**TITLE HIDDEN-per chairs request**

Chang Seok Oh; Chris Kanich; Damon McCoy; Paul Pearce

doi:10.1145/3548606.3560641

TITLE HIDDEN-per chairs request

Chang Seok Oh, Chris Kanich, Damon McCoy, Paul Pearce

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating"the victim to the ad network. We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.

Original language	English (US)
Title of host publication	CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	2401-2414
Number of pages	14
ISBN (Electronic)	9781450394505
DOIs	https://doi.org/10.1145/3548606.3560641
State	Published - Nov 7 2022
Event	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States Duration: Nov 7 2022 → Nov 11 2022

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
Country/Territory	United States
City	Los Angeles
Period	11/7/22 → 11/11/22

Keywords

ad networks
targeted advertising
tracking
web privacy

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3548606.3560641

Cite this

**TITLE HIDDEN-per chairs request**. / Oh, Chang Seok; Kanich, Chris; McCoy, Damon et al.

CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2022. p. 2401-2414 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Oh, CS, Kanich, C, McCoy, D & Pearce, P 2022, **TITLE HIDDEN-per chairs request**. in CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 2401-2414, 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, United States, 11/7/22. https://doi.org/10.1145/3548606.3560641

@inproceedings{f7a297318a5044c9b64e98afcebf293a,

title = "**TITLE HIDDEN-per chairs request**",

abstract = "Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus {"}impersonating{"}the victim to the ad network. We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.",

keywords = "ad networks, targeted advertising, tracking, web privacy",

author = "Oh, {Chang Seok} and Chris Kanich and Damon McCoy and Paul Pearce",

note = "Funding Information: The authors thank Masood Ali and the anonymous reviewers whose thoughtful feedback and engagement during rebuttals improved the work significantly. This work was supported in part by funding from ONR award N00014-18-1-2662 and NSF CNS award 2151837. Publisher Copyright: {\textcopyright} 2022 Owner/Author.; 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 ; Conference date: 07-11-2022 Through 11-11-2022",

year = "2022",

month = nov,

day = "7",

doi = "10.1145/3548606.3560641",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "2401--2414",

booktitle = "CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - **TITLE HIDDEN-per chairs request**

AU - Oh, Chang Seok

AU - Kanich, Chris

AU - McCoy, Damon

AU - Pearce, Paul

N1 - Funding Information: The authors thank Masood Ali and the anonymous reviewers whose thoughtful feedback and engagement during rebuttals improved the work significantly. This work was supported in part by funding from ONR award N00014-18-1-2662 and NSF CNS award 2151837. Publisher Copyright: © 2022 Owner/Author.

PY - 2022/11/7

Y1 - 2022/11/7

N2 - Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating"the victim to the ad network. We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.

AB - Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating"the victim to the ad network. We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.

KW - ad networks

KW - targeted advertising

KW - tracking

KW - web privacy

UR - http://www.scopus.com/inward/record.url?scp=85143046760&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85143046760&partnerID=8YFLogxK

U2 - 10.1145/3548606.3560641

DO - 10.1145/3548606.3560641

M3 - Conference contribution

AN - SCOPUS:85143046760

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 2401

EP - 2414

BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022

Y2 - 7 November 2022 through 11 November 2022

ER -