researchers point out that tackling this problem without the support of ad networks is difficult, but ad blockers are a reasonable first step toward limiting the disclosure of a user’s personal data. However, mitigating this threat should not be the sole responsibility of users. The team also suggests that the threat would be reduced if third-party ad networks encrypted the credential exchange process and ensured that the data is verified and correct.
The research was presented at ACM CCS 22 in an article entitled “Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement”. ChangSeok Oh is an SCP Ph.D. student of Kanich, McCoy and Pearce. Criteo and Yahoo, among the largest third-party ad networks in the market, were notified of the threat in accordance with ethical research guidelines.