The Cracked Cookie Jar HTTP Cookie Hijackingand the Exposure of Private Information

Suphannee Sivakornlowast Iasonas Polakislowast and Angelos D KeromytisDepartment of Computer Science

Columbia University New York USAsuphannee polakis angeloscscolumbiaedu

lowastJoint primary authors

AbstractmdashThe widespread demand for online privacy alsofueled by widely-publicized demonstrations of session hijackingattacks against popular websites has spearheaded the increasingdeployment of HTTPS However many websites still avoid ubiq-uitous encryption due to performance or compatibility issues Theprevailing approach in these cases is to force critical functionalityand sensitive data access over encrypted connections whileallowing more innocuous functionality to be accessed over HTTPIn practice this approach is prone to flaws that can exposesensitive information or functionality to third parties

In this paper we conduct an in-depth assessment of a diverseset of major websites and explore what functionality and infor-mation is exposed to attackers that have hijacked a userrsquos HTTPcookies We identify a recurring pattern across websites withpartially deployed HTTPS service personalization inadvertentlyresults in the exposure of private information The separationof functionality across multiple cookies with different scopesand inter-dependencies further complicates matters as impreciseaccess control renders restricted account functionality accessibleto non-session cookies Our cookie hijacking study reveals anumber of severe flaws attackers can obtain the userrsquos homeand work address and visited websites from Google Bing andBaidu expose the userrsquos complete search history and Yahooallows attackers to extract the contact list and send emails fromthe userrsquos account Furthermore e-commerce vendors such asAmazon and Ebay expose the userrsquos purchase history (partialand full respectively) and almost every website exposes theuserrsquos name and email address Ad networks like Doubleclickcan also reveal pages the user has visited To fully evaluate thepracticality and extent of cookie hijacking we explore multipleaspects of the online ecosystem including mobile apps browsersecurity mechanisms extensions and search bars To estimatethe extent of the threat we run IRB-approved measurementson a subset of our universityrsquos public wireless network for30 days and detect over 282K accounts exposing the cookiesrequired for our hijacking attacks We also explore how userscan protect themselves and find that while mechanisms such asthe EFFrsquos HTTPS Everywhere extension can reduce the attacksurface HTTP cookies are still regularly exposed The privacyimplications of these attacks become even more alarming whenconsidering how they can be used to deanonymize Tor users Ourmeasurements suggest that a significant portion of Tor users maycurrently be vulnerable to cookie hijacking

I INTRODUCTION

With an ever-increasing part of our everyday life revolvingaround the Internet and a large amount of personal databeing uploaded to services ensuring the privacy of our digitalcommunications has become a critical and pressing matter Inthe past few years there has been much discussion regarding

the necessity of securing web connections from prying eyesThe publicity garnered by the Firesheep extension [1] whichdemonstrated how easily attackers can hijack a userrsquos sessionwas a catalyst in expediting migration of critical user activityto mandatory HTTPS connections in major services (egtransmitting user credentials during the log-in process)

Nonetheless many major websites continue to serve contentover unencrypted connections which exposes the usersrsquo HTTPcookies to attackers monitoring their traffic Not enforcingubiquitous encrypted connections may be attributed to variousreasons ranging from potential increases to infrastructure costsand the loss of in-network functionality [2] to maintainingsupport for legacy clients If access control policies correctlyseparated privileges of authenticated (eg session cookies)and non-authenticated cookies (eg persistent tracking cook-ies) stolen HTTP cookies would not allow attackers to obtainany personal user information However that is not the casein practice [3] and things become worse as services continueto sacrifice security over usability Websites assign privilegesto HTTP cookies to personalize functionality as it improvesuser experience but avoid requesting re-authentication unlessabsolutely necessary as it impacts user engagement Whilesession hijacking has been extensively explored limited at-tention has been given to the privacy risks of non-sessioncookies being hijacked Castelluccia et al [4] demonstratedhow stolen HTTP cookies could allow attackers to reconstructa userrsquos Google search history

A subset of the problem we explore has been highlighted instudies that measured the exposure of personal or personallyidentifiable information (PII) in unencrypted traffic [5]ndash[8]However those studies are limited by nature and do notcapture the full extent of the privacy threat that users facedue to unencrypted connections First modern websites arehighly dynamic and information can be fetched in obfuscatedform and constructed on the client-side at runtime Secondwebsites may only serve private information over encryptedconnections while flawed access control separation rendersthat information accessible to HTTP cookies (we demonstratethis with Google Maps exposing a userrsquos address in GoogleSearch) Third eavesdropping is limited to the userrsquos actionsfor a specific time window and certain pieces of informationrequire specific actions to be exposed which may not occurduring the monitoring period Fourth we find that stolen HTTP

cookies can also access account functionality both explicitly(eg send an email from the userrsquos account) and implicitly(eg receive personalized query results from a search engine)

In this paper we explore the extent and severity of the un-safe practice followed by major services of partially adoptingencrypted connections and its ramifications for user privacyWe demonstrate how HTTP cookie hijacking attacks not onlyenable access to private and sensitive user information but canalso circumvent authentication requirements and gain accessto protected account functionality To our knowledge thisis the first in-depth study exploring the privacy implicationsof partial adoption of HTTPS We audit 25 major servicesselected from a variety of categories that include searchengines and e-commerce sites In each case we analyze theuse of HTTP cookies the combination of cookies required toexpose different types of information and functionality andsearch for inconsistencies in how cookies are evaluated Thisallows us to obtain a comprehensive understanding of thefeasibility and impact of this class of attacks in practice Weuncover flaws in major websites that allow attackers to obtaina plethora of sensitive user information and also to accessprotected account functionality As a precautionary measurewe conduct all experiments on our personal or test accounts

We conduct an IRB-approved measurement study on a sub-set of our universityrsquos public wireless network to understandthe browsing behavior of users when connected to unprotectedpublic networks On average we detect more than 8K uniqueaccounts exposing their cookies for hijacking each day Ourmeasurements have the sole purpose of estimating the numberof users that are susceptible to hijacking attacks we do notaccess any user accounts collect any personal informationor attempt to deanonymize any users

Furthermore we look at multiple practical aspects of cookiehijacking and identify how each component of this intricateecosystem can impact the attacks We find that partial deploy-ment of HSTS a security mechanism which is gaining tractionand supported by modern browsers does not present an actualobstacle to cookie hijacking as unencrypted connections tocertain pages or subdomains of a service still expose thecookies Furthermore client-side mechanisms like the HTTPSEverywhere extension can reduce the attack surface but cannot protect users when websites do not support ubiquitousencryption We also find that both Chrome and Firefox havea multitude of components that expose usersrsquo cookies Andwhile the apps we test are considerably more secure in Androidthan in iOS both platforms have official apps with millionsof users that use unencrypted connections

Due to the practicality of these attacks and the pervasive-ness of the vulnerable websites we investigate how cookiehijacking can lead to the deanonymization of Tor users Inour IRB-approved study we find that 75 of the outgoingconnections from a new exit node are over HTTP Basedon the comparison to the respective measurements from ouruniversityrsquos wireless network we believe that a large numberof Tor users may be exposed to HTTP cookie hijacking andsusceptible to deanonymization

Overall our goal is twofold First to alert developersof the pitfalls of partially enforcing HTTPS while offeringpersonalized functionality Second to inform users about theprotection offered by popular security and privacy-enhancingsystems and the caveats of not knowing the precise extent oftheir protection The main contributions of this paper arebull We conduct an in-depth study on the impact and gravity

of HTTP cookie hijacking attacks against major servicesOur findings demonstrate that a wide range of privateinformation and protected account functionality is acces-sible The diversity of these websites suggests that this isa widespread systemic risk of unencrypted connectionsand not a topical threat against a specific class of sites

bull Our measurement study demonstrates the extent of therisk we monitor part of our universityrsquos public wirelessnetwork over the course of one month and identifyover 282K user accounts that exposed the HTTP cookiesrequired for the hijacking attacks

bull Our analysis on the collateral exposure of cookies showsthat browser extensions search bars and mobile apps ofmajor vendors expose millions of users to risk

bull We explore how HSTS can impact HTTP cookie hi-jacking We demonstrate that partial deployment rendersthe mechanism ineffective as a single unencrypted con-nection may be sufficient for an attacker to obtain therequired cookies

bull We describe how major websites can be used asdeanonymization vectors against users that rely on the Torbundle for anonymity and find that existing mechanismscannot adequately protect users

bull We disclosed our findings to the services we auditedand the Tor community in an effort to assist them inprotecting their users from this significant privacy threat

The remainder of this paper is structured as follows inSection II we offer background information and motivationfor our work through a network traffic study In Section IIIwe offer details on our analysis of cookie hijacking attacksagainst popular services and explore the collateral exposureof user cookies by mobile apps and browser components inSection IV We explore the deanonymization risk that Torusers face in Section V and discuss general countermeasuresagainst cookie hijacking in Section VI We address the ethicalaspects of our research in Section VII discuss related workin Section VIII and conclude in Section IX

II BACKGROUND THREAT MODEL AND MOTIVATION

In this section we provide a short description of the securitymechanisms supported by browsers for protecting usersrsquo com-munications an overview of our threat model and motivationthrough a network traffic analysis study

A Browser security mechanisms

In recent years browsers have included support for varioussecurity mechanisms that are designed to protect users froma range of attacks (eg [9] [10]) The one most relevant toour work is HSTS as it can prevent HTTP cookie hijacking

Fig 1 Workflow of an HTTP cookie hijacking attack After the victimrsquos cookies are exposed on the unencrypted connection 1 and stolen 2 the attackercan append the stolen cookies when browsing the target websites 3 and gain access to the victimrsquos personal information and account functionality 4

attacks However we also mention certificate pinning asit is employed in Chrome and Firefox through the HSTSpreloading mechanism We refer the reader to [11] for a moredetailed description of HSTS and certificate pinning

HSTS The HTTP Strict Transport Security mecha-nism [12] allows websites to instruct browsers to only ini-tiate communication over HTTPS This is done through theStrict-Transport-Security HTTP header HSTS iscurrently supported by all major browsers and certain mobilebrowsers [13] A noteworthy point of failure is during theuserrsquos initial request before the HSTS header is receivedwhich exposes the user to hijacking if sent over HTTP Asa precautionary measure major browsers rely on a ldquopreloadedlistrdquo which proactively instructs them to connect to domainsover HTTPS This protects users during the initial request toa website and websites can request to be included in the listthrough an online form1 HSTS preloading is currently sup-ported by Chrome Firefox Safari and Internet Explorer [14]

Certificate pinning Adversaries may create or obtainfraudulent certificates that allow them to impersonate websitesas part of man-in-the-middle attacks [15] To prevent thatwebsites can specify a (limited) set of hashes for certificates inthe websitersquos X509 public key certificate chain Browsers areallowed to establish a secure connection to the domain only ifat least one of the predefined pinned keys matches one in thecertificate chain presented This was proposed as an extensionto HSTS [16] and is currently supported by (at least) Firefoxand Chrome The recent HPKP specification [17] describes anHTTP response header field for pinning certificates

B Threat model

Depending on the attackerrsquos ability and resources a userrsquosHTTP cookies can be hijacked through several techniquesTo demonstrate the severity of the threat we assume therole of a weak adversary and conduct experiments throughpassive eavesdropping Nonetheless we also investigate cookiecharacteristics that could be exploited by active adversaries forincreasing the scale of the attacks

1httpshstspreloadappspotcom

HTTP cookie hijacking The adversary monitors the trafficof a public wireless network eg that of a university campusor coffee shop Figure 1 presents the workflow of a cookiehijacking attack The user connects to the wireless network tobrowse the web The browser appends the userrsquos HTTP cookiesto the requests sent in cleartext over the unencrypted connec-tion ( 1 ) The traffic is being monitored by the eavesdropperwho extracts the userrsquos HTTP cookies from the network trace( 2 ) and connects to the vulnerable services using the stolencookies ( 3 ) The services ldquoidentifyrdquo the user from the cookiesand offer a personalized version of the website thus exposingthe userrsquos personal information and account functionality to theadversary ( 4 )

Cookie availability These attacks require the user to havepreviously logged into the service for the required cookies tobe available Having closed the browser since the previous login does not affect the attacks as these cookies persist acrossbrowsing sessions

Active adversary Attackers can follow more active ap-proaches which increase the scale of the attack or remove therequirement of physical proximity to the victims ie beingwithin range of the same WiFi access point This also enablesmore invasive attacks For example the attacker can injectcontent to force the userrsquos browser to send requests to specificvulnerable websites and expose the userrsquos cookies even if theuser does not explicitly visit those sites This could be achievedby compromising the wireless access point or scanning forand compromising vulnerable routers [18] Furthermore ifthe HTTP cookies targeted by the attacker do not have theHttpOnly flag set [19] they can be obtained through othermeans eg XSS attacks [20] Users of major services can alsobe exposed to such attacks from affiliated ad networks [21]

State-level adversary In the past few years there havebeen many revelations regarding mass user surveillance byintelligence agencies (eg the NSA [22]) Such entities couldpotentially deploy HTTP cookie hijacking attacks for ob-taining access to usersrsquo personal information Reports havedisclosed that GCHQ and NSA have been collecting usercookies at a large scale as part of user-tracking programs [23][24] As we demonstrate in Section III these collected cookies

Fig 1 Workflow of an HTTP cookie hijacking attack After the victimrsquos cookies are exposed on the unencrypted connection 1 and stolen 2 the attackercan append the stolen cookies when browsing the target websites 3 and gain access to the victimrsquos personal information and account functionality 4

attacks However we also mention certificate pinning asit is employed in Chrome and Firefox through the HSTSpreloading mechanism We refer the reader to [11] for a moredetailed description of HSTS and certificate pinning

HSTS The HTTP Strict Transport Security mecha-nism [12] allows websites to instruct browsers to only ini-tiate communication over HTTPS This is done through theStrict-Transport-Security HTTP header HSTS iscurrently supported by all major browsers and certain mobilebrowsers [13] A noteworthy point of failure is during theuserrsquos initial request before the HSTS header is receivedwhich exposes the user to hijacking if sent over HTTP Asa precautionary measure major browsers rely on a ldquopreloadedlistrdquo which proactively instructs them to connect to domainsover HTTPS This protects users during the initial request toa website and websites can request to be included in the listthrough an online form1 HSTS preloading is currently sup-ported by Chrome Firefox Safari and Internet Explorer [14]

Certificate pinning Adversaries may create or obtainfraudulent certificates that allow them to impersonate websitesas part of man-in-the-middle attacks [15] To prevent thatwebsites can specify a (limited) set of hashes for certificates inthe websitersquos X509 public key certificate chain Browsers areallowed to establish a secure connection to the domain only ifat least one of the predefined pinned keys matches one in thecertificate chain presented This was proposed as an extensionto HSTS [16] and is currently supported by (at least) Firefoxand Chrome The recent HPKP specification [17] describes anHTTP response header field for pinning certificates

B Threat model

Depending on the attackerrsquos ability and resources a userrsquosHTTP cookies can be hijacked through several techniquesTo demonstrate the severity of the threat we assume therole of a weak adversary and conduct experiments throughpassive eavesdropping Nonetheless we also investigate cookiecharacteristics that could be exploited by active adversaries forincreasing the scale of the attacks

1httpshstspreloadappspotcom

HTTP cookie hijacking The adversary monitors the trafficof a public wireless network eg that of a university campusor coffee shop Figure 1 presents the workflow of a cookiehijacking attack The user connects to the wireless network tobrowse the web The browser appends the userrsquos HTTP cookiesto the requests sent in cleartext over the unencrypted connec-tion ( 1 ) The traffic is being monitored by the eavesdropperwho extracts the userrsquos HTTP cookies from the network trace( 2 ) and connects to the vulnerable services using the stolencookies ( 3 ) The services ldquoidentifyrdquo the user from the cookiesand offer a personalized version of the website thus exposingthe userrsquos personal information and account functionality to theadversary ( 4 )

Cookie availability These attacks require the user to havepreviously logged into the service for the required cookies tobe available Having closed the browser since the previous login does not affect the attacks as these cookies persist acrossbrowsing sessions

Active adversary Attackers can follow more active ap-proaches which increase the scale of the attack or remove therequirement of physical proximity to the victims ie beingwithin range of the same WiFi access point This also enablesmore invasive attacks For example the attacker can injectcontent to force the userrsquos browser to send requests to specificvulnerable websites and expose the userrsquos cookies even if theuser does not explicitly visit those sites This could be achievedby compromising the wireless access point or scanning forand compromising vulnerable routers [18] Furthermore ifthe HTTP cookies targeted by the attacker do not have theHttpOnly flag set [19] they can be obtained through othermeans eg XSS attacks [20] Users of major services can alsobe exposed to such attacks from affiliated ad networks [21]

State-level adversary In the past few years there havebeen many revelations regarding mass user surveillance byintelligence agencies (eg the NSA [22]) Such entities couldpotentially deploy HTTP cookie hijacking attacks for ob-taining access to usersrsquo personal information Reports havedisclosed that GCHQ and NSA have been collecting usercookies at a large scale as part of user-tracking programs [23][24] As we demonstrate in Section III these collected cookies

TABLE ISTATISTICS OF OUTGOING CONNECTIONS FROM A SUBSET OF OUR

CAMPUSrsquo PUBLIC WIRELESS NETWORK FOR 30 DAYS

Protocol Connections Requests Vulnerable ExposedRequests Accounts

HTTP 685500365 1398044178 29908099 282459

HTTPS 772562024 ndash ndash ndash

HTTP requests to domains that we have audited and found to be vulnerable

could be used to amass a large amount of sensitive informationthat is exposed by major websites Furthermore in Section Vwe discuss how Tor users who are known to be targeted byintelligence agencies [25] can be deanonymized through thehijacked HTTP cookies of major services

C Motivation - Network Traffic Study

The feasibility of cookie hijacking attacks by eavesdroppersis dependant on the browsing behavior of users when con-nected to public wireless networks If users only visit websiteswith ubiquitous encryption or employ VPN tunneling solu-tions HTTP cookie hijacking can be prevented We conductan exploratory study of the traffic passing through the publicwireless network of our universityrsquos campus

IRB Before conducting any experiments we submitted arequest to our Institutional Review Board that clearly de-scribed our research goals collection methodology and thetype of data to be collected Once the request was approvedwe worked closely with the Network Security team of ouruniversityrsquos IT department for conducting the data collectionand analysis in a secure and privacy-preserving manner

Data collection In order to collect the data we setup alogging module on a network tap that received traffic frommultiple wireless access points positioned across our campusThe RSPAN was filtered to only forward outgoing trafficdestined to TCP ports 80 and 443 and had a throughput of 40-50 Mbs covering approximately 15 of the public wirelessoutgoing traffic Our data collection lasted for 30 days Weused the number of TCP SYN packets to calculate the numberof connections When the connection is over HTTP or HTTPSwe capture the destination domain name through the HTTPhost header and the TLS SNI extension respectively For eachHTTP request we log the destination domain and the name ofany HTTP cookies appended (eg SID) We also calculated aHMAC of the cookiersquos value (the random key was discardedafter data collection) The cookie names allow us to verifythat users are logged in and susceptible to cookie hijackingfor each service as we have explored the role of each cookieand also identified the subset required for the complete attack(described in Section III)

While we do not log the cookie value for privacy reasonsthe keyed hash value allows us to distinguish the same userwithin a service to obtain a more accurate estimation of thenumber of exposed accounts We must note that our approachhas limitations as the numbers we estimate may be higherthan the actual numbers a userrsquos cookie value may have

0

101

102

103

104

105

106

Google

Yahoo

Baidu

BingAm

azon

Ebay

Target

Walm

art

NYTim

es

Guardian

Huffington

MSN

Doubleclick

Youtube

Vu

lne

rab

le A

cco

un

ts (

log

)

Fig 2 Number of exposed accounts per service Services marked with ldquordquohave an explicit userID cookie (or field) that allows us to differentiate users

changed over the course of the monitoring period or theuser may use multiple devices (eg laptop and smartphone)However some services employ user-identifier cookies whichwe leverage for differentiating users even if the other cookievalues have changed Furthermore we cannot correlate thesame user across services as we do not collect source IPaddresses or other identifying information thus we refer tovulnerable accounts Nonetheless we consider this to be asmall trade-off for preserving usersrsquo privacy and consider ourapproximation accurate enough to highlight the extent of usersbeing exposed when browsing popular services

Findings Table I presents the aggregated numbers from thedata collected during our study During our monitoring weobserved more that 29 million requests towards the servicesthat we have found to be vulnerable This resulted in 282459accounts exposing the HTTP cookies required for carryingout the cookie hijacking attacks and gaining access to boththeir private information and account functionality Figure 2breaks the numbers down per service Search engines tend toexpose many logged in users with 67201 Google users beingexposed during our experiment Every category of servicesthat we looked at has at least one very popular service thatexposes over ten thousand users during the monitoring periodAd networks also pose a significant risk as they do not requireusers to login and ads are shown across a vast number ofdifferent websites which results in Doubleclick exposing morethan 124K users to privacy leakage

III REAL-WORLD PRIVACY LEAKAGE

In this section we present our study on the ramificationsof HTTP cookie hijacking attacks in real websites We auditthe top Alexa websites from a varied collection of categoriesusing test accounts (or our personal when necessary) andfind that HTTP cookie hijacking attacks affect the majorityof popular websites we tested Table II presents an overviewof the services and our results We provide details on theprivate information and account functionality we are able toaccess with stolen cookies for certain websites and describeother classes of attacks that become feasible Due to spaceconstraints certain services are described in Appendix A

TABLE IIOVERVIEW OF THE AUDITED WEBSITES AND SERVICES THE FEASIBILITY OF COOKIE HIJACKING ATTACKS AND THE TYPE OF USER INFORMATION AND

ACCOUNT FUNCTIONALITY THEY EXPOSE

Service HTTPS Cookie XSS Cookie Information and Account Functionality ExposedAdoption Hijacking Hijacking

Google partial 3 7first and last name username email address profile picture home and work address search optimizationclick history of websites returned in search results

Baidu partial 3 3 username email address profile picture entire search history address of any saved location

Bing partial 3 3first name profile photo viewedit search history (incl images and videos) links clicked from search resultsfrequent search terms saved locations information in interest manager edit interest manager

Yahoo partial 3 3username full name email address viewedit search history vieweditpost answers and questions in YahooAnswers (anonymous or eponymous) viewedit finance portfolio view subject and sender of latest incomingemails extract contact list and send email as user

Youtube partial 3 7 view and change (through pollution attacks) recommended videos and channels

Amazon partial 3 3

view user credentials (username email address or mobile number) viewedit profile picture view recom-mended items view user wish lists view recently browsed items view recently bought items viewedititems in cart view shipping name and city view current balance view userrsquos review (even anonymous)send email of products or wishlist on behalf of user obtain email addresses of previously emailed contacts

Ebay partial 3 3delivery name and address viewedit items in cart viewedit purchase history view items for sale viewprevious bids view userrsquos messages viewedit watch list and wish lists

MSN partial 3 3 first and last name email address profile pictureWalmart partial 3 3 first name email address viewedit items in cart view delivery postcode write product review

Target partial 3 3first name email address viewedit items in cart recently viewed items view and modify wish list sendemail about products or wish list

CNN partial 3 3viewedit profile (full name postal address email address phone number profile picture) viewedit linkedFacebook account writedelete article comments recently viewed content on iReport

New York Times partial 3 3username email address viewedit basic profile (display name location personal website bio profilepicture) username email address viewedit list of saved articles share article via email on behalf of user

Huffington Post partial 3 partial profile can be viewed and edited (login name profile photo email address biography postal code locationsubscriptions fans comments and followings) change account password delete account

The Guardian partial 3 3username view public section of profile (profile picture bio interests) userrsquos comments replies tags andcategories of viewed articles post comments on articles as user

Doubleclick partial 3 3 ads show content targeted to userrsquos profile characteristics or recently viewed contentSkype partial 7 7 -LinkedIn partial 7 7 -Craigslist partial 7 7 -Chase Bank partial 7 7 -Bank of America partial 7 7 -Facebook full 7 7 NATwitter full 7 7 NAGoogle+ full 7 7 NALive (Hotmail) full 7 7 NAGmail full 7 7 NAPaypal full 7 7 NA

While these services do not have ubiquitous HTTPS no personalization is offered over HTTP pages

Threat persistence Invalidating session cookies when auser logs out is standard practice High-value services do soeven after a short time of user inactivity We examined whetherthe services also invalidate the HTTP cookies required for ourhijacking attacks We found that even if the user explicitly logsout after the attacker has stolen the cookies almost all cookiesstill retain access privileges and can carry out the attackThus attackers can maintain access to the victimrsquos personalinformation and account functionality until the cookiesrsquo setexpiration date which can be after several months (Googlecookies expire after 2 years) Ebay was the only service outof the vulnerable that invalidates the cookies after loggingout Those cookies do not instruct the browser to expire uponexiting indicating that Ebay manages the cookiesrsquo validity onthe server side Below we also discuss the unusual behaviorof Youtube for users that are not logged in

A GoogleTypically the adversary can steal the victimrsquos HTTP cookie

for Google by observing a connection to any page hosted ongooglecom for which encryption is not enforced

Cookie hijacking Google automatically redirects usersconnecting over HTTP to googlecom to HTTPS to protecttheir searches from eavesdropping However upon the initialrequest before being redirected and enforcing encrypted com-munication the browser will send the HTTP cookies Further-more the user can also use the address bar for visiting Googleservices eg the user can type ldquowwwgooglecommapsrdquoto visit Google Maps Under these usage scenarios the browserwill again expose the userrsquos HTTP cookies and if an adversaryis monitoring the traffic she can hijack them Redirecting in-stead of enforcing HTTPS is most likely a conscious decisionfor supporting legacy clients that do not run HTTPS (outdatedUser Agents are not redirected)

Browser behavior The adversary must observe an un-ecrypted connection to googlecom which may not occurunder all scenarios However a very typical scenario is forthe victim to use the browserrsquos address bar Consequently tounderstand the conditions under which the requirements willhold we explore how popular browsers handle user input inthe address bar when trying to visit googlecom As shown

TABLE IIIBROWSER BEHAVIOR FOR USER INPUT IN ADDRESS BAR

Browser Connect over HTTP

Desktop

Chrome (v 45) 3Firefox (v 41) 3Safari (v 80) 3Internet Explorer (v 11) 3Opera (v 32) 3

Mobile

Safari (iOS 9) 3Chrome (v46 Android 511) 7 (conditionally)

user input googlecom wwwgooglecom

()googlecom iff using SSL must use an acceptablecertificate

name googlecom include_subdomains truepins google

Now we force HTTPS for subtrees of googlecom name mailgooglecom include_subdomains true

mode force-https pins google

Listing 1 Subset of rules in Chromersquos HSTS-preload file

in Table III for straightforward user input popular browserswill connect to googlecom over HTTP Due to the auto-complete feature of certain browsers (eg Firefox) even if thevictim only types ldquogooglerdquo the auto-complete mechanismwill add ldquocomrdquo and the browser will again connect overHTTP Therefore under common browsing patterns the exist-ing design will expose a userrsquos cookie when visiting the mainsearch engine Interestingly while the default iOS browser(Safari) exhibits the same behavior Chrome on Android willconnect to Google over HTTPS to securely prefetch pageresources However if users turn this option off to improveperformance2 Android Chrome will also connect over HTTP

HSTS preloading As described in Section II majorbrowsers employ pre-loading lists for HSTS As can be seenin Listing 1 the preloaded HSTS policy for Chrome doesnot actually force the browser to connect to googlecomover HTTPS It does however employ certificate pinning itrequires an acceptable certificate if the browser is alreadyconnecting over HTTPS This is applied to all local country-based variations of Googlersquos search engine and the main pageitself On the other hand critical Google subdomains supportHSTS preloading and are explicitly forced to connect overHTTPS As a result users that visit the Google search enginethrough the address bar will most likely connect over anunencrypted channel and their cookies will be exposed

Information leakage If the adversary simply visitsgooglecom using the stolen cookie no sensitive informa-tion will be accessible as the browser is redirected to HTTPSHowever if the adversary ldquoforcesrdquo the browser to visit Googleover HTTP sensitive information can be accessed During ourauditing we have identified the following

2httpssupportgooglecomchromeanswer1385029

Personal information Due to the cookie Google considersthe victim logged-in resulting in personal information beingleaked As can be seen in Figure 3(a) we gain access to theuserrsquos name and surname Gmail address and profile picture

Location Google Maps allows users to set their Home andWork addresses for easily obtaining directions tofrom otherdestinations While Google Maps requires HTTPS whichprevents us from acquiring any information if the adver-sary connects to googlecom over HTTP and searches forldquohomerdquo or ldquoworkrdquo the search results will contain a widget ofGoogle Maps revealing the respective address An example canbe seen in Figure 3(b) Accessibility to location informationcan expose the user to physical threats [26] [27]

Browsing history Using the stolen cookie the adversary canstart issuing Google searches for various terms of interest Ifthe search results contain links that the user has previouslyvisited through the search engine Google will reveal howmany times the page has been visited and the date of thelast visit Users can opt-out of historical information beingincluded in their search results however this option is enabledby default If enabled the adversary can search for a varietyof terms and infer sensitive data about the user Figure 3(a)shows an example scenario where the adversary obtains suchinformation Depending on the attackerrsquos goal she couldemploy a precompiled dictionary of sensitive keywords forfinding sensitive web activity or a dictionary of the mostpopular Google search terms for recovering parts of the userrsquosweb visiting history While previous work demonstrated thatunencrypted sessions could enable attackers to reconstructa userrsquos Google search history [4] this is the first to ourknowledge attack that discovers webpages visited by the userthrough Google

Exploiting search optimization Google search may returnresults that have been personalized for the user either byinserting specific entries or changing the rank of specificresults Previous work has demonstrated a methodology formeasuring personalization in Google search results [28] Byadapting this technique the adversary can extract entriesfrom the search results that have been returned based oncharacteristics of the victimrsquos profile

Shopping Using the HTTP googlecom cookie whenvisiting Googlersquos shopping page which runs mainly overHTTP will reveal the userrsquos first and last name Gmail handleGoogle profile It also allows viewing and editing the userrsquosshortlist (items under consideration)

Pollution attacks If the attacker issues search queries usingthe stolen cookies the search terms are treated as if originatingfrom the user and added to the search history This allows theadversary to affect the victimrsquos contextual and persistent searchpersonalization through pollution attacks [29]

Youtube exhibits a strange behavior that we did not comeacross in other services If the victim is logged in the stolencookie does not reveal any information However if the victimis not logged in the cookie that is exposed gives access tothe userrsquos recommended channels and videos which can bechanged through pollution attacks Furthermore information

(a) Profile and History (b) Location

Fig 3 Private information obtainable from userrsquos Google account through HTTP cookie hijacking

about the userrsquos music interests can be used to infer privateattributes [30]

B Bing

According to a recent report [31] Bing handles approxi-mately 204 of the desktop searches originating from theUS Bing is also the default search engine for Siri iPhonersquosvoice-driven assistant as well as all Microsoft-based productsWhen auditing Bing we found that by default all connectionsare served over HTTP ie all searches are sent in clear-textUsers have to explicitly type https in the browserrsquos addressbar to be protected from eavesdropping

Personal information Bing will expose the userrsquos firstname and profile photo The profile photo can be used toobtain more information of the user through face recognitionand publicly available data in other websites [32]

Location If the victim has saved any locations on BingMaps they are also exposed Apart from the work or homeaddresses this may include other locations the user has visitedin the past (eg bars health clinics)

Interest Manager This recently introduced feature allowsusers to select interests from a variety of topics Based on thecategory this can reveal private information including financialassets and political inclination

Search and browsing history Once the adversary stealsthe cookie she can retrieve the userrsquos search history includingthose in the images and videos categories Apart from a widgetdisplaying the users most recent and most frequent searchqueries the search history page also reveals the page that theuser visited from each search

Pollution attacks The attacker can also issue search queriesfor conducting a pollution attack and subsequently deletethose entries for stealthiness This will remove any trails ofthe attack and prevent the victim from detecting it

C Yahoo

Depending on the type of browser and whether it isbeing run for the first time visiting yahoocom through theaddress bar will either connect to HTTP and then redirect toHTTPS or maintain the unencrypted connection Howeverlinks in the main Yahoo page are all redirected throughhttphsrdyahoocom Even if the user explicitly

Fig 4 Extracting contact list and sending email from the victimrsquos accountin Yahoo

connects to Yahoo over HTTPS if any link in the homepage isclicked it will connect to that subdomain over an unencryptedconnection Therefore regardless of how the victim connectswe have identified three HTTP cookies (Y F T) that areexposed to eavesdroppers We first describe the informationand functionality that attackers can access and then how weperform a cookie forging attack to remove the requirements forthe user to browse specific subdomains while being monitored

Personal information The Y and T cookies set foryahoocom allow the attacker to obtain the userrsquos first nameThe full last name and email address can also be obtained aswe explain below

Yahoo Mail To facilitate sharing posts with friends articlesin Yahoo contain an ldquoEmail to friendsrdquo button which presentsa popup window in which the adversary can add an arbitrarymessage as shown in Figure 4 Furthermore the Sender fieldhas auto-complete functionality which allows us to obtain thevictimrsquos complete contact list These features combined can beleveraged for deploying effective phishing or spam campaignsThe contactsrsquo emails can be used for acquiring informationabout those users from other services and deploying person-alized spam campaigns [33] The widget also contains theuserrsquos full name and email address Extracting the contactsrequires all three cookies set for the main domain while send-ing the email requires them for the newsyahoocom or

the financeyahoocom subdomain depending on whichsection the article is located in

If the user hovers over or clicks on the mail notificationbutton the attacker can also access the incoming mail widgetwhich reveals the Sender and partial Subject (up to 21characters) of the 8 most recent incoming emails This is dueto a cookie being attributed an ldquoauthenticatedrdquo status Thislasts approximately one hour after which it cannot access thewidget If at any point the user accesses the notification buttonagain the hijacked cookie is re-authorized

Yahoo Search Having acquired the main domain andsearch subdomain Y and T cookies the adversary can gainaccess to the victimrsquos complete search history Apart fromviewing the searched terms these cookies allow editing thehistory and removing previous searches However Yahoo ex-plicitly states that even if past searches are deleted user searchdata is still logged This enables stealthy pollution attacksafter issuing search queries for influencing the personalizationprofile of the user the adversary can then delete all issuedsearches and remove traces of the attack

Yahoo Answers One of the many services offered byYahoo is a popular ldquoquestion and answerrdquo site where userscan ask any type of question and other members of thecommunity can provide answers (albeit sometimes with ques-tionable quality [34]) Users posting questions or answers maychoose to remain anonymous for a given question especiallyif the topic is considered sensitive [35] Upon auditing Yahoowe found that the victimrsquos HTTP cookie allows partial controlover the account the adversary is able to ask or answer ques-tions (either eponymously or anonymously) and also to viewand edit previous questions and answers posted by the vic-tim Thus the adversary can effectively ldquodeanonymizerdquo postsand obtain potentially sensitive information about the victimwhich was posted under the assumption of anonymity Theadversary can also post comments as the victim in the com-ment section of news articles This requires the Y T cookiesfor the yahoocom domain and the answersyahoocomsubdomain

Yahoo Finance Another service offered by Yahoo is relatedto financial news and functionality and also offers tools forusers to manage their personal finances This includes creatingportfolios with their stock information etc The Y and Tcookies for the main domain and finance subdomain allow theattacker to view and edit the victimrsquos portfolio If the victimvisits the finance page the corresponding cookies are exposed

Cookie forging Different cookie combinations provideaccess to specific user information or account functionalityand depending on the subdomain on which the information ishosted the respective cookies for those domains are requiredHowever we can use a cookie acquired from one (sub)domainto craft the same cookie for a different subdomain and gainaccess to the specific information or functionality For exam-ple if the user only visits the main Yahoo homepage duringthe monitoring period the attacker will obtain the Y F Tcookies for yahoocom The attacker can then ldquoforgerdquo thosecookies for the searchyahoocom subdomain using the

corresponding value attributes of the hijacked cookies andsubsequently gain access to the userrsquos search history

D Baidu

Baidu is the leading search engine in the Chinese languageand among the top 5 sites according to Alexa To createan account in Baidu the user is required to register eitherwith a Chinese mobile phone number or just provide anemail address The majority of pages in Baidu are servedover an unencrypted connection As with the other searchengines we tested the HTTP cookie can expose significantprivate information to attackers Apart from the profile pictureand username the userrsquos email address is also revealedFurthermore the userrsquos entire search history can be retrievedand pollution attacks are feasible Finally Baidu Maps allowsusers to save locations similar to Bing Maps and all savedlocations can be obtained through the hijacked HTTP cookie

E E-commerce Websites

Amazon The homepage follows the common approach ofredirecting to HTTPS if connected to over HTTP Howeverproduct pages are served over HTTP and as a result usersrsquocookies will be exposed during their browsing sessions

Personal Information The adversary can obtain the infor-mation used by the victim for logging in this includes thevictimrsquos username email address andor cell phone numberFurthermore when proceeding to checkout items in the cartAmazon also reveals the userrsquos full name and city (used forshipping) Viewing and changing the userrsquos profile picture isalso permitted Amazon also allows users to post their reviewsunder a pseudonym which is not connected to the userrsquos nameHowever the adversary can view the userrsquos reviews (whichmay include sensitive items) thus breaking the pseudonymousnature of those reviews Previous work has demonstrated theprivacy risks of recommender systems and experiments inAmazon indicated that sensitive purchases can be inferredfrom the userrsquos review history [36]

Account History The userrsquos HTTP cookie is sufficientfor accessing private information regarding previous actionsSpecifically the adversary can obtain information regardingrecently viewed items and recommendations that are basedon the userrsquos browsing and purchase history The wish-listswhere the user has added items of interest are also accessibleFurthermore the adversary can obtain information regardingpreviously purchased items either through the recommenda-tion page or through product pages (which depict date ofpurchase) In an extensive study on privacy-related aspects ofonline purchasing behavior [37] users rated the creation of adetailed profile from their purchase history and other personalinformation as one of the most troubling scenarios

Shopping Cart The userrsquos cart is also accessible andthe adversary can see the items currently in the userrsquos cartAdditionally the cart can be modified and existing items canbe removed and other items can be added

Vendor-assisted spam We also found that the cookie ex-poses functionality that can be leveraged for deploying spam

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

TABLE IIOVERVIEW OF THE AUDITED WEBSITES AND SERVICES THE FEASIBILITY OF COOKIE HIJACKING ATTACKS AND THE TYPE OF USER INFORMATION AND

ACCOUNT FUNCTIONALITY THEY EXPOSE

Service HTTPS Cookie XSS Cookie Information and Account Functionality ExposedAdoption Hijacking Hijacking

Google partial 3 7first and last name username email address profile picture home and work address search optimizationclick history of websites returned in search results

Baidu partial 3 3 username email address profile picture entire search history address of any saved location

Bing partial 3 3first name profile photo viewedit search history (incl images and videos) links clicked from search resultsfrequent search terms saved locations information in interest manager edit interest manager

Yahoo partial 3 3username full name email address viewedit search history vieweditpost answers and questions in YahooAnswers (anonymous or eponymous) viewedit finance portfolio view subject and sender of latest incomingemails extract contact list and send email as user

Youtube partial 3 7 view and change (through pollution attacks) recommended videos and channels

Amazon partial 3 3

view user credentials (username email address or mobile number) viewedit profile picture view recom-mended items view user wish lists view recently browsed items view recently bought items viewedititems in cart view shipping name and city view current balance view userrsquos review (even anonymous)send email of products or wishlist on behalf of user obtain email addresses of previously emailed contacts

Ebay partial 3 3delivery name and address viewedit items in cart viewedit purchase history view items for sale viewprevious bids view userrsquos messages viewedit watch list and wish lists

MSN partial 3 3 first and last name email address profile pictureWalmart partial 3 3 first name email address viewedit items in cart view delivery postcode write product review

Target partial 3 3first name email address viewedit items in cart recently viewed items view and modify wish list sendemail about products or wish list

CNN partial 3 3viewedit profile (full name postal address email address phone number profile picture) viewedit linkedFacebook account writedelete article comments recently viewed content on iReport

New York Times partial 3 3username email address viewedit basic profile (display name location personal website bio profilepicture) username email address viewedit list of saved articles share article via email on behalf of user

Huffington Post partial 3 partial profile can be viewed and edited (login name profile photo email address biography postal code locationsubscriptions fans comments and followings) change account password delete account

The Guardian partial 3 3username view public section of profile (profile picture bio interests) userrsquos comments replies tags andcategories of viewed articles post comments on articles as user

Doubleclick partial 3 3 ads show content targeted to userrsquos profile characteristics or recently viewed contentSkype partial 7 7 -LinkedIn partial 7 7 -Craigslist partial 7 7 -Chase Bank partial 7 7 -Bank of America partial 7 7 -Facebook full 7 7 NATwitter full 7 7 NAGoogle+ full 7 7 NALive (Hotmail) full 7 7 NAGmail full 7 7 NAPaypal full 7 7 NA

While these services do not have ubiquitous HTTPS no personalization is offered over HTTP pages

Threat persistence Invalidating session cookies when auser logs out is standard practice High-value services do soeven after a short time of user inactivity We examined whetherthe services also invalidate the HTTP cookies required for ourhijacking attacks We found that even if the user explicitly logsout after the attacker has stolen the cookies almost all cookiesstill retain access privileges and can carry out the attackThus attackers can maintain access to the victimrsquos personalinformation and account functionality until the cookiesrsquo setexpiration date which can be after several months (Googlecookies expire after 2 years) Ebay was the only service outof the vulnerable that invalidates the cookies after loggingout Those cookies do not instruct the browser to expire uponexiting indicating that Ebay manages the cookiesrsquo validity onthe server side Below we also discuss the unusual behaviorof Youtube for users that are not logged in

A GoogleTypically the adversary can steal the victimrsquos HTTP cookie

for Google by observing a connection to any page hosted ongooglecom for which encryption is not enforced

Cookie hijacking Google automatically redirects usersconnecting over HTTP to googlecom to HTTPS to protecttheir searches from eavesdropping However upon the initialrequest before being redirected and enforcing encrypted com-munication the browser will send the HTTP cookies Further-more the user can also use the address bar for visiting Googleservices eg the user can type ldquowwwgooglecommapsrdquoto visit Google Maps Under these usage scenarios the browserwill again expose the userrsquos HTTP cookies and if an adversaryis monitoring the traffic she can hijack them Redirecting in-stead of enforcing HTTPS is most likely a conscious decisionfor supporting legacy clients that do not run HTTPS (outdatedUser Agents are not redirected)

Browser behavior The adversary must observe an un-ecrypted connection to googlecom which may not occurunder all scenarios However a very typical scenario is forthe victim to use the browserrsquos address bar Consequently tounderstand the conditions under which the requirements willhold we explore how popular browsers handle user input inthe address bar when trying to visit googlecom As shown

TABLE IIIBROWSER BEHAVIOR FOR USER INPUT IN ADDRESS BAR

Browser Connect over HTTP

Desktop

Chrome (v 45) 3Firefox (v 41) 3Safari (v 80) 3Internet Explorer (v 11) 3Opera (v 32) 3

Mobile

Safari (iOS 9) 3Chrome (v46 Android 511) 7 (conditionally)

user input googlecom wwwgooglecom

()googlecom iff using SSL must use an acceptablecertificate

name googlecom include_subdomains truepins google

Now we force HTTPS for subtrees of googlecom name mailgooglecom include_subdomains true

mode force-https pins google

Listing 1 Subset of rules in Chromersquos HSTS-preload file

in Table III for straightforward user input popular browserswill connect to googlecom over HTTP Due to the auto-complete feature of certain browsers (eg Firefox) even if thevictim only types ldquogooglerdquo the auto-complete mechanismwill add ldquocomrdquo and the browser will again connect overHTTP Therefore under common browsing patterns the exist-ing design will expose a userrsquos cookie when visiting the mainsearch engine Interestingly while the default iOS browser(Safari) exhibits the same behavior Chrome on Android willconnect to Google over HTTPS to securely prefetch pageresources However if users turn this option off to improveperformance2 Android Chrome will also connect over HTTP

HSTS preloading As described in Section II majorbrowsers employ pre-loading lists for HSTS As can be seenin Listing 1 the preloaded HSTS policy for Chrome doesnot actually force the browser to connect to googlecomover HTTPS It does however employ certificate pinning itrequires an acceptable certificate if the browser is alreadyconnecting over HTTPS This is applied to all local country-based variations of Googlersquos search engine and the main pageitself On the other hand critical Google subdomains supportHSTS preloading and are explicitly forced to connect overHTTPS As a result users that visit the Google search enginethrough the address bar will most likely connect over anunencrypted channel and their cookies will be exposed

Information leakage If the adversary simply visitsgooglecom using the stolen cookie no sensitive informa-tion will be accessible as the browser is redirected to HTTPSHowever if the adversary ldquoforcesrdquo the browser to visit Googleover HTTP sensitive information can be accessed During ourauditing we have identified the following

2httpssupportgooglecomchromeanswer1385029

Personal information Due to the cookie Google considersthe victim logged-in resulting in personal information beingleaked As can be seen in Figure 3(a) we gain access to theuserrsquos name and surname Gmail address and profile picture

Location Google Maps allows users to set their Home andWork addresses for easily obtaining directions tofrom otherdestinations While Google Maps requires HTTPS whichprevents us from acquiring any information if the adver-sary connects to googlecom over HTTP and searches forldquohomerdquo or ldquoworkrdquo the search results will contain a widget ofGoogle Maps revealing the respective address An example canbe seen in Figure 3(b) Accessibility to location informationcan expose the user to physical threats [26] [27]

Browsing history Using the stolen cookie the adversary canstart issuing Google searches for various terms of interest Ifthe search results contain links that the user has previouslyvisited through the search engine Google will reveal howmany times the page has been visited and the date of thelast visit Users can opt-out of historical information beingincluded in their search results however this option is enabledby default If enabled the adversary can search for a varietyof terms and infer sensitive data about the user Figure 3(a)shows an example scenario where the adversary obtains suchinformation Depending on the attackerrsquos goal she couldemploy a precompiled dictionary of sensitive keywords forfinding sensitive web activity or a dictionary of the mostpopular Google search terms for recovering parts of the userrsquosweb visiting history While previous work demonstrated thatunencrypted sessions could enable attackers to reconstructa userrsquos Google search history [4] this is the first to ourknowledge attack that discovers webpages visited by the userthrough Google

Exploiting search optimization Google search may returnresults that have been personalized for the user either byinserting specific entries or changing the rank of specificresults Previous work has demonstrated a methodology formeasuring personalization in Google search results [28] Byadapting this technique the adversary can extract entriesfrom the search results that have been returned based oncharacteristics of the victimrsquos profile

Shopping Using the HTTP googlecom cookie whenvisiting Googlersquos shopping page which runs mainly overHTTP will reveal the userrsquos first and last name Gmail handleGoogle profile It also allows viewing and editing the userrsquosshortlist (items under consideration)

Pollution attacks If the attacker issues search queries usingthe stolen cookies the search terms are treated as if originatingfrom the user and added to the search history This allows theadversary to affect the victimrsquos contextual and persistent searchpersonalization through pollution attacks [29]

Youtube exhibits a strange behavior that we did not comeacross in other services If the victim is logged in the stolencookie does not reveal any information However if the victimis not logged in the cookie that is exposed gives access tothe userrsquos recommended channels and videos which can bechanged through pollution attacks Furthermore information

(a) Profile and History (b) Location

Fig 3 Private information obtainable from userrsquos Google account through HTTP cookie hijacking

about the userrsquos music interests can be used to infer privateattributes [30]

B Bing

According to a recent report [31] Bing handles approxi-mately 204 of the desktop searches originating from theUS Bing is also the default search engine for Siri iPhonersquosvoice-driven assistant as well as all Microsoft-based productsWhen auditing Bing we found that by default all connectionsare served over HTTP ie all searches are sent in clear-textUsers have to explicitly type https in the browserrsquos addressbar to be protected from eavesdropping

Personal information Bing will expose the userrsquos firstname and profile photo The profile photo can be used toobtain more information of the user through face recognitionand publicly available data in other websites [32]

Location If the victim has saved any locations on BingMaps they are also exposed Apart from the work or homeaddresses this may include other locations the user has visitedin the past (eg bars health clinics)

Interest Manager This recently introduced feature allowsusers to select interests from a variety of topics Based on thecategory this can reveal private information including financialassets and political inclination

Search and browsing history Once the adversary stealsthe cookie she can retrieve the userrsquos search history includingthose in the images and videos categories Apart from a widgetdisplaying the users most recent and most frequent searchqueries the search history page also reveals the page that theuser visited from each search

Pollution attacks The attacker can also issue search queriesfor conducting a pollution attack and subsequently deletethose entries for stealthiness This will remove any trails ofthe attack and prevent the victim from detecting it

C Yahoo

Depending on the type of browser and whether it isbeing run for the first time visiting yahoocom through theaddress bar will either connect to HTTP and then redirect toHTTPS or maintain the unencrypted connection Howeverlinks in the main Yahoo page are all redirected throughhttphsrdyahoocom Even if the user explicitly

Fig 4 Extracting contact list and sending email from the victimrsquos accountin Yahoo

connects to Yahoo over HTTPS if any link in the homepage isclicked it will connect to that subdomain over an unencryptedconnection Therefore regardless of how the victim connectswe have identified three HTTP cookies (Y F T) that areexposed to eavesdroppers We first describe the informationand functionality that attackers can access and then how weperform a cookie forging attack to remove the requirements forthe user to browse specific subdomains while being monitored

Personal information The Y and T cookies set foryahoocom allow the attacker to obtain the userrsquos first nameThe full last name and email address can also be obtained aswe explain below

Yahoo Mail To facilitate sharing posts with friends articlesin Yahoo contain an ldquoEmail to friendsrdquo button which presentsa popup window in which the adversary can add an arbitrarymessage as shown in Figure 4 Furthermore the Sender fieldhas auto-complete functionality which allows us to obtain thevictimrsquos complete contact list These features combined can beleveraged for deploying effective phishing or spam campaignsThe contactsrsquo emails can be used for acquiring informationabout those users from other services and deploying person-alized spam campaigns [33] The widget also contains theuserrsquos full name and email address Extracting the contactsrequires all three cookies set for the main domain while send-ing the email requires them for the newsyahoocom or

the financeyahoocom subdomain depending on whichsection the article is located in

If the user hovers over or clicks on the mail notificationbutton the attacker can also access the incoming mail widgetwhich reveals the Sender and partial Subject (up to 21characters) of the 8 most recent incoming emails This is dueto a cookie being attributed an ldquoauthenticatedrdquo status Thislasts approximately one hour after which it cannot access thewidget If at any point the user accesses the notification buttonagain the hijacked cookie is re-authorized

Yahoo Search Having acquired the main domain andsearch subdomain Y and T cookies the adversary can gainaccess to the victimrsquos complete search history Apart fromviewing the searched terms these cookies allow editing thehistory and removing previous searches However Yahoo ex-plicitly states that even if past searches are deleted user searchdata is still logged This enables stealthy pollution attacksafter issuing search queries for influencing the personalizationprofile of the user the adversary can then delete all issuedsearches and remove traces of the attack

Yahoo Answers One of the many services offered byYahoo is a popular ldquoquestion and answerrdquo site where userscan ask any type of question and other members of thecommunity can provide answers (albeit sometimes with ques-tionable quality [34]) Users posting questions or answers maychoose to remain anonymous for a given question especiallyif the topic is considered sensitive [35] Upon auditing Yahoowe found that the victimrsquos HTTP cookie allows partial controlover the account the adversary is able to ask or answer ques-tions (either eponymously or anonymously) and also to viewand edit previous questions and answers posted by the vic-tim Thus the adversary can effectively ldquodeanonymizerdquo postsand obtain potentially sensitive information about the victimwhich was posted under the assumption of anonymity Theadversary can also post comments as the victim in the com-ment section of news articles This requires the Y T cookiesfor the yahoocom domain and the answersyahoocomsubdomain

Yahoo Finance Another service offered by Yahoo is relatedto financial news and functionality and also offers tools forusers to manage their personal finances This includes creatingportfolios with their stock information etc The Y and Tcookies for the main domain and finance subdomain allow theattacker to view and edit the victimrsquos portfolio If the victimvisits the finance page the corresponding cookies are exposed

Cookie forging Different cookie combinations provideaccess to specific user information or account functionalityand depending on the subdomain on which the information ishosted the respective cookies for those domains are requiredHowever we can use a cookie acquired from one (sub)domainto craft the same cookie for a different subdomain and gainaccess to the specific information or functionality For exam-ple if the user only visits the main Yahoo homepage duringthe monitoring period the attacker will obtain the Y F Tcookies for yahoocom The attacker can then ldquoforgerdquo thosecookies for the searchyahoocom subdomain using the

corresponding value attributes of the hijacked cookies andsubsequently gain access to the userrsquos search history

D Baidu

Baidu is the leading search engine in the Chinese languageand among the top 5 sites according to Alexa To createan account in Baidu the user is required to register eitherwith a Chinese mobile phone number or just provide anemail address The majority of pages in Baidu are servedover an unencrypted connection As with the other searchengines we tested the HTTP cookie can expose significantprivate information to attackers Apart from the profile pictureand username the userrsquos email address is also revealedFurthermore the userrsquos entire search history can be retrievedand pollution attacks are feasible Finally Baidu Maps allowsusers to save locations similar to Bing Maps and all savedlocations can be obtained through the hijacked HTTP cookie

E E-commerce Websites

Amazon The homepage follows the common approach ofredirecting to HTTPS if connected to over HTTP Howeverproduct pages are served over HTTP and as a result usersrsquocookies will be exposed during their browsing sessions

Personal Information The adversary can obtain the infor-mation used by the victim for logging in this includes thevictimrsquos username email address andor cell phone numberFurthermore when proceeding to checkout items in the cartAmazon also reveals the userrsquos full name and city (used forshipping) Viewing and changing the userrsquos profile picture isalso permitted Amazon also allows users to post their reviewsunder a pseudonym which is not connected to the userrsquos nameHowever the adversary can view the userrsquos reviews (whichmay include sensitive items) thus breaking the pseudonymousnature of those reviews Previous work has demonstrated theprivacy risks of recommender systems and experiments inAmazon indicated that sensitive purchases can be inferredfrom the userrsquos review history [36]

Account History The userrsquos HTTP cookie is sufficientfor accessing private information regarding previous actionsSpecifically the adversary can obtain information regardingrecently viewed items and recommendations that are basedon the userrsquos browsing and purchase history The wish-listswhere the user has added items of interest are also accessibleFurthermore the adversary can obtain information regardingpreviously purchased items either through the recommenda-tion page or through product pages (which depict date ofpurchase) In an extensive study on privacy-related aspects ofonline purchasing behavior [37] users rated the creation of adetailed profile from their purchase history and other personalinformation as one of the most troubling scenarios

Shopping Cart The userrsquos cart is also accessible andthe adversary can see the items currently in the userrsquos cartAdditionally the cart can be modified and existing items canbe removed and other items can be added

Vendor-assisted spam We also found that the cookie ex-poses functionality that can be leveraged for deploying spam

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

TABLE IIIBROWSER BEHAVIOR FOR USER INPUT IN ADDRESS BAR

Browser Connect over HTTP

Desktop

Chrome (v 45) 3Firefox (v 41) 3Safari (v 80) 3Internet Explorer (v 11) 3Opera (v 32) 3

Mobile

Safari (iOS 9) 3Chrome (v46 Android 511) 7 (conditionally)

user input googlecom wwwgooglecom

()googlecom iff using SSL must use an acceptablecertificate

name googlecom include_subdomains truepins google

Now we force HTTPS for subtrees of googlecom name mailgooglecom include_subdomains true

mode force-https pins google

Listing 1 Subset of rules in Chromersquos HSTS-preload file

in Table III for straightforward user input popular browserswill connect to googlecom over HTTP Due to the auto-complete feature of certain browsers (eg Firefox) even if thevictim only types ldquogooglerdquo the auto-complete mechanismwill add ldquocomrdquo and the browser will again connect overHTTP Therefore under common browsing patterns the exist-ing design will expose a userrsquos cookie when visiting the mainsearch engine Interestingly while the default iOS browser(Safari) exhibits the same behavior Chrome on Android willconnect to Google over HTTPS to securely prefetch pageresources However if users turn this option off to improveperformance2 Android Chrome will also connect over HTTP

HSTS preloading As described in Section II majorbrowsers employ pre-loading lists for HSTS As can be seenin Listing 1 the preloaded HSTS policy for Chrome doesnot actually force the browser to connect to googlecomover HTTPS It does however employ certificate pinning itrequires an acceptable certificate if the browser is alreadyconnecting over HTTPS This is applied to all local country-based variations of Googlersquos search engine and the main pageitself On the other hand critical Google subdomains supportHSTS preloading and are explicitly forced to connect overHTTPS As a result users that visit the Google search enginethrough the address bar will most likely connect over anunencrypted channel and their cookies will be exposed

Information leakage If the adversary simply visitsgooglecom using the stolen cookie no sensitive informa-tion will be accessible as the browser is redirected to HTTPSHowever if the adversary ldquoforcesrdquo the browser to visit Googleover HTTP sensitive information can be accessed During ourauditing we have identified the following

2httpssupportgooglecomchromeanswer1385029

Personal information Due to the cookie Google considersthe victim logged-in resulting in personal information beingleaked As can be seen in Figure 3(a) we gain access to theuserrsquos name and surname Gmail address and profile picture

Location Google Maps allows users to set their Home andWork addresses for easily obtaining directions tofrom otherdestinations While Google Maps requires HTTPS whichprevents us from acquiring any information if the adver-sary connects to googlecom over HTTP and searches forldquohomerdquo or ldquoworkrdquo the search results will contain a widget ofGoogle Maps revealing the respective address An example canbe seen in Figure 3(b) Accessibility to location informationcan expose the user to physical threats [26] [27]

Browsing history Using the stolen cookie the adversary canstart issuing Google searches for various terms of interest Ifthe search results contain links that the user has previouslyvisited through the search engine Google will reveal howmany times the page has been visited and the date of thelast visit Users can opt-out of historical information beingincluded in their search results however this option is enabledby default If enabled the adversary can search for a varietyof terms and infer sensitive data about the user Figure 3(a)shows an example scenario where the adversary obtains suchinformation Depending on the attackerrsquos goal she couldemploy a precompiled dictionary of sensitive keywords forfinding sensitive web activity or a dictionary of the mostpopular Google search terms for recovering parts of the userrsquosweb visiting history While previous work demonstrated thatunencrypted sessions could enable attackers to reconstructa userrsquos Google search history [4] this is the first to ourknowledge attack that discovers webpages visited by the userthrough Google

Exploiting search optimization Google search may returnresults that have been personalized for the user either byinserting specific entries or changing the rank of specificresults Previous work has demonstrated a methodology formeasuring personalization in Google search results [28] Byadapting this technique the adversary can extract entriesfrom the search results that have been returned based oncharacteristics of the victimrsquos profile

Shopping Using the HTTP googlecom cookie whenvisiting Googlersquos shopping page which runs mainly overHTTP will reveal the userrsquos first and last name Gmail handleGoogle profile It also allows viewing and editing the userrsquosshortlist (items under consideration)

Pollution attacks If the attacker issues search queries usingthe stolen cookies the search terms are treated as if originatingfrom the user and added to the search history This allows theadversary to affect the victimrsquos contextual and persistent searchpersonalization through pollution attacks [29]

Youtube exhibits a strange behavior that we did not comeacross in other services If the victim is logged in the stolencookie does not reveal any information However if the victimis not logged in the cookie that is exposed gives access tothe userrsquos recommended channels and videos which can bechanged through pollution attacks Furthermore information

(a) Profile and History (b) Location

Fig 3 Private information obtainable from userrsquos Google account through HTTP cookie hijacking

about the userrsquos music interests can be used to infer privateattributes [30]

B Bing

According to a recent report [31] Bing handles approxi-mately 204 of the desktop searches originating from theUS Bing is also the default search engine for Siri iPhonersquosvoice-driven assistant as well as all Microsoft-based productsWhen auditing Bing we found that by default all connectionsare served over HTTP ie all searches are sent in clear-textUsers have to explicitly type https in the browserrsquos addressbar to be protected from eavesdropping

Personal information Bing will expose the userrsquos firstname and profile photo The profile photo can be used toobtain more information of the user through face recognitionand publicly available data in other websites [32]

Location If the victim has saved any locations on BingMaps they are also exposed Apart from the work or homeaddresses this may include other locations the user has visitedin the past (eg bars health clinics)

Interest Manager This recently introduced feature allowsusers to select interests from a variety of topics Based on thecategory this can reveal private information including financialassets and political inclination

Search and browsing history Once the adversary stealsthe cookie she can retrieve the userrsquos search history includingthose in the images and videos categories Apart from a widgetdisplaying the users most recent and most frequent searchqueries the search history page also reveals the page that theuser visited from each search

Pollution attacks The attacker can also issue search queriesfor conducting a pollution attack and subsequently deletethose entries for stealthiness This will remove any trails ofthe attack and prevent the victim from detecting it

C Yahoo

Depending on the type of browser and whether it isbeing run for the first time visiting yahoocom through theaddress bar will either connect to HTTP and then redirect toHTTPS or maintain the unencrypted connection Howeverlinks in the main Yahoo page are all redirected throughhttphsrdyahoocom Even if the user explicitly

Fig 4 Extracting contact list and sending email from the victimrsquos accountin Yahoo

connects to Yahoo over HTTPS if any link in the homepage isclicked it will connect to that subdomain over an unencryptedconnection Therefore regardless of how the victim connectswe have identified three HTTP cookies (Y F T) that areexposed to eavesdroppers We first describe the informationand functionality that attackers can access and then how weperform a cookie forging attack to remove the requirements forthe user to browse specific subdomains while being monitored

Personal information The Y and T cookies set foryahoocom allow the attacker to obtain the userrsquos first nameThe full last name and email address can also be obtained aswe explain below

Yahoo Mail To facilitate sharing posts with friends articlesin Yahoo contain an ldquoEmail to friendsrdquo button which presentsa popup window in which the adversary can add an arbitrarymessage as shown in Figure 4 Furthermore the Sender fieldhas auto-complete functionality which allows us to obtain thevictimrsquos complete contact list These features combined can beleveraged for deploying effective phishing or spam campaignsThe contactsrsquo emails can be used for acquiring informationabout those users from other services and deploying person-alized spam campaigns [33] The widget also contains theuserrsquos full name and email address Extracting the contactsrequires all three cookies set for the main domain while send-ing the email requires them for the newsyahoocom or

the financeyahoocom subdomain depending on whichsection the article is located in

If the user hovers over or clicks on the mail notificationbutton the attacker can also access the incoming mail widgetwhich reveals the Sender and partial Subject (up to 21characters) of the 8 most recent incoming emails This is dueto a cookie being attributed an ldquoauthenticatedrdquo status Thislasts approximately one hour after which it cannot access thewidget If at any point the user accesses the notification buttonagain the hijacked cookie is re-authorized

Yahoo Search Having acquired the main domain andsearch subdomain Y and T cookies the adversary can gainaccess to the victimrsquos complete search history Apart fromviewing the searched terms these cookies allow editing thehistory and removing previous searches However Yahoo ex-plicitly states that even if past searches are deleted user searchdata is still logged This enables stealthy pollution attacksafter issuing search queries for influencing the personalizationprofile of the user the adversary can then delete all issuedsearches and remove traces of the attack

Yahoo Answers One of the many services offered byYahoo is a popular ldquoquestion and answerrdquo site where userscan ask any type of question and other members of thecommunity can provide answers (albeit sometimes with ques-tionable quality [34]) Users posting questions or answers maychoose to remain anonymous for a given question especiallyif the topic is considered sensitive [35] Upon auditing Yahoowe found that the victimrsquos HTTP cookie allows partial controlover the account the adversary is able to ask or answer ques-tions (either eponymously or anonymously) and also to viewand edit previous questions and answers posted by the vic-tim Thus the adversary can effectively ldquodeanonymizerdquo postsand obtain potentially sensitive information about the victimwhich was posted under the assumption of anonymity Theadversary can also post comments as the victim in the com-ment section of news articles This requires the Y T cookiesfor the yahoocom domain and the answersyahoocomsubdomain

Yahoo Finance Another service offered by Yahoo is relatedto financial news and functionality and also offers tools forusers to manage their personal finances This includes creatingportfolios with their stock information etc The Y and Tcookies for the main domain and finance subdomain allow theattacker to view and edit the victimrsquos portfolio If the victimvisits the finance page the corresponding cookies are exposed

Cookie forging Different cookie combinations provideaccess to specific user information or account functionalityand depending on the subdomain on which the information ishosted the respective cookies for those domains are requiredHowever we can use a cookie acquired from one (sub)domainto craft the same cookie for a different subdomain and gainaccess to the specific information or functionality For exam-ple if the user only visits the main Yahoo homepage duringthe monitoring period the attacker will obtain the Y F Tcookies for yahoocom The attacker can then ldquoforgerdquo thosecookies for the searchyahoocom subdomain using the

corresponding value attributes of the hijacked cookies andsubsequently gain access to the userrsquos search history

D Baidu

Baidu is the leading search engine in the Chinese languageand among the top 5 sites according to Alexa To createan account in Baidu the user is required to register eitherwith a Chinese mobile phone number or just provide anemail address The majority of pages in Baidu are servedover an unencrypted connection As with the other searchengines we tested the HTTP cookie can expose significantprivate information to attackers Apart from the profile pictureand username the userrsquos email address is also revealedFurthermore the userrsquos entire search history can be retrievedand pollution attacks are feasible Finally Baidu Maps allowsusers to save locations similar to Bing Maps and all savedlocations can be obtained through the hijacked HTTP cookie

E E-commerce Websites

Amazon The homepage follows the common approach ofredirecting to HTTPS if connected to over HTTP Howeverproduct pages are served over HTTP and as a result usersrsquocookies will be exposed during their browsing sessions

Personal Information The adversary can obtain the infor-mation used by the victim for logging in this includes thevictimrsquos username email address andor cell phone numberFurthermore when proceeding to checkout items in the cartAmazon also reveals the userrsquos full name and city (used forshipping) Viewing and changing the userrsquos profile picture isalso permitted Amazon also allows users to post their reviewsunder a pseudonym which is not connected to the userrsquos nameHowever the adversary can view the userrsquos reviews (whichmay include sensitive items) thus breaking the pseudonymousnature of those reviews Previous work has demonstrated theprivacy risks of recommender systems and experiments inAmazon indicated that sensitive purchases can be inferredfrom the userrsquos review history [36]

Account History The userrsquos HTTP cookie is sufficientfor accessing private information regarding previous actionsSpecifically the adversary can obtain information regardingrecently viewed items and recommendations that are basedon the userrsquos browsing and purchase history The wish-listswhere the user has added items of interest are also accessibleFurthermore the adversary can obtain information regardingpreviously purchased items either through the recommenda-tion page or through product pages (which depict date ofpurchase) In an extensive study on privacy-related aspects ofonline purchasing behavior [37] users rated the creation of adetailed profile from their purchase history and other personalinformation as one of the most troubling scenarios

Shopping Cart The userrsquos cart is also accessible andthe adversary can see the items currently in the userrsquos cartAdditionally the cart can be modified and existing items canbe removed and other items can be added

Vendor-assisted spam We also found that the cookie ex-poses functionality that can be leveraged for deploying spam

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

(a) Profile and History (b) Location

Fig 3 Private information obtainable from userrsquos Google account through HTTP cookie hijacking

about the userrsquos music interests can be used to infer privateattributes [30]

B Bing

According to a recent report [31] Bing handles approxi-mately 204 of the desktop searches originating from theUS Bing is also the default search engine for Siri iPhonersquosvoice-driven assistant as well as all Microsoft-based productsWhen auditing Bing we found that by default all connectionsare served over HTTP ie all searches are sent in clear-textUsers have to explicitly type https in the browserrsquos addressbar to be protected from eavesdropping

Personal information Bing will expose the userrsquos firstname and profile photo The profile photo can be used toobtain more information of the user through face recognitionand publicly available data in other websites [32]

Location If the victim has saved any locations on BingMaps they are also exposed Apart from the work or homeaddresses this may include other locations the user has visitedin the past (eg bars health clinics)

Interest Manager This recently introduced feature allowsusers to select interests from a variety of topics Based on thecategory this can reveal private information including financialassets and political inclination

Search and browsing history Once the adversary stealsthe cookie she can retrieve the userrsquos search history includingthose in the images and videos categories Apart from a widgetdisplaying the users most recent and most frequent searchqueries the search history page also reveals the page that theuser visited from each search

Pollution attacks The attacker can also issue search queriesfor conducting a pollution attack and subsequently deletethose entries for stealthiness This will remove any trails ofthe attack and prevent the victim from detecting it

C Yahoo

Depending on the type of browser and whether it isbeing run for the first time visiting yahoocom through theaddress bar will either connect to HTTP and then redirect toHTTPS or maintain the unencrypted connection Howeverlinks in the main Yahoo page are all redirected throughhttphsrdyahoocom Even if the user explicitly

Fig 4 Extracting contact list and sending email from the victimrsquos accountin Yahoo

connects to Yahoo over HTTPS if any link in the homepage isclicked it will connect to that subdomain over an unencryptedconnection Therefore regardless of how the victim connectswe have identified three HTTP cookies (Y F T) that areexposed to eavesdroppers We first describe the informationand functionality that attackers can access and then how weperform a cookie forging attack to remove the requirements forthe user to browse specific subdomains while being monitored

Personal information The Y and T cookies set foryahoocom allow the attacker to obtain the userrsquos first nameThe full last name and email address can also be obtained aswe explain below

Yahoo Mail To facilitate sharing posts with friends articlesin Yahoo contain an ldquoEmail to friendsrdquo button which presentsa popup window in which the adversary can add an arbitrarymessage as shown in Figure 4 Furthermore the Sender fieldhas auto-complete functionality which allows us to obtain thevictimrsquos complete contact list These features combined can beleveraged for deploying effective phishing or spam campaignsThe contactsrsquo emails can be used for acquiring informationabout those users from other services and deploying person-alized spam campaigns [33] The widget also contains theuserrsquos full name and email address Extracting the contactsrequires all three cookies set for the main domain while send-ing the email requires them for the newsyahoocom or

the financeyahoocom subdomain depending on whichsection the article is located in

If the user hovers over or clicks on the mail notificationbutton the attacker can also access the incoming mail widgetwhich reveals the Sender and partial Subject (up to 21characters) of the 8 most recent incoming emails This is dueto a cookie being attributed an ldquoauthenticatedrdquo status Thislasts approximately one hour after which it cannot access thewidget If at any point the user accesses the notification buttonagain the hijacked cookie is re-authorized

Yahoo Search Having acquired the main domain andsearch subdomain Y and T cookies the adversary can gainaccess to the victimrsquos complete search history Apart fromviewing the searched terms these cookies allow editing thehistory and removing previous searches However Yahoo ex-plicitly states that even if past searches are deleted user searchdata is still logged This enables stealthy pollution attacksafter issuing search queries for influencing the personalizationprofile of the user the adversary can then delete all issuedsearches and remove traces of the attack

Yahoo Answers One of the many services offered byYahoo is a popular ldquoquestion and answerrdquo site where userscan ask any type of question and other members of thecommunity can provide answers (albeit sometimes with ques-tionable quality [34]) Users posting questions or answers maychoose to remain anonymous for a given question especiallyif the topic is considered sensitive [35] Upon auditing Yahoowe found that the victimrsquos HTTP cookie allows partial controlover the account the adversary is able to ask or answer ques-tions (either eponymously or anonymously) and also to viewand edit previous questions and answers posted by the vic-tim Thus the adversary can effectively ldquodeanonymizerdquo postsand obtain potentially sensitive information about the victimwhich was posted under the assumption of anonymity Theadversary can also post comments as the victim in the com-ment section of news articles This requires the Y T cookiesfor the yahoocom domain and the answersyahoocomsubdomain

Yahoo Finance Another service offered by Yahoo is relatedto financial news and functionality and also offers tools forusers to manage their personal finances This includes creatingportfolios with their stock information etc The Y and Tcookies for the main domain and finance subdomain allow theattacker to view and edit the victimrsquos portfolio If the victimvisits the finance page the corresponding cookies are exposed

Cookie forging Different cookie combinations provideaccess to specific user information or account functionalityand depending on the subdomain on which the information ishosted the respective cookies for those domains are requiredHowever we can use a cookie acquired from one (sub)domainto craft the same cookie for a different subdomain and gainaccess to the specific information or functionality For exam-ple if the user only visits the main Yahoo homepage duringthe monitoring period the attacker will obtain the Y F Tcookies for yahoocom The attacker can then ldquoforgerdquo thosecookies for the searchyahoocom subdomain using the

corresponding value attributes of the hijacked cookies andsubsequently gain access to the userrsquos search history

D Baidu

Baidu is the leading search engine in the Chinese languageand among the top 5 sites according to Alexa To createan account in Baidu the user is required to register eitherwith a Chinese mobile phone number or just provide anemail address The majority of pages in Baidu are servedover an unencrypted connection As with the other searchengines we tested the HTTP cookie can expose significantprivate information to attackers Apart from the profile pictureand username the userrsquos email address is also revealedFurthermore the userrsquos entire search history can be retrievedand pollution attacks are feasible Finally Baidu Maps allowsusers to save locations similar to Bing Maps and all savedlocations can be obtained through the hijacked HTTP cookie

E E-commerce Websites

Amazon The homepage follows the common approach ofredirecting to HTTPS if connected to over HTTP Howeverproduct pages are served over HTTP and as a result usersrsquocookies will be exposed during their browsing sessions

Personal Information The adversary can obtain the infor-mation used by the victim for logging in this includes thevictimrsquos username email address andor cell phone numberFurthermore when proceeding to checkout items in the cartAmazon also reveals the userrsquos full name and city (used forshipping) Viewing and changing the userrsquos profile picture isalso permitted Amazon also allows users to post their reviewsunder a pseudonym which is not connected to the userrsquos nameHowever the adversary can view the userrsquos reviews (whichmay include sensitive items) thus breaking the pseudonymousnature of those reviews Previous work has demonstrated theprivacy risks of recommender systems and experiments inAmazon indicated that sensitive purchases can be inferredfrom the userrsquos review history [36]

Account History The userrsquos HTTP cookie is sufficientfor accessing private information regarding previous actionsSpecifically the adversary can obtain information regardingrecently viewed items and recommendations that are basedon the userrsquos browsing and purchase history The wish-listswhere the user has added items of interest are also accessibleFurthermore the adversary can obtain information regardingpreviously purchased items either through the recommenda-tion page or through product pages (which depict date ofpurchase) In an extensive study on privacy-related aspects ofonline purchasing behavior [37] users rated the creation of adetailed profile from their purchase history and other personalinformation as one of the most troubling scenarios

Shopping Cart The userrsquos cart is also accessible andthe adversary can see the items currently in the userrsquos cartAdditionally the cart can be modified and existing items canbe removed and other items can be added

Vendor-assisted spam We also found that the cookie ex-poses functionality that can be leveraged for deploying spam

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

the financeyahoocom subdomain depending on whichsection the article is located in

If the user hovers over or clicks on the mail notificationbutton the attacker can also access the incoming mail widgetwhich reveals the Sender and partial Subject (up to 21characters) of the 8 most recent incoming emails This is dueto a cookie being attributed an ldquoauthenticatedrdquo status Thislasts approximately one hour after which it cannot access thewidget If at any point the user accesses the notification buttonagain the hijacked cookie is re-authorized

Yahoo Search Having acquired the main domain andsearch subdomain Y and T cookies the adversary can gainaccess to the victimrsquos complete search history Apart fromviewing the searched terms these cookies allow editing thehistory and removing previous searches However Yahoo ex-plicitly states that even if past searches are deleted user searchdata is still logged This enables stealthy pollution attacksafter issuing search queries for influencing the personalizationprofile of the user the adversary can then delete all issuedsearches and remove traces of the attack

Yahoo Answers One of the many services offered byYahoo is a popular ldquoquestion and answerrdquo site where userscan ask any type of question and other members of thecommunity can provide answers (albeit sometimes with ques-tionable quality [34]) Users posting questions or answers maychoose to remain anonymous for a given question especiallyif the topic is considered sensitive [35] Upon auditing Yahoowe found that the victimrsquos HTTP cookie allows partial controlover the account the adversary is able to ask or answer ques-tions (either eponymously or anonymously) and also to viewand edit previous questions and answers posted by the vic-tim Thus the adversary can effectively ldquodeanonymizerdquo postsand obtain potentially sensitive information about the victimwhich was posted under the assumption of anonymity Theadversary can also post comments as the victim in the com-ment section of news articles This requires the Y T cookiesfor the yahoocom domain and the answersyahoocomsubdomain

Yahoo Finance Another service offered by Yahoo is relatedto financial news and functionality and also offers tools forusers to manage their personal finances This includes creatingportfolios with their stock information etc The Y and Tcookies for the main domain and finance subdomain allow theattacker to view and edit the victimrsquos portfolio If the victimvisits the finance page the corresponding cookies are exposed

Cookie forging Different cookie combinations provideaccess to specific user information or account functionalityand depending on the subdomain on which the information ishosted the respective cookies for those domains are requiredHowever we can use a cookie acquired from one (sub)domainto craft the same cookie for a different subdomain and gainaccess to the specific information or functionality For exam-ple if the user only visits the main Yahoo homepage duringthe monitoring period the attacker will obtain the Y F Tcookies for yahoocom The attacker can then ldquoforgerdquo thosecookies for the searchyahoocom subdomain using the

corresponding value attributes of the hijacked cookies andsubsequently gain access to the userrsquos search history

D Baidu

Baidu is the leading search engine in the Chinese languageand among the top 5 sites according to Alexa To createan account in Baidu the user is required to register eitherwith a Chinese mobile phone number or just provide anemail address The majority of pages in Baidu are servedover an unencrypted connection As with the other searchengines we tested the HTTP cookie can expose significantprivate information to attackers Apart from the profile pictureand username the userrsquos email address is also revealedFurthermore the userrsquos entire search history can be retrievedand pollution attacks are feasible Finally Baidu Maps allowsusers to save locations similar to Bing Maps and all savedlocations can be obtained through the hijacked HTTP cookie

E E-commerce Websites

Amazon The homepage follows the common approach ofredirecting to HTTPS if connected to over HTTP Howeverproduct pages are served over HTTP and as a result usersrsquocookies will be exposed during their browsing sessions

Personal Information The adversary can obtain the infor-mation used by the victim for logging in this includes thevictimrsquos username email address andor cell phone numberFurthermore when proceeding to checkout items in the cartAmazon also reveals the userrsquos full name and city (used forshipping) Viewing and changing the userrsquos profile picture isalso permitted Amazon also allows users to post their reviewsunder a pseudonym which is not connected to the userrsquos nameHowever the adversary can view the userrsquos reviews (whichmay include sensitive items) thus breaking the pseudonymousnature of those reviews Previous work has demonstrated theprivacy risks of recommender systems and experiments inAmazon indicated that sensitive purchases can be inferredfrom the userrsquos review history [36]

Account History The userrsquos HTTP cookie is sufficientfor accessing private information regarding previous actionsSpecifically the adversary can obtain information regardingrecently viewed items and recommendations that are basedon the userrsquos browsing and purchase history The wish-listswhere the user has added items of interest are also accessibleFurthermore the adversary can obtain information regardingpreviously purchased items either through the recommenda-tion page or through product pages (which depict date ofpurchase) In an extensive study on privacy-related aspects ofonline purchasing behavior [37] users rated the creation of adetailed profile from their purchase history and other personalinformation as one of the most troubling scenarios

Shopping Cart The userrsquos cart is also accessible andthe adversary can see the items currently in the userrsquos cartAdditionally the cart can be modified and existing items canbe removed and other items can be added

Vendor-assisted spam We also found that the cookie ex-poses functionality that can be leveraged for deploying spam

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

campaigns to promote specific items that are presented asldquoendorsedrdquo by the victim The widget has an auto-completefeature that reveals the contacts that the user has emailed inthe past The attacker can either send emails about a specificitem or a wish-list and can add text in the emailrsquos bodyURLs can be included while the email is sent as simpletext email providers such as Gmail render it as a click-able link Since the emails are actually sent by Amazon(no-replyamazoncom) they are most likely to passany spam detection heuristics Furthermore the From fieldcontains the victimrsquos username further strengthening the per-sonalized nature of the spamphishing email

Extortion scams Previous work has revealed how scammersextorted money from users through One Click Fraud scamsby threatening to reveal ldquoembarrassingrdquo details about theusersrsquo online activities [38] In a similar vein the attackercan employ two different scam scenarios In the first case ifthe attacker identifies potentially embarrassing item(s) in theuserrsquos viewing or purchase history she can send an email tothe user disclosing knowledge about the item(s) and otherpersonal information obtained about the user and requestmoney to not share that information with the userrsquos contacts(even if no contact information has been collected) In thesecond scenario the attacker can send an email blackmailingthe user to pay money otherwise she will send an email tothe victimrsquos friends and family with information about his cartthat is full of embarrassing items Subsequently the attackerwill add such items to the userrsquos cart or wishlist and sendthe corresponding email through Amazon to the victimrsquos ownemail address as proof of her capabilities

Walmart Apart from the information exposed in thewebsite the cookiersquos value attribute contains 34 fields ofinformation about the user and his account (see Appendix A)

F News Media

Information acquired from media outlets can reveal charac-teristics and traits of the user (eg political inclination) anddemographic information [39] We audited the websites of sev-eral of the most popular print or broadcast news organizations(see Appendix A)

G Indirect Information Exposure - Ad Networks

We explore the impact of hijacking ad network cookies On-line ads account for a significant portion of website real estateand their ubiquitous nature has been discussed extensively inthe context of user tracking (eg [40] [41]) Here we focuson Doubleclick which is owned by Google as it is the mostprevalent advertising network with a presence on 80 of thewebsites that provide advertisements [42] As opposed to mostof the previous services where the user had to explicitly visitthe website3 the cookies of an ad network can be exposedby visiting any of a large number of websites that display adsfrom the respective network While the symbiotic nature ofservice providers and data aggregators is complicated the ads

3We found a popular e-commerce homepage that issues a Google searchrequest over HTTP exposing the userrsquos cookies

presented while browsing with stolen user cookies from adnetworks can be used to infer sensitive information

An interesting aspect of hijacking ad-network cookies is thatthey result in side-channel information leakage We describetwo scenarios which leak different types of information

Attack scenario 1 Consider a scenario where user U has anaccount on the social networking service X and has disclosedvarious pieces of personal information in the profile Let usalso consider that U is knowledgeable and has correctly setprivacy settings to restrict public visibility of that informa-tion and X has gone to great lengths to protect users frominformation leakage and also enforces ubiquitous encryptionacross the website including connections to third parties (egwhen fetching ads) However website X offers personalizedadvertising and ad network A has obtained personal informa-tion of U by setting different selection criteria over time andidentifying U across websites through an HTTP cookie Nowlets consider that while being monitored by the attacker Ubrowses a completely unrelated website Y which serves adsby ad network A and does not enforce encrypted connectionsEven though U does not have an account on Y the browsersends the HTTP cookie for A which can be used to identify Uand return an ad that is tailored to match information disclosedby U in the original website X The attacker can hijack theexposed HTTP cookie for A and receive ads tailored forU Based on the content of these ads the attacker can inferpersonal information of U

Attack scenario 2 User U is browsing through an e-commerce site E which uses the ad network A to advertise itsproducts in other websites U searches for items that belongto a specific category C and after the site returns a list ofrelevant products U clicks on a link and views the page ofproduct P A short time later the attacker visits an unrelatedwebsite that is known to show various ads and appends Ursquosstolen HTTP cookie for the ad network A The attacker is thenpresented with several ads relevant to Ursquos browsing historySome are more generic and expose information about Ursquosgender while others explicitly refer to category C and evendepict the specific item P

Information leakage We conducted a small number ofmanual experiments for identifying cases of personal informa-tion being leaked by Doubleclick Previous work has shownthat ads presented to users may be personalized based onthe userrsquos profile characteristics [43] associated to sensitivetopics [44] [45] (eg substance abuse health issues sexualinclination) and that advertisers can even obtain private userinformation not explicitly provided by the service [46]

Here we describe one of our experiments for scenario 2 Webrowsed maternity clothes on a popular e-commerce websiteand visited the page of a few returned products We thenbrowsed other sites from a different machine connected to adifferent subnet and appended the Doubleclick HTTP cookiefrom the previous browsing session We were presented withads from the e-commerce website advertising womenrsquos cloth-ing Several ads even advertised a specific maternity productwhose page we had visited (see screenshots in Appendix A)

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

TABLE IVCOOKIE EXPOSURE BY POPULAR BROWSER EXTENSIONS AND APPS

Name Type Browser Cookie leaked

Google Maps app Chrome NA 3Google Search app Chrome NA 3Google News app Chrome 10M 3

Amazon Assistant extension Chrome 11M 3Bing Rewards extension Chrome 74K 3eBay for Chrome extension Chrome 325K 3Google Dictionary extension Chrome 27M 3Google Hangouts extension Chrome 64M 7Google Image Search extension Chrome 10M 7Google Mail Checker extension Chrome 42M 7Google Translate extension Chrome 55M 7Yahoo Mail Notification extension Chrome 12M 7

Amazon default search bar Firefox NA 3Bing default search bar Firefox NA 7Ebay default search bar Firefox NA 3Google default search bar Firefox NA 7Yahoo default search bar Firefox NA 7

Amazon 1Button extension Firefox 157K 3Bing Search extension (unofficial) Firefox 28K 3eBay Sidebar extension Firefox 36K 3Google Image Search extension Firefox 48K 3Google Translator extension (unofficial) Firefox 794K 3Yahoo Toolbar extension Firefox 31K 3

Depending on the time lapsed between the user browsingthe e-commerce site and the attacker browsing with hijackedcookies there is a decrease in the frequency of ads that containthe viewed product However we found that even after severalhours we received ads that continued to promote the exactproduct and womenrsquos clothing ads even after several days

IV COLLATERAL COOKIE EXPOSURE

In this section we explore other means by which a userrsquosHTTP cookies may be exposed

A Browser Components

According to a manifest file analysis of over 30K Chromeextensions [47] a higher number of extensions requestedpermission for connecting to Google over HTTP compared toHTTPS The same was true for wildcarded (http)permission requests This indicates that a considerable numberof extensions may be weakening security by connecting overunencrypted connections to websites that also support en-crypted connections To that end we explore whether browsercomponents expose users to cookie hijacking attacks

We analyze a selection of the most popular browser com-ponents for Chrome and Firefox that have been released bymajor vendors we have audited Our aim is not to conduct anexhaustive evaluation but to obtain an understanding of theimplementation practices for browser components and assertwhether they also suffer from a limited use of encryptionWhile we experiment with a relatively small number ofcomponents we consider any discovered exposure indicativeof general practices as official extensions from major vendorsare likely to adhere to certain quality standards As Googlehas discontinued the development of extensions for Firefoxwe cannot do a direct cross-browser comparison for most ofits components

TABLE VCOOKIE EXPOSURE BY OFFICIAL MOBILE APPS

Application Platform Version Cookie leaked

Amazon iOS 532 NA 7Amazon iOS 521 NA 3Amazon Android 281015 10-50M 7

Bing Search iOS 57 NA 3Bing Search Android 5525151078 1-5M 3Spotlight (Bing) iOS iOS91 NA conditionallySiri (Bing) iOS iOS91 NA 7

Ebay iOS 410 NA conditionallyEbay Android 41022 100-500M conditionally

Google iOS 90 NA 7Google Android 542819 1B+ 7Gmail iOS 41 NA 7Gmail Android 56103338659 1-5B 7Google Search Bar Android 542819 NA 7

Yahoo Mail iOS 400 NA conditionallyYahoo Mail Android 492 100-500M 7Yahoo News iOS 630 NA 3Yahoo News Android 181015 10-50M 7Yahoo Search iOS 402 NA 7Yahoo Search Android 402 1-5M 7Yahoo Sports iOS 574 NA 3Yahoo Sports Android 563 5-10M 7

Table IV lists the web components we have evaluated theirreported number of downloads if available and if they leak thecookies required for our hijacking attacks Our experimentsyield a number of surprising findings The 3 Chrome appsreleased by Google we tested expose the HTTP cookieswhile their extensions present mixed results with 4 out of 9leaking the cookie As one of those is Google Dictionarywith over 27 million downloads a significant number ofChrome users is vulnerable to considerable risk Every Firefoxextension we tested along with two of the default search barsactually expose the required HTTP cookies over unencryptedconnections Interestingly Googlersquos Search by Image exten-sion is secure for Chrome but not for Firefox As there isno official Bing app for Firefox we test the most popularone and we also audit a popular unofficial Google translatorextension with over 794K users both of which turn out to bevulnerable Overall these findings highlight the privacy threatsthat millions of users face due to browser components

B Mobile Devices

Mobile devices have become ubiquitous and account for alarge part of the time users spend online Due to the quotarestrictions in mobile data plans users frequently connectto public WiFi access points According to Cisco [48] anestimated 45 of mobile traffic is ldquooffloadedrdquo to WiFi con-nections While this is not restricted to public WiFi networksit is indicative of user behavior with a recent survey reportingthat 72 of the participants connect to public WiFi [49] Toexplore the feasibility of our HTTP cookie hijacking attacksagainst users on mobile devices we audited the official iOSand Android apps for the most popular services that we foundto expose private information and account functionality

The overview of our results is shown in Table V It isnoteworthy that Bing differentiates mobile cookies and as a

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

TABLE VIHTTPONLY ATTRIBUTE OF THE COOKIES REQUIRED FOR HIJACKING

ACCOUNTS AND THE FEASIBILITY OF CONDUCTING THE ATTACKS WITHTHE COOKIES THAT ARE OBTAINABLE REMOTELY

Site HttpOnly nonmdashHttpOnlyXSS

Hijacking

Amazon mdash x-main 3

Bing mdash _U WLS 3

Baidu mdash BDUSS 3

CNN mdash CNNid authid 3

Doubleclick mdash id 3

Ebay mdash cid nonsession 3

Google HSID SID 7

Guardian mdash GU_U 3

HuffingtonPost huffpost_shuffpost_user

7huffpost_user_idlast_login_username

MSN MSNRPSAuth mdash 7

New York Times mdash NYT-S 7

Target mdashWC_PERSISTENT

3guestDisplayNameUserLocation

Walmart mdash customer CID 3

Yahoo F T Y partial

Youtube VISITOR_INFO1_LIVE mdash 7

result hijacked mobile cookies expose the search and clickhistory that has been conducted only over the mobile devicethe remaining personal information presented in Section III-Bis still obtainable Spotlight the system-wide search featureof iOS is also powered by Bing When the user issues asearch query Spotlight connects over HTTPS to Apple serversHowever the search results contain a ldquoShow more in Bingrdquobutton and if clicked will open the browser showing thesearch results and leak the userrsquos HTTP Bing cookie For Sirithe voice-guided assistant the Bing results are opened in thebrowser over HTTPS preventing cookie hijacking Once againYahoo follows poor security practices as 3 out of 4 iOS appsleak the userrsquos cookies As expected both versions of Gmailprotect the cookies while iOS Amazon apps prior to version532 expose the cookie Furthermore both Amazon iOS appscontain cookies that reveal information about the userrsquos deviceand mobile carrier (details in Appendix A) For both platformsthe Ebay app will expose the cookies under certain conditionsFirst Ebay sellers are allowed to customize their item pagesand often add links to other items they are selling if theseller has added an HTTP Ebay link to those items the cookiewill be exposed if a link is clicked by the user Empiricallywe found that that these HTTP links are common The otherscenario is if the user clicks on the ldquoCustomer Supportrdquo menu

C Active Attacks

Remote hijacking We analyze the cookies of each servicein depth and identify what information the attacker can obtainremotely eg by stealing the userrsquos cookies through an XSS

attack While the HttpOnly attribute can prevent attackersfrom remotely obtaining cookies through browser scripts ourfindings reveal limited adoption indicating that the situationhas not improved in recent years [19]

As can be seen in Table VI websites with multiple cookiesnever set the attribute for all Most websites set the attributefor some cookies but allow other cookies to be accessed byscripts Furthermore Amazon and Target have the HttpOnlyattribute set to false for all their cookies Surprisingly666 of the websites that are vulnerable to our cookie hi-jacking attacks also expose users to remote cookie hijackingFor Yahoo while we cannot access all the information andaccount functionality described previously several instancesremain possible (eg search history username etc) Eventhough the attack cannot be done for Huffington Post as thehuffpost_s cookie has the flag set the remaining cookiesstill expose the userrsquos username and email address

V DEANONYMIZATION RISK FOR TOR USERS

In this section we investigate if more privacy-conscioususers are protected against our presented cookie hijackingattacks Specifically we explore how users employing theTor bundle (Tor Browser with pre-installed extensions) canbe deanonymized by adversaries In this case we consider avariation of the threat model from the previous sections theadversary monitors Tor exit nodes instead of public wirelessaccess points We do not consider content-injection or activeattacks such as SSL stripping [10] for weakening protection

A Experimental Analysis

We repeat our experiments from Section III on a subset ofthe audited websites To understand the protection that privacy-conscious users can obtain we experiment with three differentclient-side setups In the first case we simulate a user that usesFirefox and connects over the Tor network [50] for increasedprotection The second user is more well-informed and hasinstalled the HTTPS Everywhere browser extension for betterprotection The final case is of a user that has selected thedefault configuration of the Tor bundle which includes the TorBrowser (a modified Firefox) and other extensions (includingHTTPS Everywhere)

HTTPS Everywhere This browser extension [51] is theresult of collaboration between EFF and the Tor Project Theextension contains per domain rule-sets for a large number ofdomains4 which instruct the re-writing of links within pages toforce encrypted connections However websites may containpages or subdomains whose functionality breaks over HTTPSFor those cases each websitersquos rule-set will contain exceptionsfor identifying links pointing to problematic pages which arenot overwritten and are connected to over HTTP The rule-sets are created and maintained by the community whichrequires a significant amount of manual effort and can result inincomplete rules Certain sites (eg doubleclicknet ebaycom)are turned off by default as their functionality breaks if turned

4httpswwwefforghttps-everywhereatlas

TABLE VIIEXAMPLES OF URLS AND SUBDOMAINS OF POPULAR SERVICES THAT EXPOSE TOR USERSrsquo COOKIES FOR DIFFERENT BROWSER CONFIGURATIONS

Browser Configuration Google Bing Yahoo Amazon Ebaydomain subdomains domain subdomains domain subdomains domain domain

Firefox 3 3 3 3 3 3 3 3

Firefox + HTTPS Everywhere error404 page translategooglecom7

m2cnbingcom7 3 3 3

googlecomservice picasagooglecom blogsbingcom

Tor Bundle error404 page translategooglecom7

m2cnbingcom7 3 3 mdash

googlecomservice picasagooglecom blogsbingcom

service mail maps drive docs talk

TABLE VIIIACCOUNTS FROM OUR PUBLIC WIRELESS TRACE (SECTION II-C) THAT

REMAIN EXPOSED EVEN WITH HTTPS EVERYWHERE INSTALLED

Services Exposed ReductionAccounts

Google 31729 5312Yahoo 5320 4355Baidu 4858 463Bing 378 3803Amazon 22040 568Ebay 1685 0Target 46 0Walmart 97 2362NYTimes 15190 0Guardian 343 029Huffington 42 0MSN 927 3925Doubleclick 124352 0Youtube 264 9921

Total 207271 2662

on Therefore user accounts are likely to be exposed even withthis extension in place since a single HTTP request is enough

Table VII contains the results of our experiments In thefirst case where the user browses through Firefox and onlyemploys Tor the user remains vulnerable to the full extent ofthe attacks described in Section III (denoted by 3) This isexpected as Tor is not designed to prevent this class of attacksIn the second and third cases where HTTPS Everywhere is alsoinstalled we discover a varying degree of effectiveness

For Google the attack surface is significantly reducedas users visiting the main domain through the address barare protected As this is a common usage scenario (if notthe most common) a significant number of users may beprotected in practice However the extensionrsquos rule-set doesnot cover several cases such as when the user visits one ofGooglersquos services through the address bar (eg by typinggooglecommaps) or when receiving Googlersquos Error404 page For Bing the attack surface is also significantlyreduced but users can still be exposed eg by a subdomainthat hosts the search engine but does not work over HTTPSFor cases such as Amazon and Yahoo the protection offeredby the extension is ineffective against our attacks as browsingthe website will expose the required cookies In Amazonany product page will reveal the required cookie while inYahoo we always receive the cookies required from the linkson the homepage redirecting through hsrdyahoocom

While for Ebay our attacks remain effective when we useFirefox we could not complete the experiment with the Torbrowser as any login attempts simply redirect to the login pagewithout any error message (probably due to incompatibilitywith an extension) For the cases where the attack is stillfeasible Table VII does not present an exhaustive list ofvulnerable points but an indicative selection of those we haveexperimented with In practice any URL that is handled bythe exceptions in each websitersquos rule-set can potentially exposethe HTTP cookies

Quantifying impact To simulate the potential impact ofHTTPS Everywhere we use the network trace collected fromour campusrsquo public WiFi and calculate the number of accountsthat would remain exposed due to URLs not handled byHTTPS Everywhere rule-sets (version 510) We found thatover 7757 of all the collected HTTP traffic would remainover HTTP even if HTTPS Everywhere was installed in everyusersrsquo browser Due to those connections 207271 accountsremain exposed to our cookie hijacking attacks Table VIIIbreaks down the numbers per targeted service The largest im-pact is seen in Youtube where less than 1 of the users remainexposed while Ebay Doubleclick and numerous news sites arenot impacted at all Surprisingly even though Googlersquos mainpage is protected over 46 of the users remain exposed whenvisiting a Google service For the remaining search enginesthe impact has a varying degree with over 95 of the Baiduusers remaining susceptible to cookie hijacking

While the Tor bundle offers significant protection againsta variety of attacks its effectiveness in mitigating cookiehijacking attacks varies greatly depending on each websitersquosimplementation Even with all protection mechanisms enabledusers still face the risk of deanonymization when visitingpopular sites Therefore the threat they face greatly dependson their browsing behavior which we try to evaluate next

B Evaluating Potential Risk

We want to explore whether privacy-conscious users actu-ally visit these major websites over the Tor network or if theyavoid them due to the lack of ubiquitous encryption

Ethics Again we obtained IRB approval for our ex-periments However due to our ethical considerations forthe Tor users (as they are not members of our universitynor connecting to our public wireless network) we do notreplicate the data collection we followed in our experiment

10000

100000

1x106

01 08 15 22 29

comC

onnections (

log)

Day

HTTPHTTPS

1000

10000

100000

01 08 15 22 29

googlecom

Day

HTTPHTTPS

10

100

1000

10000

100000

01 08 15 22 29

amazoncom

Day

HTTPHTTPS

10

100

1000

10000

100000

01 08 15 22 29

bingcom

Day

HTTPHTTPS

100

1000

10000

01 08 15 22 29

yahoocom

Day

HTTPHTTPS

1

10

100

1000

10000

01 08 15 22 29

baiducom

Connections (

log)

Day

HTTPHTTPS

1

10

100

1000

01 08 15 22 29

ebaycom

Day

HTTPHTTPS

1

10

100

1000

01 08 15 22 29

walmartcom

Day

HTTPHTTPS

Fig 5 Number of encrypted and unencrypted connections per day as seen from a freshly-deployed Tor exit node

from Section II-C We opt for a coarse-grained non-invasivemeasurement and only count the total connections towards thewebsites we audited in Section III using the port number todifferentiate between HTTP and HTTPS We do not log otherinformation inspect any part of the content or attempt todeanonymize any users Furthermore all data was deletedafter calculating the number of connections Since we donot look at the name of the cookies sent in the HTTPconnections we cannot accurately estimate the number ofusers that are susceptible to cookie hijacking attacks Ourgoal is to obtain a rough approximation of the number andrespective ratio of encrypted and unencrypted connections tothese popular websites Based on the measurements from ouruniversityrsquos wireless trace we can deduce the potential extentof the deanonymization risk that Tor users face We considerthis an acceptable risk-benefit tradeoff as the bulk statisticswe collect do not endanger users in any way and we caninform the Tor community of a potentially significant threatthey might already be facing This will allow them to seekcountermeasures for protecting their users

Tor exit node The number of outgoing connections weremeasured over 1 month on a fresh exit node with a defaultreduced exit policy5 and bandwidth limited to 300 KBs

Measurements Figure 5 presents the number of totalconnections and broken down for some services The numberof connections over HTTP account for 754 of all theconnections we saw with an average of 10152 HTTP and3300 HTTPS connections per hour While non-HTTP trafficmay be contained within the total connections we do not dis-tinguish it as that would require a more invasive approach Formost of the services the unencrypted connections completelydominate the outgoing traffic to the respective domains On theother hand for Google we observe an average of 508 HTTPconnections per hour as opposed to 705 HTTPS connectionsSimilarly we logged 23 unencrypted connections to Yahoo perhour and 36 encrypted connections We do not consider the

5httpstractorprojectorgprojectstorwikidocReducedExitPolicy

Doubleclick side channel leakage attack for Tor as the doublekey session cookies employed by the Tor browser affect thirdparty cookies and their ability to track users across domains

Susceptible population We see that there is a significantamount of HTTP traffic exiting Tor and connecting to popularwebsites that expose a vast collection of private user infor-mation While the ratio of unencrypted connections is evenhigher than that of our universityrsquos network possibly fewerusers will be logged in when using Tor More experiencedusers may be aware of the shortcomings of this mechanism andavoid the pages and subdomains that are not protected whenconnecting over untrusted connections Nonetheless we expectthat many users will exhibit normal browsing patterns thusexposing their cookies to attackers Furthermore even thoughwe can not know how many of the users are indeed loggedin and susceptible to cookie hijacking (that would requirelooking at the cookie names) for some websites observingencrypted connections is an almost definitive sign that weare also observing HTTP traffic of logged in users due tofunctionality breaking and the corresponding exceptions in theHTTPS Everywhere rule-sets HTTPS traffic for Amazon andBaidu signifies account-related functionality that requires usersto be logged in (eg Amazon checkout) and is accompaniedby HTTP traffic (Amazon products pages) Thus we believethat a considerable number of Tor users may be facing the riskof deanonymization through hijacked cookies

User bias As this is a newly deployed exit node thepopulation of users connecting to it may be biased towards in-experienced users as more privacy-conscious ones may avoidexiting from such nodes Thus our observed ratio of encryptedconnections or the websites users connect to may presentdifferences to other exit nodes Nonetheless adversaries couldalready own exit nodes with long uptimes or be able tomonitor the outgoing traffic from legitimate exit nodes whichis a common adversarial model for Tor-related research [50]Thus we believe this to be a credible and severe threat to Torusers that want to maintain their anonymity while browsing(popular) websites

10000

100000

1x106

01 08 15 22 29

comC

onnections (

log)

Day

HTTPHTTPS

1000

10000

100000

01 08 15 22 29

googlecom

Day

HTTPHTTPS

10

100

1000

10000

100000

01 08 15 22 29

amazoncom

Day

HTTPHTTPS

10

100

1000

10000

100000

01 08 15 22 29

bingcom

Day

HTTPHTTPS

100

1000

10000

01 08 15 22 29

yahoocom

Day

HTTPHTTPS

1

10

100

1000

10000

01 08 15 22 29

baiducom

Connections (

log)

Day

HTTPHTTPS

1

10

100

1000

01 08 15 22 29

ebaycom

Day

HTTPHTTPS

1

10

100

1000

01 08 15 22 29

walmartcom

Day

HTTPHTTPS

Fig 5 Number of encrypted and unencrypted connections per day as seen from a freshly-deployed Tor exit node

from Section II-C We opt for a coarse-grained non-invasivemeasurement and only count the total connections towards thewebsites we audited in Section III using the port number todifferentiate between HTTP and HTTPS We do not log otherinformation inspect any part of the content or attempt todeanonymize any users Furthermore all data was deletedafter calculating the number of connections Since we donot look at the name of the cookies sent in the HTTPconnections we cannot accurately estimate the number ofusers that are susceptible to cookie hijacking attacks Ourgoal is to obtain a rough approximation of the number andrespective ratio of encrypted and unencrypted connections tothese popular websites Based on the measurements from ouruniversityrsquos wireless trace we can deduce the potential extentof the deanonymization risk that Tor users face We considerthis an acceptable risk-benefit tradeoff as the bulk statisticswe collect do not endanger users in any way and we caninform the Tor community of a potentially significant threatthey might already be facing This will allow them to seekcountermeasures for protecting their users

Tor exit node The number of outgoing connections weremeasured over 1 month on a fresh exit node with a defaultreduced exit policy5 and bandwidth limited to 300 KBs

Measurements Figure 5 presents the number of totalconnections and broken down for some services The numberof connections over HTTP account for 754 of all theconnections we saw with an average of 10152 HTTP and3300 HTTPS connections per hour While non-HTTP trafficmay be contained within the total connections we do not dis-tinguish it as that would require a more invasive approach Formost of the services the unencrypted connections completelydominate the outgoing traffic to the respective domains On theother hand for Google we observe an average of 508 HTTPconnections per hour as opposed to 705 HTTPS connectionsSimilarly we logged 23 unencrypted connections to Yahoo perhour and 36 encrypted connections We do not consider the

5httpstractorprojectorgprojectstorwikidocReducedExitPolicy

Doubleclick side channel leakage attack for Tor as the doublekey session cookies employed by the Tor browser affect thirdparty cookies and their ability to track users across domains

Susceptible population We see that there is a significantamount of HTTP traffic exiting Tor and connecting to popularwebsites that expose a vast collection of private user infor-mation While the ratio of unencrypted connections is evenhigher than that of our universityrsquos network possibly fewerusers will be logged in when using Tor More experiencedusers may be aware of the shortcomings of this mechanism andavoid the pages and subdomains that are not protected whenconnecting over untrusted connections Nonetheless we expectthat many users will exhibit normal browsing patterns thusexposing their cookies to attackers Furthermore even thoughwe can not know how many of the users are indeed loggedin and susceptible to cookie hijacking (that would requirelooking at the cookie names) for some websites observingencrypted connections is an almost definitive sign that weare also observing HTTP traffic of logged in users due tofunctionality breaking and the corresponding exceptions in theHTTPS Everywhere rule-sets HTTPS traffic for Amazon andBaidu signifies account-related functionality that requires usersto be logged in (eg Amazon checkout) and is accompaniedby HTTP traffic (Amazon products pages) Thus we believethat a considerable number of Tor users may be facing the riskof deanonymization through hijacked cookies

User bias As this is a newly deployed exit node thepopulation of users connecting to it may be biased towards in-experienced users as more privacy-conscious ones may avoidexiting from such nodes Thus our observed ratio of encryptedconnections or the websites users connect to may presentdifferences to other exit nodes Nonetheless adversaries couldalready own exit nodes with long uptimes or be able tomonitor the outgoing traffic from legitimate exit nodes whichis a common adversarial model for Tor-related research [50]Thus we believe this to be a credible and severe threat to Torusers that want to maintain their anonymity while browsing(popular) websites

VI COUNTERMEASURES AND DISCUSSION

Our work focuses on highlighting the privacy ramificationsof HTTP cookie hijacking attacks and we have demonstratedthe gravity and pervasiveness of sensitive information beingexposed by high-profile services We discuss potential causesfor the current vulnerable state of major websites and howexisting security mechanisms fare in practice While the de-fenses for preventing these attacks are known and seeminglystraightforward our experiments demonstrate that even themost popular and resourceful websites succumb to design andimplementation flaws

Partial encryption and personalization Due to thecomplexity in implementing large-scale web services andalso defining precise access privileges for multiple (inter-dependent) cookies for different subdomains web developersare prone to errors such as the incomplete separation ofaccess control for unauthenticated cookies In turn this allowspassive eavesdroppers that hijack HTTP cookies to obtainsensitive information While we tested certain websites wherepartial encryption did not result in privacy leakage none ofthose services offered a personalized version of the service toHTTP cookies This indicates the conflicting nature of offeringpersonalization while aiming to maintain ease-of-use by notrequiring re-authentication As such we argue that any servicethat supports user accounts and personalizes the experienceshould enforce ubiquitous encryption which would mitigatethe privacy threats we have explored

Cookie Flags By setting the Secure cookie flag toTrue websites can ensure the confidentiality of a cookie byinstructing the browser to only send over encrypted connec-tions However while this can prevent passive eavesdroppersfrom acquiring the cookies it is known that active attackerscan overwrite secure cookies from an insecure channel [52]Therefore the Secure flag as a stand-alone measure cannotfully protect users It should be used in combination withfully deployed HSTS and support for ubiquitous encryptionFurthermore the HttpOnly flag should be set to preventremote cookie hijacking

Security mechanisms We have evaluated the impact ofbrowser-supported security mechanisms on the feasibility ofour attacks Here we discuss our findings about the protectionthese mechanisms offer and their shortcomings

HSTS Recent work presented an extensive study on HSTSand discussed the pitfalls of deploying it in practice reportingthat many developers fail to implement it correctly [11] Inour work we focus on the fact that even if implementedcorrectly partial deployment nullifies the protection it offersand users remain exposed This is particularly apparent whenthe main landing page of a website does not enforce HSTSEven if users are subsequently redirected to HTTPS (as isthe case with Google) the HTTP cookies are exposed duringthe initial connection As it is common for users to directlyvisit popular websites by typing their name in the addressbar which is facilitated by auto-completion functionality thispractice can expose a large number of users to cookie hijacking

attacks Taking into consideration our findings regarding theamount of personal information and account functionality thatunauthenticated cookies can access this is a significant privacyrisk that users face The need for full HSTS deployment hasalso been argued for by others [11] [52]

HTTPS Everywhere Through our experimentation wefound that this browser extension improves user security byminimizing the attack surface and can prevent risks due topartial (or non-existent) deployment of HSTS However it iscrucial to note that even with this extension in place usersare not entirely protected As site functionality can break ifthe server does not support HTTPS for a specific subdomainor page HTTPS Everywhere relies on rule-sets that containexceptions for these cases As such while certain websitesmight be significantly covered other cases still contain aconsiderable number of unprotected pages If users click onthe extensionrsquos notification icon a menu shows informationregarding the current page and if content has been fetched overnon-encrypted connections However users are notoriouslygood at ignoring warnings and their design can significantlyaffect user actions [53] The menu contains an option toblock such connections While this can break the browsingexperience it may be a prudent choice for users that considertheir privacy of paramount importance This could applyto users that rely on systems such as Tor for maintainingtheir anonymity who can be deanonymized as we discuss inSection V Nonetheless this is not the default option and ifthe user visits such a website before enabling the option theHTTP cookies will be exposed Thus enabling this option bydefault and allowing users to opt-out is a safer approach

VPN End users should also consider the use of VPN tech-nology when connecting to untrusted public wireless networksas it reduces the threat of the userrsquos traffic being sniffed [54]

VII ETHICS AND DISCLOSURE

To ensure the ethical nature of our research we provided adetailed description of our data collection and analysis processto Columbia Universityrsquos IRB and obtained approval for bothour experiments with the public wireless network and the Tornetwork Furthermore all captured data was destroyed afterthe end of our evaluation measurements

Disclosing attacks against popular services raises ethicalissues as one might argue adversaries may have previouslylacked the know-how to conduct these attacks However thepracticality of cookie hijacking suggests that such attackscould soon happen in the wild (if not happening already) Tothat end we have already contacted all the audited websitesto disclose our findings in detail We have also contacted Tordevelopers to inform them of the deanonymization threat usersface We believe that by shedding light on this significant pri-vacy threat we can incentivize services to streamline supportfor ubiquitous encryption Furthermore we must alert users ofthe privacy risks they face when connecting to public wirelessnetworks or browsing through Tor and educate them on theextent of protection offered by existing mechanisms

VIII RELATED WORK

Hijacking and other cookie-related issues Zheng etal [52] recently presented an empirical study on the feasibilityof cookie injection attacks While cookies have the Secureflag that can prevent browsers from sending them over un-encrypted connections there is no provision to ensure thatsuch cookies are also set only over HTTPS connections Asa result during an HTTP connection to a domain a man-in-the-middle attacker can inject cookies that will be appendedin future HTTPS connections to that specific domain In theirreal-world assessment of this attack the authors explored howcookie injection could enable attacks such as account and(sub-)session hijacking and cart manipulation in e-commercesites They also identify how browser-specific handling ofcookies can enable attacks Bortz et al [55] had previouslydescribed cookie injection attacks and proposed origin cookiesfor achieving session integrity in web applications

Wang et al [56] identified flaws in popular ID providersof single-sign-on services that allowed attackers to log intoservices as the users Karlof et al [57] introduced pharmingattacks that relied on DNS hijacking and allowed attackers tohijack user sessions Lekies et al [58] leveraged the exemptionof remote scripts included through the HTML script tagfrom the Same-Origin policy for leaking personal informationand in some cases hijacking sessions Barth et al [59]introduced the login CSRF attack where the user is loggedinto a legitimate service as the attacker which can result inthe exposure of sensitive user information

Numerous approaches have been proposed for prevent-ing session hijacking [60]ndash[62] Jackson and Barth pre-sented ForceHTTPS [63] a browser extension for enforcingHTTPS connections This was reformed and standardized asHSTS [12] Kranch and Bonneau [11] performed an extensivestudy on the adoption of HSTS and certificate pinning in thewild They reported a lack of understanding by web developerson the proper use of these mechanisms as they often use themin illogical or invalid ways Selvi [64] demonstrated scenarioswhere an attacker could bypass HSTS protection Bhargavan etal [65] also showed how the HSTS header could be partiallytruncated resulting in the expiration of the HSTS entry withinseconds Singh et al [3] studied the incoherencies of webaccess control and showed that user actions and resourcescould be improperly exposed to web applications

Mayer and Mitchel [40] discussed the policy and technologyissues of third-party web tracking Roesner et al [41] studiedthe behavior of web trackers and found an extensive set oftrackers They also explored the impact of browser mecha-nisms such as cookie blocking and DoNotTrack and foundthat preventing web-tracking from popular social networkwidgets also broke their functionality Sivakorn et al [66]demonstrated how HTTP cookies could be used for influenc-ing Googlersquos advanced risk analysis system and bypassingreCAPTCHA challenges Attackers could use hijacked cookiesin a similar fashion which can bypass even more stringentsafeguards that require extensive browsing history

Privacy leakage Krishnamurthy and Willis explored onlinesocial networks and the leakage of usersrsquo personally identifi-able information (PII) in HTTP headers and described howthird-party servers can exploit the PII leakage to link it withuser actions across different domains [5] In follow-up workthe authors focused on the privacy leakage in social networksthat leveraged the GPS capabilities of mobile devices to offerlocation-based functionality [6] and explored how pieces ofinformation collected from different social networks could becombined for further compromising user privacy Englehardt etal [7] explored the feasibility of conducting mass surveillanceby monitoring unencrypted traffic and inspecting third-partytracking cookies They also identified cases of PII beingexposed in unencrypted traffic which can be leveraged forimproving the clustering of user traffic and linking differentrequests to the same user While their work focuses ona different attack scenario their results also highlight thethreat of unencrypted connections Liu et al [8] developeda novel method for detecting PII being transmitted in networktraffic without prior knowledge of the fields and form of theinformation transmitted by each service Due to the very smallfraction of fields that actually contain PII the authors arguethat looking for fields with values that are unique to a userresults in very high false positives and false negatives Thusmass surveillance attacks will have to employ more advancedtechniques The evaluation of the proposed approach on alarge-scale trace presented a false positive rate of 136

These approaches however have a limited viewpoint andcan only detect information sent in clear text during themonitoring period There exist multiple common scenarioswhere exposed personal information will not be detected (i)websites are highly dynamic and content may be fetched in anobfuscated form and constructed at runtime on the client side(ii) sensitive content may always be fetched over encryptedconnections even though HTTP cookies may (erroneously)have sufficient access privileges (iii) certain pieces of infor-mation are only exposed after specific user actions whichmay not occur during the monitoring period Furthermorecookie hijacking attacks can also access protected accountfunctionality in certain cases due to imprecise access controlOverall our goal is to explore the prevalence and criticality ofprivate information and account functionality being accessibleto HTTP cookies and understanding how varying componentsof the complicated ecosystem (from browser security mecha-nisms to mobile apps) affect the attack surface and feasibilityof hijacking Furthermore as the authors state [7] using theTor bundle likely defeats their attack scenario On the otherhand we demonstrate that while the Tor bundle reduces theattack surface cookie hijacking remains feasible

Risks of personalization The personal information leakagewe identify in our attacks is a direct result of websites offeringa personalized experience to users Castelluccia et al [4] high-lighted the problem of privacy leakage that can occur whenpersonalized functionality is accessible to HTTP cookies Theauthors demonstrated how adversaries could reconstruct auserrsquos Google search history by exploiting the personalized

suggestions Korolova presented novel attacks that use tar-geted ads for obtaining private user information [46] Toch etal [67] analyzed the privacy risks that emerge from popularapproaches to personalizing services

Encrypted connections The privacy threats we study arealso the result of websites not enforcing encryption across allpages and subdomains Previous work has shown the risksof supporting mixed-content websites where pages accessedover HTTPS also include content fetched over HTTP [68]While security mechanisms or browser extensions reduce theattack surface they do not entirely mitigate these attacks Asignificant step towards improving user privacy is the deploy-ment of ubiquitous encryption Naylor et al [2] discussedthe ldquocostrdquo of a wide deployment of HTTPS and analyzedaspects such as infrastructure costs latency data usage andenergy consumption However even when the connection isencrypted previous work has demonstrated the feasibility ofa wide range of attacks at both application and cryptographiclevel that can subvert the protection [10] [69]ndash[72] Fahl etal [73] [74] explored such attacks in the mobile domain

Deanonymizing Tor users Huber et al [75] discussedhow Tor users could be deanonymized by PII being leakedin HTTP traffic Chakravarty et al [76] proposed the use ofdecoy traffic with fake credentials for detecting adversariesmonitoring traffic from Tor exit nodes While their prototypefocused on IMAP and SMTP servers their technique could beextended to also leverage decoy accounts in major websitesIf the attacker doesnrsquot change the account in a visible waythis technique will only detect attacks if the service offersinformation about previous logins (eg as Gmail does) Winteret al [77] deployed their tool HoneyConnector for a periodof 4 months and identified 27 Tor exit nodes that monitoredoutgoing traffic and used stolen decoy credentials

IX CONCLUSION

In this paper we presented our extensive in-depth study onthe privacy threats that users face when attackers steal theirHTTP cookies We audited a wide range of major servicesand found that cookie hijacking attacks are not limited toa specific type of websites but pose a widespread threat toany website that does not enforce ubiquitous encryption Ourstudy revealed numerous instances of major services exposingprivate information and protected account functionality tonon-authenticated cookies This threat is not restricted towebsites as usersrsquo cookies are also exposed by official browserextensions search bars and mobile apps To obtain a betterunderstanding of the risk posed by passive eavesdroppers inpractice we conducted an IRB-approved measurement studyand detected that a large portion of the outgoing traffic inpublic wireless networks remains unencrypted thus exposinga significant amount of users to cookie hijacking attacksWe also evaluated the protection offered by popular browser-supported security mechanisms and found that they can reducethe attack surface but can not protect users if websites do notsupport ubiquitous encryption The practicality and pervasive-ness of these attacks also renders them a significant threat

to Tor users as they can be deanonymized by adversariesmonitoring the outgoing traffic of exit nodes

X ACKNOWLEDGEMENTS

We would like to thank the anonymous reviewers for theirfeedback We would also like to thank the CUIT team of JoelRosenblatt and the CRF team of Bach-Thuoc (Daisy) Nguyenat Columbia University for their technical support throughoutthis project Finally we would like to thank Georgios KontaxisVasileios P Kemerlis and Steven Bellovin for informativediscussions and feedback This work was supported by theNSF under grant CNS-13-18415 Author Suphannee Sivakornis also partially supported by the Ministry of Science andTechnology of the Royal Thai Government Any opinionsfindings conclusions or recommendations expressed hereinare those of the authors and do not necessarily reflect thoseof the US Government or the NSF

REFERENCES

[1] E Butler ldquoFiresheeprdquo 2010 httpcodebutlercomfiresheep[2] D Naylor A Finamore I Leontiadis Y Grunenberger M Mellia

M Munafo K Papagiannaki and P Steenkiste ldquoThe Cost of the rdquoSrdquo inHTTPSrdquo in Proceedings of the 10th ACM International on Conferenceon Emerging Networking Experiments and Technologies ser CoNEXTrsquo14 ACM 2014 pp 133ndash140

[3] K Singh A Moshchuk H J Wang and W Lee ldquoOn the Incoherenciesin Web Browser Access Control Policiesrdquo in Proceedings of the 2010IEEE Symposium on Security and Privacy 2010

[4] C Castelluccia E De Cristofaro and D Perito ldquoPrivate InformationDisclosure from Web Searchesrdquo in Privacy Enhancing Technologiesser PETS rsquo10 2010

[5] B Krishnamurthy and C E Wills ldquoOn the leakage of personallyidentifiable information via online social networksrdquo in Proceedings ofthe 2nd ACM workshop on Online social networks ser WOSN rsquo092009

[6] B Krishnamurthy and C Wills ldquoPrivacy Leakage in Mobile OnlineSocial Networksrdquo in Proceedings of the 3rd Workshop on Online SocialNetworks ser WOSN rsquo10 2010

[7] S Englehardt D Reisman C Eubank P Zimmerman J MayerA Narayanan and E W Felten ldquoCookies That Give You Away TheSurveillance Implications of Web Trackingrdquo in Proceedings of the 24thInternational Conference on World Wide Web ser WWW rsquo15 2015

[8] Y Liu H H Song I Bermudez A Mislove M Baldi and A Ton-gaonkar ldquoIdentifying Personal Information in Internet Trafficrdquo in Pro-ceedings of the 3rd ACM Conference on Online Social Networks serCOSN rsquo15 2015

[9] B Moller T Duong and K Kotowicz (2014 Oct) This POODLE bitesexploiting the SSL 30 fallback httpsgoogleonlinesecurityblogspotcom201410this-poodle-bites-exploiting-ssl-30html

[10] M Marlinspike ldquoNew Tricks For Defeating SSL In Practicerdquo BlackHatDC Feb 2009

[11] M Kranch and J Bonneau ldquoUpgrading HTTPS in Mid-Air An Empiri-cal Study of Strict Transport Security and Key Pinningrdquo in Proceedingsof the Network and Distributed System Security Symposium ser NDSSrsquo15 2015

[12] J Hodges C Jackson and A Barth ldquoHTTP Strict Transport SecurityrdquoRFC 6797 2012

[13] Can I use HSTS Browser Support httpcaniusecomfeat=stricttransportsecurity

[14] L Garron HSTS Preload httpshstspreloadappspotcom[15] M Stevens A Sotirov J Appelbaum A Lenstra D Molnar D A

Osvik and B De Weger ldquoShort chosen-prefix collisions for MD5 andthe creation of a rogue CA certificaterdquo in Advances in Cryptology-CRYPTO 2009 2009 pp 55ndash69

[16] C Palmer and C Evans ldquoCertificate Pinning Extension for HSTSrdquo RFCDRAFT 2011

[17] C Palmer C Evans and R Sleevi ldquoCertificate Pinning Extension forHSTSrdquo RFC 7469 2015

VIII RELATED WORK

Hijacking and other cookie-related issues Zheng etal [52] recently presented an empirical study on the feasibilityof cookie injection attacks While cookies have the Secureflag that can prevent browsers from sending them over un-encrypted connections there is no provision to ensure thatsuch cookies are also set only over HTTPS connections Asa result during an HTTP connection to a domain a man-in-the-middle attacker can inject cookies that will be appendedin future HTTPS connections to that specific domain In theirreal-world assessment of this attack the authors explored howcookie injection could enable attacks such as account and(sub-)session hijacking and cart manipulation in e-commercesites They also identify how browser-specific handling ofcookies can enable attacks Bortz et al [55] had previouslydescribed cookie injection attacks and proposed origin cookiesfor achieving session integrity in web applications

Wang et al [56] identified flaws in popular ID providersof single-sign-on services that allowed attackers to log intoservices as the users Karlof et al [57] introduced pharmingattacks that relied on DNS hijacking and allowed attackers tohijack user sessions Lekies et al [58] leveraged the exemptionof remote scripts included through the HTML script tagfrom the Same-Origin policy for leaking personal informationand in some cases hijacking sessions Barth et al [59]introduced the login CSRF attack where the user is loggedinto a legitimate service as the attacker which can result inthe exposure of sensitive user information

Numerous approaches have been proposed for prevent-ing session hijacking [60]ndash[62] Jackson and Barth pre-sented ForceHTTPS [63] a browser extension for enforcingHTTPS connections This was reformed and standardized asHSTS [12] Kranch and Bonneau [11] performed an extensivestudy on the adoption of HSTS and certificate pinning in thewild They reported a lack of understanding by web developerson the proper use of these mechanisms as they often use themin illogical or invalid ways Selvi [64] demonstrated scenarioswhere an attacker could bypass HSTS protection Bhargavan etal [65] also showed how the HSTS header could be partiallytruncated resulting in the expiration of the HSTS entry withinseconds Singh et al [3] studied the incoherencies of webaccess control and showed that user actions and resourcescould be improperly exposed to web applications

Mayer and Mitchel [40] discussed the policy and technologyissues of third-party web tracking Roesner et al [41] studiedthe behavior of web trackers and found an extensive set oftrackers They also explored the impact of browser mecha-nisms such as cookie blocking and DoNotTrack and foundthat preventing web-tracking from popular social networkwidgets also broke their functionality Sivakorn et al [66]demonstrated how HTTP cookies could be used for influenc-ing Googlersquos advanced risk analysis system and bypassingreCAPTCHA challenges Attackers could use hijacked cookiesin a similar fashion which can bypass even more stringentsafeguards that require extensive browsing history

Privacy leakage Krishnamurthy and Willis explored onlinesocial networks and the leakage of usersrsquo personally identifi-able information (PII) in HTTP headers and described howthird-party servers can exploit the PII leakage to link it withuser actions across different domains [5] In follow-up workthe authors focused on the privacy leakage in social networksthat leveraged the GPS capabilities of mobile devices to offerlocation-based functionality [6] and explored how pieces ofinformation collected from different social networks could becombined for further compromising user privacy Englehardt etal [7] explored the feasibility of conducting mass surveillanceby monitoring unencrypted traffic and inspecting third-partytracking cookies They also identified cases of PII beingexposed in unencrypted traffic which can be leveraged forimproving the clustering of user traffic and linking differentrequests to the same user While their work focuses ona different attack scenario their results also highlight thethreat of unencrypted connections Liu et al [8] developeda novel method for detecting PII being transmitted in networktraffic without prior knowledge of the fields and form of theinformation transmitted by each service Due to the very smallfraction of fields that actually contain PII the authors arguethat looking for fields with values that are unique to a userresults in very high false positives and false negatives Thusmass surveillance attacks will have to employ more advancedtechniques The evaluation of the proposed approach on alarge-scale trace presented a false positive rate of 136

These approaches however have a limited viewpoint andcan only detect information sent in clear text during themonitoring period There exist multiple common scenarioswhere exposed personal information will not be detected (i)websites are highly dynamic and content may be fetched in anobfuscated form and constructed at runtime on the client side(ii) sensitive content may always be fetched over encryptedconnections even though HTTP cookies may (erroneously)have sufficient access privileges (iii) certain pieces of infor-mation are only exposed after specific user actions whichmay not occur during the monitoring period Furthermorecookie hijacking attacks can also access protected accountfunctionality in certain cases due to imprecise access controlOverall our goal is to explore the prevalence and criticality ofprivate information and account functionality being accessibleto HTTP cookies and understanding how varying componentsof the complicated ecosystem (from browser security mecha-nisms to mobile apps) affect the attack surface and feasibilityof hijacking Furthermore as the authors state [7] using theTor bundle likely defeats their attack scenario On the otherhand we demonstrate that while the Tor bundle reduces theattack surface cookie hijacking remains feasible

Risks of personalization The personal information leakagewe identify in our attacks is a direct result of websites offeringa personalized experience to users Castelluccia et al [4] high-lighted the problem of privacy leakage that can occur whenpersonalized functionality is accessible to HTTP cookies Theauthors demonstrated how adversaries could reconstruct auserrsquos Google search history by exploiting the personalized

suggestions Korolova presented novel attacks that use tar-geted ads for obtaining private user information [46] Toch etal [67] analyzed the privacy risks that emerge from popularapproaches to personalizing services

Encrypted connections The privacy threats we study arealso the result of websites not enforcing encryption across allpages and subdomains Previous work has shown the risksof supporting mixed-content websites where pages accessedover HTTPS also include content fetched over HTTP [68]While security mechanisms or browser extensions reduce theattack surface they do not entirely mitigate these attacks Asignificant step towards improving user privacy is the deploy-ment of ubiquitous encryption Naylor et al [2] discussedthe ldquocostrdquo of a wide deployment of HTTPS and analyzedaspects such as infrastructure costs latency data usage andenergy consumption However even when the connection isencrypted previous work has demonstrated the feasibility ofa wide range of attacks at both application and cryptographiclevel that can subvert the protection [10] [69]ndash[72] Fahl etal [73] [74] explored such attacks in the mobile domain

Deanonymizing Tor users Huber et al [75] discussedhow Tor users could be deanonymized by PII being leakedin HTTP traffic Chakravarty et al [76] proposed the use ofdecoy traffic with fake credentials for detecting adversariesmonitoring traffic from Tor exit nodes While their prototypefocused on IMAP and SMTP servers their technique could beextended to also leverage decoy accounts in major websitesIf the attacker doesnrsquot change the account in a visible waythis technique will only detect attacks if the service offersinformation about previous logins (eg as Gmail does) Winteret al [77] deployed their tool HoneyConnector for a periodof 4 months and identified 27 Tor exit nodes that monitoredoutgoing traffic and used stolen decoy credentials

IX CONCLUSION

In this paper we presented our extensive in-depth study onthe privacy threats that users face when attackers steal theirHTTP cookies We audited a wide range of major servicesand found that cookie hijacking attacks are not limited toa specific type of websites but pose a widespread threat toany website that does not enforce ubiquitous encryption Ourstudy revealed numerous instances of major services exposingprivate information and protected account functionality tonon-authenticated cookies This threat is not restricted towebsites as usersrsquo cookies are also exposed by official browserextensions search bars and mobile apps To obtain a betterunderstanding of the risk posed by passive eavesdroppers inpractice we conducted an IRB-approved measurement studyand detected that a large portion of the outgoing traffic inpublic wireless networks remains unencrypted thus exposinga significant amount of users to cookie hijacking attacksWe also evaluated the protection offered by popular browser-supported security mechanisms and found that they can reducethe attack surface but can not protect users if websites do notsupport ubiquitous encryption The practicality and pervasive-ness of these attacks also renders them a significant threat

to Tor users as they can be deanonymized by adversariesmonitoring the outgoing traffic of exit nodes

X ACKNOWLEDGEMENTS

We would like to thank the anonymous reviewers for theirfeedback We would also like to thank the CUIT team of JoelRosenblatt and the CRF team of Bach-Thuoc (Daisy) Nguyenat Columbia University for their technical support throughoutthis project Finally we would like to thank Georgios KontaxisVasileios P Kemerlis and Steven Bellovin for informativediscussions and feedback This work was supported by theNSF under grant CNS-13-18415 Author Suphannee Sivakornis also partially supported by the Ministry of Science andTechnology of the Royal Thai Government Any opinionsfindings conclusions or recommendations expressed hereinare those of the authors and do not necessarily reflect thoseof the US Government or the NSF

REFERENCES

[1] E Butler ldquoFiresheeprdquo 2010 httpcodebutlercomfiresheep[2] D Naylor A Finamore I Leontiadis Y Grunenberger M Mellia

M Munafo K Papagiannaki and P Steenkiste ldquoThe Cost of the rdquoSrdquo inHTTPSrdquo in Proceedings of the 10th ACM International on Conferenceon Emerging Networking Experiments and Technologies ser CoNEXTrsquo14 ACM 2014 pp 133ndash140

[3] K Singh A Moshchuk H J Wang and W Lee ldquoOn the Incoherenciesin Web Browser Access Control Policiesrdquo in Proceedings of the 2010IEEE Symposium on Security and Privacy 2010

[4] C Castelluccia E De Cristofaro and D Perito ldquoPrivate InformationDisclosure from Web Searchesrdquo in Privacy Enhancing Technologiesser PETS rsquo10 2010

[5] B Krishnamurthy and C E Wills ldquoOn the leakage of personallyidentifiable information via online social networksrdquo in Proceedings ofthe 2nd ACM workshop on Online social networks ser WOSN rsquo092009

[6] B Krishnamurthy and C Wills ldquoPrivacy Leakage in Mobile OnlineSocial Networksrdquo in Proceedings of the 3rd Workshop on Online SocialNetworks ser WOSN rsquo10 2010

[7] S Englehardt D Reisman C Eubank P Zimmerman J MayerA Narayanan and E W Felten ldquoCookies That Give You Away TheSurveillance Implications of Web Trackingrdquo in Proceedings of the 24thInternational Conference on World Wide Web ser WWW rsquo15 2015

[8] Y Liu H H Song I Bermudez A Mislove M Baldi and A Ton-gaonkar ldquoIdentifying Personal Information in Internet Trafficrdquo in Pro-ceedings of the 3rd ACM Conference on Online Social Networks serCOSN rsquo15 2015

[9] B Moller T Duong and K Kotowicz (2014 Oct) This POODLE bitesexploiting the SSL 30 fallback httpsgoogleonlinesecurityblogspotcom201410this-poodle-bites-exploiting-ssl-30html

[10] M Marlinspike ldquoNew Tricks For Defeating SSL In Practicerdquo BlackHatDC Feb 2009

[11] M Kranch and J Bonneau ldquoUpgrading HTTPS in Mid-Air An Empiri-cal Study of Strict Transport Security and Key Pinningrdquo in Proceedingsof the Network and Distributed System Security Symposium ser NDSSrsquo15 2015

[12] J Hodges C Jackson and A Barth ldquoHTTP Strict Transport SecurityrdquoRFC 6797 2012

[13] Can I use HSTS Browser Support httpcaniusecomfeat=stricttransportsecurity

[14] L Garron HSTS Preload httpshstspreloadappspotcom[15] M Stevens A Sotirov J Appelbaum A Lenstra D Molnar D A

Osvik and B De Weger ldquoShort chosen-prefix collisions for MD5 andthe creation of a rogue CA certificaterdquo in Advances in Cryptology-CRYPTO 2009 2009 pp 55ndash69

[16] C Palmer and C Evans ldquoCertificate Pinning Extension for HSTSrdquo RFCDRAFT 2011

[17] C Palmer C Evans and R Sleevi ldquoCertificate Pinning Extension forHSTSrdquo RFC 7469 2015

suggestions Korolova presented novel attacks that use tar-geted ads for obtaining private user information [46] Toch etal [67] analyzed the privacy risks that emerge from popularapproaches to personalizing services

Encrypted connections The privacy threats we study arealso the result of websites not enforcing encryption across allpages and subdomains Previous work has shown the risksof supporting mixed-content websites where pages accessedover HTTPS also include content fetched over HTTP [68]While security mechanisms or browser extensions reduce theattack surface they do not entirely mitigate these attacks Asignificant step towards improving user privacy is the deploy-ment of ubiquitous encryption Naylor et al [2] discussedthe ldquocostrdquo of a wide deployment of HTTPS and analyzedaspects such as infrastructure costs latency data usage andenergy consumption However even when the connection isencrypted previous work has demonstrated the feasibility ofa wide range of attacks at both application and cryptographiclevel that can subvert the protection [10] [69]ndash[72] Fahl etal [73] [74] explored such attacks in the mobile domain

Deanonymizing Tor users Huber et al [75] discussedhow Tor users could be deanonymized by PII being leakedin HTTP traffic Chakravarty et al [76] proposed the use ofdecoy traffic with fake credentials for detecting adversariesmonitoring traffic from Tor exit nodes While their prototypefocused on IMAP and SMTP servers their technique could beextended to also leverage decoy accounts in major websitesIf the attacker doesnrsquot change the account in a visible waythis technique will only detect attacks if the service offersinformation about previous logins (eg as Gmail does) Winteret al [77] deployed their tool HoneyConnector for a periodof 4 months and identified 27 Tor exit nodes that monitoredoutgoing traffic and used stolen decoy credentials

IX CONCLUSION

In this paper we presented our extensive in-depth study onthe privacy threats that users face when attackers steal theirHTTP cookies We audited a wide range of major servicesand found that cookie hijacking attacks are not limited toa specific type of websites but pose a widespread threat toany website that does not enforce ubiquitous encryption Ourstudy revealed numerous instances of major services exposingprivate information and protected account functionality tonon-authenticated cookies This threat is not restricted towebsites as usersrsquo cookies are also exposed by official browserextensions search bars and mobile apps To obtain a betterunderstanding of the risk posed by passive eavesdroppers inpractice we conducted an IRB-approved measurement studyand detected that a large portion of the outgoing traffic inpublic wireless networks remains unencrypted thus exposinga significant amount of users to cookie hijacking attacksWe also evaluated the protection offered by popular browser-supported security mechanisms and found that they can reducethe attack surface but can not protect users if websites do notsupport ubiquitous encryption The practicality and pervasive-ness of these attacks also renders them a significant threat

to Tor users as they can be deanonymized by adversariesmonitoring the outgoing traffic of exit nodes

X ACKNOWLEDGEMENTS

We would like to thank the anonymous reviewers for theirfeedback We would also like to thank the CUIT team of JoelRosenblatt and the CRF team of Bach-Thuoc (Daisy) Nguyenat Columbia University for their technical support throughoutthis project Finally we would like to thank Georgios KontaxisVasileios P Kemerlis and Steven Bellovin for informativediscussions and feedback This work was supported by theNSF under grant CNS-13-18415 Author Suphannee Sivakornis also partially supported by the Ministry of Science andTechnology of the Royal Thai Government Any opinionsfindings conclusions or recommendations expressed hereinare those of the authors and do not necessarily reflect thoseof the US Government or the NSF

REFERENCES

[1] E Butler ldquoFiresheeprdquo 2010 httpcodebutlercomfiresheep[2] D Naylor A Finamore I Leontiadis Y Grunenberger M Mellia

M Munafo K Papagiannaki and P Steenkiste ldquoThe Cost of the rdquoSrdquo inHTTPSrdquo in Proceedings of the 10th ACM International on Conferenceon Emerging Networking Experiments and Technologies ser CoNEXTrsquo14 ACM 2014 pp 133ndash140

[3] K Singh A Moshchuk H J Wang and W Lee ldquoOn the Incoherenciesin Web Browser Access Control Policiesrdquo in Proceedings of the 2010IEEE Symposium on Security and Privacy 2010

[4] C Castelluccia E De Cristofaro and D Perito ldquoPrivate InformationDisclosure from Web Searchesrdquo in Privacy Enhancing Technologiesser PETS rsquo10 2010

[5] B Krishnamurthy and C E Wills ldquoOn the leakage of personallyidentifiable information via online social networksrdquo in Proceedings ofthe 2nd ACM workshop on Online social networks ser WOSN rsquo092009

[6] B Krishnamurthy and C Wills ldquoPrivacy Leakage in Mobile OnlineSocial Networksrdquo in Proceedings of the 3rd Workshop on Online SocialNetworks ser WOSN rsquo10 2010

[7] S Englehardt D Reisman C Eubank P Zimmerman J MayerA Narayanan and E W Felten ldquoCookies That Give You Away TheSurveillance Implications of Web Trackingrdquo in Proceedings of the 24thInternational Conference on World Wide Web ser WWW rsquo15 2015

[8] Y Liu H H Song I Bermudez A Mislove M Baldi and A Ton-gaonkar ldquoIdentifying Personal Information in Internet Trafficrdquo in Pro-ceedings of the 3rd ACM Conference on Online Social Networks serCOSN rsquo15 2015

[9] B Moller T Duong and K Kotowicz (2014 Oct) This POODLE bitesexploiting the SSL 30 fallback httpsgoogleonlinesecurityblogspotcom201410this-poodle-bites-exploiting-ssl-30html

[10] M Marlinspike ldquoNew Tricks For Defeating SSL In Practicerdquo BlackHatDC Feb 2009

[11] M Kranch and J Bonneau ldquoUpgrading HTTPS in Mid-Air An Empiri-cal Study of Strict Transport Security and Key Pinningrdquo in Proceedingsof the Network and Distributed System Security Symposium ser NDSSrsquo15 2015

[12] J Hodges C Jackson and A Barth ldquoHTTP Strict Transport SecurityrdquoRFC 6797 2012

[13] Can I use HSTS Browser Support httpcaniusecomfeat=stricttransportsecurity

[14] L Garron HSTS Preload httpshstspreloadappspotcom[15] M Stevens A Sotirov J Appelbaum A Lenstra D Molnar D A

Osvik and B De Weger ldquoShort chosen-prefix collisions for MD5 andthe creation of a rogue CA certificaterdquo in Advances in Cryptology-CRYPTO 2009 2009 pp 55ndash69

[16] C Palmer and C Evans ldquoCertificate Pinning Extension for HSTSrdquo RFCDRAFT 2011

[17] C Palmer C Evans and R Sleevi ldquoCertificate Pinning Extension forHSTSrdquo RFC 7469 2015

[18] N Heninger Z Durumeric E Wustrow and J A Halderman ldquoMiningYour Ps and Qs Detection of Widespread Weak Keys in NetworkDevicesrdquo in Proceedings of the 21st USENIX Security Symposium Aug2012

[19] Y Zhou and D Evans ldquoWhy Arent HTTP-only Cookies More WidelyDeployedrdquo in Proceedings of the Web 20 Security and Privacy 2010workshop ser W2SP rsquo10 2010

[20] S Fogie J Grossman R Hansen A Rager and P D Petkov XSSAttacks Cross Site Scripting Exploits and Defense Syngress 2011

[21] Randy Westergren (2016) Widespread XSS Vulnerabilities in Ad Net-work Code Affecting Top Tier Publishers httprandywestergrencomwidespread-xss-vulnerabilities-ad-network-code-affecting-top-tier-publishers-retailers

[22] N Perlroth J Larson and S Shane (2013 Sep) The New York Times- NSA Able to Foil Basic Safeguards of Privacy on Web httpwwwnytimescom20130906usnsa-foils-much-internet-encryptionhtml

[23] R Gallagher (2015 Sep) The Intercept - From Radio to Porn BritishSpies Track Web Users Online Identities httpstheinterceptcom20150925gchq-radio-porn-spies-track-web-users-online-identities

[24] A Soltani A Peterson and B Gellman (2013 Dec) The Wash-ington Post - NSA uses Google cookies to pinpoint targets forhacking httpswwwwashingtonpostcomnewsthe-switchwp20131210nsa-uses-google-cookies-to-pinpoint-targets-for-hacking

[25] BBC News (2014 Jul) NSA rsquotargetsrsquo Tor web servers and users httpwwwbbccomnewstechnology-28162273

[26] R Gross and A Acquisti ldquoInformation Revelation and Privacy in OnlineSocial Networksrdquo in Proceedings of the 2005 ACM Workshop on Privacyin the Electronic Society ser WPES rsquo05 2005

[27] I Polakis G Argyros T Petsios S Sivakorn and A D KeromytisldquoWherersquos wally precise user discovery attacks in location proximityservicesrdquo in CCS rsquo15 2015 pp 817ndash828

[28] A Hannak P Sapiezynski A Molavi Kakhki B KrishnamurthyD Lazer A Mislove and C Wilson ldquoMeasuring Personalization ofWeb Searchrdquo in Proceedings of the 22nd International Conference onWorld Wide Web ser WWW rsquo13 2013

[29] X Xing W Meng D Doozan A C Snoeren N Feamster and W LeeldquoTake This Personally Pollution Attacks on Personalized Servicesrdquo inProceedings of the 22nd USENIX Security Symposium 2013

[30] A Chaabane G Acs and M A Kaafar ldquoYou Are What You LikeInformation Leakage Through Users Interestsrdquo in Proceedings of theNetwork and Distributed System Security Symposium ser NDSS rsquo122012

[31] comScore (2015 Aug) July 2015 US DesktopSearch Engine Rankings httpwwwcomscorecomInsightsMarket-RankingscomScore-Releases-July-2015-US-Desktop-Search-Engine-Rankings

[32] A Acquisti R Gross and F Stutzman ldquoFaces of facebook Privacy inthe age of augmented realityrdquo BlackHat 2011

[33] I Polakis G Kontaxis S Antonatos E Gessiou T Petsas and E PMarkatos ldquoUsing Social Networks to Harvest Email Addressesrdquo inProceedings of the 9th Annual ACM Workshop on Privacy in theElectronic Society ser WPES rsquo10 2010

[34] F M Harper D Raban S Rafaeli and J A Konstan ldquoPredictorsof Answer Quality in Online QampAmpA Sitesrdquo in Proceedings of theSIGCHI Conference on Human Factors in Computing Systems ser CHIrsquo08 2008

[35] D Pelleg E Yom-Tov and Y Maarek ldquoCan You Believe an AnonymousContributor On Truthfulness in Yahoo Answersrdquo in SOCIALCOM-PASSAT rsquo12 2012

[36] J A Calandrino A Kilzer A Narayanan E W Felten andV Shmatikov ldquoYou Might Also LIke Privacy Risks of CollaborativeFilteringrdquo in Proceedings of the 2011 IEEE Symposium on Security andPrivacy 2011

[37] J Y Tsai S Egelman L Cranor and A Acquisti ldquoThe Effect of OnlinePrivacy Information on Purchasing Behavior An Experimental StudyrdquoInfo Sys Research vol 22 no 2 2011

[38] N Christin S S Yanagihara and K Kamataki ldquoDissecting One ClickFraudsrdquo in Proceedings of the 17th ACM Conference on Computer andCommunications Security 2010

[39] U Chareca ldquoInferring user demographics from reading habitsrdquo Masterrsquosthesis Linkoping University 2014

[40] J R Mayer and J C Mitchell ldquoThird-Party Web Tracking Policy andTechnologyrdquo in Proceedings of the 2012 IEEE Symposium on Securityand Privacy 2012

[41] F Roesner T Kohno and D Wetherall ldquoDetecting and DefendingAgainst Third-party Tracking on the Webrdquo in Proceedings of the 9thUSENIX Conference on Networked Systems Design and Implementationser NSDI rsquo12 2012

[42] P Gill V Erramilli A Chaintreau B Krishnamurthy K Papagiannakiand P Rodriguez ldquoFollow the Money Understanding Economics ofOnline Aggregation and Advertisingrdquo in Proceedings of the 2013Conference on Internet Measurement Conference ser IMC rsquo13 2013

[43] P Barford I Canadi D Krushevskaja Q Ma and S MuthukrishnanldquoAdscape Harvesting and Analyzing Online Display Adsrdquo in Proceed-ings of the 23rd International Conference on World Wide Web serWWW rsquo14 2014

[44] A Datta M C Tschantz and A Datta ldquoAutomated Experiments onAd Privacy Settings ATale of Opacity Choice and DiscriminationrdquoProceedings on Privacy Enhancing Technologies vol 2015 no 1 2015

[45] M Lecuyer G Ducoffe F Lan A Papancea T Petsios R SpahnA Chaintreau and R Geambasu ldquoXRay Enhancing the Webrsquos Trans-parency with Differential Correlationrdquo in Proceedings of the 23rdUSENIX Security Symposium 2014

[46] A Korolova ldquoPrivacy violations using microtargeted ads A case studyrdquoin Proceedings of the 2010 IEEE International Conference on DataMining Workshops ser ICDMW rsquo10 2010

[47] A Kapravelos C Grier N Chachra C Kruegel G Vigna andV Paxson ldquoHulk Eliciting Malicious Behavior in Browser Extensionsrdquoin Proceedings of the 23rd USENIX Security Symposium 2014

[48] Cisco (2015 May) Visual Networking Index Global Traffic Forecasthttpswwwciscocomcenussolutionscollateralservice-providerip-ngn-ip-next-generation-networkwhite paper c11-481360html

[49] PurpleWiFi (2014 Jun) Our latest survey how do peopleuse WiFi in public places httpwwwpurplewifinetlatest-survey-people-use-wifi-public-places

[50] R Dingledine N Mathewson and P Syverson ldquoTor The Second-generation Onion Routerrdquo in Proceedings of the 13th USENIX SecuritySymposium ser SSYM rsquo04 2004

[51] EFF HTTPS Everywhere httpswwwefforghttps-Everywhere[52] X Zheng J Jiang J Liang H Duan S Chen T Wan and N Weaver

ldquoCookies Lack Integrity Real-World Implicationsrdquo in Proceedings ofthe 24th USENIX Security Symposium 2015

[53] A P Felt A Ainslie R W Reeder S Consolvo S ThyagarajaA Bettes H Harris and J Grimes ldquoImproving SSL Warnings Compre-hension and Adherencerdquo in Proceedings of the Conference on HumanFactors and Computing Systems 2015

[54] B Potter ldquoWireless Hotspots Petri Dish of Wireless Securityrdquo CommunACM vol 49 no 6 Jun 2006

[55] A Bortz A Barth and A Czeskis ldquoOrigin cookies Session integrity forweb applicationsrdquo in Proceedings of the Web 20 Security and Privacy2011 workshop ser W2SP rsquo11 2011

[56] R Wang S Chen and X Wang ldquoSigning Me onto Your Accountsthrough Facebook and Google a Traffic-Guided Security Study ofCommercially Deployed Single-Sign-On Web Servicesrdquo in Proceedingsof the 2012 IEEE Symposium on Security and Privacy 2012

[57] C Karlof U Shankar J D Tygar and D Wagner ldquoDynamic Pharm-ing Attacks and Locked Same-origin Policies for Web Browsersrdquo inProceedings of the 14th ACM Conference on Computer and Communi-cations Security 2007

[58] S Lekies B Stock M Wentzel and M Johns ldquoThe UnexpectedDangers of Dynamic JavaScriptrdquo in Proceedings of the 24th USENIXSecurity Symposium 2015

[59] A Barth C Jackson and J C Mitchell ldquoRobust Defenses for Cross-Site Request Forgeryrdquo in Proceedings of the 15th ACM Conference onComputer and Communications Security 2008

[60] N Nikiforakis W Meert Y Younan M Johns and W JoosenldquoSessionShield Lightweight Protection against Session Hijackingrdquo inEngineering Secure Software and Systems ser ESSoS rsquo11 2011

[61] P De Ryck L Desmet F Piessens and W Joosen ldquoSecSess KeepingYour Session Tucked Away in Your Browserrdquo in Proceedings of the 30thAnnual ACM Symposium on Applied Computing ser SAC rsquo15 2015

[62] M Johns ldquoSessionSafe Implementing XSS Immune Session Handlingrdquoin Proceedings of the 11th European conference on Research in Com-puter Security ser ESORICSrsquo 06 2006

[63] C Jackson and A Barth ldquoForceHTTPS Protecting high-security websites from network attacksrdquo in Proceedings of the 17th InternationalWorld Wide Web Conference ser WWW rsquo08 2008

[64] J Selvi ldquoBypassing HTTP Strict Transport Securityrdquo BlackHat-EU2014

[65] K Bhargavan A Delignat-Lavaud C Fournet A Pironti and P-YStrub ldquoTriple Handshakes and Cookie Cutters Breaking and FixingAuthentication over TLSrdquo in Proceedings of the 2014 IEEE Symposiumon Security and Privacy 2014

[66] S Sivakorn I Polakis and A D Keromytis ldquoI am robot (deep) learningto break semantic image captchasrdquo in IEEE European Symposium onSecurity and Privacy (EuroSampP) 2016

[67] E Toch Y Wang and L Cranor ldquoPersonalization and privacy a surveyof privacy risks and remedies in personalization-based systemsrdquo UserModeling and User-Adapted Interaction vol 22 no 1-2 2012

[68] P Chen N Nikiforakis C Huygens and L Desmet ldquoA dangerous mixLarge-scale analysis of mixed-content websitesrdquo in Proceedings of the16th Information Security Conference 2013

[69] J Clark and P C van Oorschot ldquoSoK SSL and HTTPS RevisitingPast Challenges and Evaluating Certificate Trust Model Enhancementsrdquoin Proceedings of the 2013 IEEE Symposium on Security and Privacy

[70] S Chen Z Mao Y-M Wang and M Zhang ldquoPretty-bad-proxy Anoverlooked adversary in browsersrsquo https deploymentsrdquo in Proceedingsof the 2009 IEEE Symposium on Security and Privacy 2009

[71] Z Durumeric J Kasten D Adrian J A Halderman M Bailey F LiN Weaver J Amann J Beekman M Payer and V Paxson ldquoThe Matterof Heartbleedrdquo in Proceedings of the 2014 Conference on InternetMeasurement Conference ser IMC rsquo14 2014 pp 475ndash488

[72] D Adrian K Bhargavan Z Durumeric P Gaudry M Green J AHalderman N Heninger D Springall E Thome L Valenta B Vander-Sloot E Wustrow S Zanella-Beguelin and P Zimmermann ldquoImperfectForward Secrecy How Diffie-Hellman Fails in Practicerdquo in Proceedingsof the 22nd ACM Conference on Computer and Communications Secu-rity 2015

[73] S Fahl M Harbach T Muders L Baumgartner B Freisleben andM Smith ldquoWhy Eve and Mallory Love Android An Analysis ofAndroid SSL (in)Securityrdquo in Proceedings of the 2012 ACM Conferenceon Computer and Communications Security 2012

[74] S Fahl M Harbach H Perl M Koetter and M Smith ldquoRethinkingSSL Development in an Appified Worldrdquo in Proceedings of the 2013ACM SIGSAC Conference on Computer and Communications Security2013

[75] M Huber M Mulazzani and E Weippl ldquoTor http usage and informa-tion leakagerdquo in Communications and Multimedia Security 2010

[76] S Chakravarty G Portokalidis M Polychronakis and A D KeromytisldquoDetecting Traffic Snooping in Tor Using Decoysrdquo in Recent Advancesin Intrusion Detection 2011

[77] P Winter R Kower M Mulazzani M Huber S Schrittwieser S Lind-skog and E Weippl ldquoSpoiled Onions Exposing Malicious Tor ExitRelaysrdquo in Privacy Enhancing Technologies Symposium 2014

APPENDIX

A Information Leakage

Here we provide some details or information on certainservices that were omitted from Section III

Doubleclick Figure 6 contains screenshots of our experi-ment that demonstrates how ad networks can reveal parts of auserrsquos browsing history

CNN Almost the entire website runs over HTTP includingthe login page which can be exploited by active adversariesto modify or inject content The credentials however aresent over HTTPS preventing eavesdroppers from hijackingthe userrsquos session Nonetheless the HTTP cookie allows theattacker to view and edit the userrsquos profile which includes firstand last name postal address email and phone number profilepicture and link to the userrsquos Facebook account Furthermorethe attacker can write or delete article comments and alsoobtain the recently viewed or created reports on iReportCNNrsquos citizen journalism portal6

6httpireportcnncom

(a) Browsed page (b) Attacker receives ads exposingbrowsed page

Fig 6 Side-channel leak of userrsquos browsing history by the Doubleclick adnetwork

New York Times The HTTP cookie allows the adversaryto obtain or change the userrsquos profile photo name and lastname a link pointing to a personal homepage and a shortpersonal description (bio) The adversary can also obtain andedit the list of articles that the user has saved

The Guardian Stolen HTTP cookies provide access to theuserrsquos public profile sections which includes a profile pictureand username a short bio the userrsquos interests and previouscomments on articles The adversary can also post commentsas the user

Huffington Post Similar to CNN almost the entire websiteruns overs unencrypted connections and the HTTP cookieallows read and edit access to the userrsquos profile articlesubscriptions comments fans and followings The profileincludes the userrsquos login name profile photo email addressbiography postal code city and state The attacker can alsochange the userrsquos password or delete the account

User-Agent Mozilla50 (iPhone CPU iPhone OS9_0_2 like Mac OS X) AppleWebKit601146(KHTML like Gecko) Mobile13A452

cookie_name amzn-app-ctxtcookie_value 1420osiOSov902anAmazonav530dmw640 h960 ld2000000uiv5 nal1cp8xxxxxxv111dicaATampT

ctWifimfApplepriPhonemdiPhonev4SdtiA287xxxxxxxxxx

Listing 2 User information disclosed in the value attribute of WalmartrsquosHTTP customer cookie (values have been changed for privacy)

Amazon the adversary can obtain information regardingpreviously purchased items either through the recommendationpage (Figure 7(a)) or through product pages (Figure 7(b)) TheiOS versions of the Amazon app also exposes informationabout the userrsquos mobile device as shown in Listing 2

Ebay Apart from the login and checkout pages the re-maining Ebay website runs over HTTP As a result the stolen

(a) Recommendations Page (b) Product Page

Fig 7 Obtaining information about previously purchased items from userrsquosAmazon account

HTTP cookie gives the adversary access to both personalinformation and account functionality

Personal information The site always reveals the userrsquos firstname Also depending on what the victim uses for loggingin (username or email address) is also exposed By forging acookie with the same value but a different scope (domain andpath) we are also able to obtain the userrsquos delivery addressThe HTTP cookies can also access the userrsquos messages whichare normally served over HTTPS

History The cookie provides access to the functionality thatexposes the victimrsquos purchase history and also allows us toview and edit the items in the victimrsquos watch and wish-listsWe can also see which items have been bought or bid uponin the past and all the items being sold by the victim

Cart Similarly to the other e-commerce websites we testedthe HTTP cookie enables access to the cart for viewing itemsalready in it or addingremoving items

Walmart If the adversary appends the stolen cookies whenconnecting the website will reveal the userrsquos first namepostcode and also allow editing of the cart However uponinspection we found that the customer HTTP cookie ac-tually contains 34 fields of information about the user withinits value attribute Apart from the subset that can be seenin Listing 3 which includes the userrsquos first and last name andemail address the cookie also contains ID information thatpoints to the userrsquos reviews and comments and a tracking IDfor third parties

Target As with most e-commerce sites the stolen cookiereveals the userrsquos first name email address and the ability toview and edit the cart and the userrsquos wish-list Furthermoreit also reveals items recently viewed by the user

Vendor-assisted attacks The cookie exposes function-ality that can be leveraged for deploying spam simi-larly to Amazon The attacker can either add items inthe cart and send an email about those items (sent byordersservicetargetcom) or create and send awish-list (sent by noreplyservicetargetcom) Inboth cases the emails explicitly contain the userrsquos full name(thus making the last name obtainable to the attacker) Whilethe attacker cannot include any text which would facilitatedeploying spam or phishing campaigns one could promote

arbitrary items The attacker can also deploy the two afore-mentioned extortion scamsdomain walmartcomname customerpath secure falsehttpOnly falsevalue 7B22firstName223A22JANE222C22

lastName223A22DOE222C22emailAddress223A22janedoe40examplecom222C22isMigrated223Atrue2C22omsCustomerId223A22xxxxxxx9222C22ReviewUser223A7B22isValid223Atrue2C22AdditionalFieldsOrder22xxxxxxxx2C22Avatar223A7B7D2C22UserNickname223A22xxxxxxxxx222C22Photos223A5B5D2C22ContextDataValues22xxxxxxxx2C22Videos223A5B5D2C22ContextDataValuesOrder223AxxxxxxxxxC22SubmissionId223Axxxxx2C22ContributorRank223A22xxxx222C22StoryIds22xxxxxxxxC22AnswerIds22xxxxxx2C22QuestionIds22xxxxxxD2C22BadgesOrder22xxxxxx2C22Badges22xxxxxxxxx2C22Location223Axxxxx2C22SecondaryRatingsOrder22xxxxxx2C22ProductRecommendationIds223Axxxxxxxxx2C22AdditionalFields223A7B7D2C22SubmissionTime223A2220xx-xx-xxxxxxxxxxxxx222C22ModerationStatus223A22APPROVED222C22ReviewIds223xxxxxxx2C22ThirdPartyIds22xxxxxxxxxxC22Id223A22ff79xxxxxxxxxxxxxx509dc5222C22CommentIds223A5B5D2C22SecondaryRatings223Axxxxx2C22LastModeratedTime223A2220xxxxxxxxxxxxxxxx222C22reviewStatus223A7B22hasReview223Axxxxx7D7D7D

Listing 3 User information disclosed in the value attribute of WalmartrsquosHTTP customer cookie (values have been changed for privacy)