The security and privacy protections built into browsers, ad blockers, and anti-tracking extensions are not as robust as widely believed, a team of three academics from the Catholic University of Leuven, Belgium (KU Leuven) revealed yesterday.

Their work analyzed the anti-tracking settings built into modern browsers, as well as those provided by some popular extensions (add-ons).

Researchers analyzed seven browsers and 46 extensions

Researchers looked at how browsers prevent third-party services, such as advertising companies, from tracking users via cross-site requests and persistent cookies. Several browsers have gained built-in support for such features in the past two years, such as Firefox's new Tracking Protection feature or Opera's built-in ad blocker.

In addition, the research trio looked at two types of browser extensions, ad blockers and tracking protection add-ons, both of which advertise themselves as tools that prevent advertisers from tracking users via persistent cookies.

The KU Leuven team developed a custom framework that allowed them to test these cookie-based anti-tracking features in seven browsers, 31 ad blocker extensions, and 15 anti-tracking extensions.

Each browser or extension susceptible to at least one bypass

The research team says that for each tested browser or extension they found at least one technique that bypasses its defenses.

For their research, the KU Leuven team tested whether browsers and extensions blocked cookie-bearing cross-site requests initiated via:

- the AppCache API (AppCache in the tables below)

- the use of lesser-known HTML tags (HTML in the tables below),

- the "Location" response header (Headers in the tables below),

- various types of <meta> tag redirects (Redirects in the tables below),

- JavaScript code embedded within PDF files (PDF JS in the tables below),

- the JavaScript "location.href" property (JS in the tables below),

- or through service workers (SW in the tables below).

The results of their tests are as follows:

Bypasses are new, not used in the wild yet

Furthermore, the academics scanned the Alexa Top 10,000 most popular sites, visiting 160,059 web pages, in search of evidence that advertisers or other user-tracking services were using one of the techniques they discovered.

Results of this scan showed that none of the visited websites was using any of these techniques to circumvent browser or ad blocker tracking protections.
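A simplified, defender-side version of such a crawl check, added here as an illustration and not the KU Leuven framework: it parses one page and flags the request-initiating mechanisms from the list above (AppCache manifest, <meta> refresh redirect, embedded PDF, location.href assignment) whose target lies on a different site than the page itself. The page URL, the sample HTML, and the two-label approximation of a "site" are constructed assumptions; the Location response header and the lesser-known HTML tags are not covered, since the first needs the HTTP response and the second needs the paper's tag list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
LOCATION_HREF = re.compile(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]")

def site_of(url):  # assumption: "site" = last two host labels (no public-suffix list)
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])

class VectorScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._in_script = page_url, [], False  # findings: (vector, url, is_cross_site)

    def _note(self, vector, target):
        url = urljoin(self.page_url, target)  # resolve relative targets against the page
        self.findings.append((vector, url, site_of(url) != site_of(self.page_url)))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html" and a.get("manifest"):                            # AppCache
            self._note("AppCache", a["manifest"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            if m := META_REFRESH.match(a.get("content") or ""):            # Redirects
                self._note("Redirects", m.group(1))
        elif tag == "embed" and (a.get("src") or "").lower().endswith(".pdf"):  # PDF JS
            self._note("PDF JS", a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:                                                 # JS
            for m in LOCATION_HREF.finditer(data):
                self._note("JS", m.group(1))

def scan(page_url, markup, cross_site_only=True):
    scanner = VectorScanner(page_url)
    scanner.feed(markup)
    return [f for f in scanner.findings if f[2] or not cross_site_only]

# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """<!doctype html><html manifest="https://cdn.tracker.example/app.appcache">
<meta http-equiv="refresh" content="0; url=https://tracker.example/land?id=42">
<script>if (x) location.href = "https://tracker.example/redir"; location.href = '/home';</script>
<embed src="https://tracker.example/doc.pdf" type="application/pdf"></html>"""
```

Run against the sample with `scan("https://news.example.com/story", SAMPLE_HTML)` to get the four cross-site hits; the same-site `/home` navigation is reported only with `cross_site_only=False`.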

This means that the techniques presented in their paper are novel and might prove a goldmine for user-tracking services, which could use them to bypass the anti-tracking features of some browsers and popular ad blockers.

Bypass techniques reported to browser makers

To help keep users safe, the researchers not only reported the bugs to browser vendors but also proposed fixes to browser APIs and tools to counter the newly discovered bypasses.

These bug reports are documented on a website at wholeftopenthecookiejar.eu.

The portal also includes a breakdown of each test the researchers carried out, per browser and extension, including the version tested. The framework used for these tests is also available on GitHub.

The KU Leuven academics also warned that the new "same-site cookies" security feature, recently added to Firefox and likely to spread to other browsers, will not prevent the bypasses they discovered.

Award-winning research

The research team presented their work yesterday at the 27th USENIX Security Symposium, held in Baltimore, USA.

Their paper, entitled "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies," won the conference's Distinguished Paper Award. The paper is available for free download here or here.