An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications

By Dongseok Jang, Ranjit Jhala, Sorin Lerner, and Hovav Shacham.

In Proceedings of CCS 2010, pages 270–83. ACM Press, Oct. 2010.

Abstract

The dynamic nature of JavaScript web applications has given rise to the possibility of privacy violating information flows. We present an empirical study of the prevalence of such flows on a large number of popular websites. We have (1) designed an expressive, fine-grained information flow policy language that allows us to specify and detect different kinds of privacy-violating flows in JavaScript code, (2) implemented a new rewriting-based JavaScript information flow engine within the Chrome browser, and (3) used the enhanced browser to conduct a large-scale empirical study over the Alexa global top 50,000 websites of four privacy-violating flows: cookie stealing, location hijacking, history sniffing, and behavior tracking. Our survey shows that several popular sites, including Alexa global top-100 sites, use privacy-violating flows to exfiltrate information about users' browsing behavior. Our findings show that steps must be taken to mitigate the privacy threat from covert flows in browsers.

Material

published paper, (PDF), © ACM.

local copy (PDF).

Reference

@InProceedings{JJLS10, author = {Dongseok Jang and Ranjit Jhala and Sorin Lerner and Hovav Shacham}, title = {An Empirical Study of Privacy-Violating Information Flows in {JavaScript} {Web} Applications}, booktitle = {Proceedings of CCS 2010}, year = 2010, editor = {Angelos Keromytis and Vitaly Shmatikov}, month = oct, publisher = {ACM Press}, pages = {270-83} }