**TITLE HIDDEN-per chairs request**

Chang Seok Oh, Chris Kanich, Damon McCoy, Paul Pearce

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution


    Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating" the victim to the ad network. We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.

    Original language: English (US)
    Title of host publication: CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
    Publisher: Association for Computing Machinery
    Number of pages: 14
    ISBN (Electronic): 9781450394505
    State: Published - Nov 7 2022
    Event: 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States
    Duration: Nov 7 2022 to Nov 11 2022

    Publication series

    Name: Proceedings of the ACM Conference on Computer and Communications Security
    ISSN (Print): 1543-7221


    Conference: 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
    Country/Territory: United States
    City: Los Angeles


    • ad networks
    • targeted advertising
    • tracking
    • web privacy

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

