FortiGuard Labs Threat Research
Over the past several months we have learned that users cannot always trust a platform to honor their promises regarding safeguarding user data. Even in cases where consent is provided by one user, insufficient privacy controls can still allow a malicious app to collect and funnel private information from others connected to that user—and who did not give consent—to a collection point.
Alarmingly, even if no personally identifiable information (PII) is explicitly provided, thanks to advancements in tracking technologies a party collecting that data can still uniquely identify a person. Security researchers (yours truly included) have sounded the alarm about this problem for many years ([1], [2], [3], [4]), and new attacks exploiting this reality show up on a fairly regular basis([5]). Even more alarming, for the purpose of social manipulation (in the form of distributing tailored fake news, propaganda, and conspiracy theories), a psychology profile is enough. There is no need to really know actual ID information such as real names, etc. in order to accomplish their objectives.
The hard truth is that personal data is not only used for highly targeted advertising, but can lead to serious consequences like identity theft and social manipulation. Naturally, there is a need for consumers to take matter into their own hands. And in this research report from FortiGuard Labs, we will show you how.
General Strategy for Protecting Yourself
Security is not foolproof, which means that users cannot only count on organizations to protect their data. Instead, they need to proactively protect themselves using a number of techniques, such as not using the same password for multiple accounts, which is one good strategy among the many detailed for you below.
On a side note, this research is not meant to be comprehensive but rather, a generic framework to help individuals maximize privacy while minimizing the cost of time and resources. Privacy-minded consumers can combine general strategies with cost effective privacy-oriented tools to achieve the goal of protecting their privacy and identity.
The best general strategy is to combine common sense with enhancing your general security posture by utilizing security best practices, such as:
· Keeping software up to date
· Applying patches and fixes as soon as they are released
· Securing your password management (e.g. avoid reusing the same password)
· Installing anti-virus and anti-malware protection
· Implementing effective firewalls technologies as needed – edge firewalls, web filtering, network segmentation, etc.
Once a baseline security foundation is in place, you can then focus on protecting privacy, which is the main focus of this research:
· Using VPN to hide the real IP address (e.g. ZenMate VPN)
· Or better yet, using The Onion Router (TOR)
Not All Browsers Are Built the Same
In order for you to counter the tracking technologies used in web sites, only in-browser logics can help. All of the major browsers offer some support for protecting your privacy. Firefox, for example, offers especially effective privacy options because of the broad set of extensions it provides to support privacy.
After completing our research we found that the following Firefox browser extensions are the most useful:
Name |
Size |
Code hash |
Ghostery |
4,698,487 bytes |
8C2A915F408DED4DE03F5B17D30E1C2526AC8D8522FC9E516542F6F4BB57957E |
NoScript Security Suite |
375,278 bytes |
69424AFDE4420C64344DF74871454BB8969B2F984C134503A310C37A5E2E7013 |
Decentraleyes |
5,912,700 bytes |
AE29F5684B433773C78B1E31092B389955DBF36DB19A0CA47137596F4A44F7AE |
AdBlock for Firefox |
1,084,644 bytes |
01E303F25E1D464CDC8E00DAA28B7802EFD82AB148E450EBC4F03E246CE4F1DB |
Facebook Container |
10,611 bytes |
7E5AFF72DD301A1A3F762ABF408625CF464DE9879F5732DF95E40E5F88BB95C6 |
Firefox Multi-Account Containers |
132,689 bytes |
4D0148504C80097F075F7BC1AB8848B949A1A8FF098090FBB9671F869BBD8098 |
Primer on Firefox Extensions
Given what we have learned about security claims, we decided to dig deeper. We reviewed technical designs and then, to confirm the soundness of the implementation, we performed a security analysis.
But before diving in to the implementation of extensions, it’s worthwhile to understand the overall context. Extensions for Firefox are built using the WebExtensions API. To a large extent, WebExtensions API is also compatible with the extension API supported by Opera, Chrome, and the W3C Draft Community Group. Extensions written for these browsers will run in Firefox in most cases, with just a few modifications.
Extensions come with a manifest file used to describe itself (e.g. permissions). The code is in JavaScript so it can be statically analyzed (even though it may have been minified or obfuscated.)
Firefox has a debug capability built in, which enables dynamic analysis to be enabled, as shown above. Further details on this capability can be obtained from MDN Web Docs (previously, Mozilla Developer Network - MDN) and this blog post is not going to repeat that.
Facebook Container Extension
This extension is interesting because it can automatically contain Facebook and thereby prevent it from tracking you across web sites.
As of this writing, only Firefox 57 fully supports this feature. We have analyzed Facebook Container and found that the key feature that enables this “magic” is contextualIdentities, as seen below:
Mozilla says it best, so we’ll let it speak for itself: “Contextual identities, also known as "containers", are a browser feature which addresses the idea that users assume multiple identities when browsing the web and wish to maintain some separation between these identities. For example, a user might consider their "work identity" separate from their "personal identity", and not want to share cookies between these two contexts.”
First, the extension uses the feature to setup a Container to contain Facebook:
It then adds a request listener (containFacebook) to listen to requests to all URL:
The Listener will receive notifications and then basically apply a “filter” based on URLs and put them into corresponding containers.
Multi-Account Containers (MAC) extension
Multi-Account Containers (MAC) can be thought of as a generic version of Facebook Container. The Facebook Container extension only isolates Facebook, but it works automatically. On the other hand, MAC allows users to create containers for other sites and put them into separate containers, but that has to be done manually.
Under the hood, it separates website storage (e.g. cookies) into tab-specific Containers. Cookies created by one Container are not accessible by other Containers. As a result, a user’s social identity (in one Container) is separated from tracking scripts on other websites connected to a work identity.
Next, we will briefly dive into the technical implementation of the extension. The key component here is the global object browser.storage.local (“area”).
siteStoreKey is the unique key used to index the storage area when there is a need to get or set the data for a site.
A similar mechanism is also used to separate cookies (Figure 10)
NoScript Security Suite Extensions
As the name implies, NoScript is used to block executable content (e.g. JavaScript, Flash, Java) on untrusted domains.
It follows a blanket approach, so untrusted domains literally mean anything else besides explicitly trusted domains (the initial list is shown below.)
By blocking JavaScript, this extension protects users from being exploited by JavaScript attacks such as XSS, Clickjacking, CSRF attacks, cross-zone DNS rebinding, and Cryptocurrency mining malware. It also protects users against tracking scripts which intrude on privacy.
AdBlock Extension
AdBlock blocks all advertisements on web pages. This is important because advertisements typically employ behavioral targeting. This works by collecting information about users’ browsing behaviors, which obviously violate privacy. Note that not only cookies are used for tracking. Many new technologies allow mechanisms to be used for tracking as a well, like Flash cookies and HTML5 local storage.
The main blocking logic of AdBlock is shown below:
Decentraleyes Extension
Briefly speaking, when a web site downloads content (e.g. jQuery) from a CDN (Content Delivery Network—e.g. Google Hosted Libraries), the CDN can set a cookie belonging to the CDN’s domain. Then, when the user visits another website, such as www.bar.com, which also contains CDN content, these cookies will also be sent to the CDN when loading (e.g. HTTP requests) their CDN content. Hence, the CDN can then use these cookies to build up a browsing history of the user across all the websites that have content from this CDN.
Blocking requests for ads or trackers is usually ok, however blocking actual content almost certainly, breaks pages. And this is where Decentraleyes comes into the picture. In a nutshell, Decentraleyes “hooks“ those HTTP requests that fetch from CDN and instead serves local files (in other words: caches) to keep sites from breaking. This solution naturally complements regular ad blockers.
The logic for mapping is below:
As can be seen, the default mapping contains major libraries so it “just works”:
Ghostery Extension
In a sense, Ghostery is like AdBlock, but focuses more on trackers, so we’ll skip the lengthy introduction and focus more on the technical side. Essentially, Ghostery can detect and block trackers and hence speed up page loads while protecting your privacy.
Hooking scripts are set to run on all URI (both http and https):
Thanks to its clever design, it is rather straightforward to see that Ghostery can indeed block trackers early on.
We can now dive deeper in to the default blocklist (bugs.json). Here we can see that Ghostery has an extensive blacklist that can match trackers using both literal strings and regular expressions.
Final Thoughts
Certainly, there is no such thing as a free lunch. The privacy vs functionality trade-off means that some or all of the extensions listed above may break some websites in subtle ways that are hard to debug. And some websites that depend on tracking revenue to support their service can detect blocking and may prevent someone using them to access their content. It is also an open research question as to whether one can completely prevent tracking and profiling because fundamentally speaking, each HTTP request leaks some information in one form or another.
Nevertheless, all is not lost, because together with the defenses detailed above, the FortiGuard Web Filtering Service can automatically block all malicious websites and script out of the box, and custom signatures can always be added later on as new threats are identified. And at the same time, other vendors have also begun stepping up their efforts to protect privacy, which is an encouraging trend.
As always, FortiGuard Labs will keep monitoring the threat landscape and share interesting insights from our research.
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.