DOI: 10.1145/3589334.3645493
research-article
Open Access
Artifacts Available / v1.1

The Double Edged Sword: Identifying Authentication Pages and their Fingerprinting Behavior

Published: 13 May 2024

ABSTRACT

Browser fingerprinting is often associated with cross-site user tracking, a practice that many browsers (e.g., Safari, Brave, Edge, Firefox, and Chrome) want to block. However, less is publicly known about its uses to enhance online safety, where it can provide an additional security layer against service abuses (e.g., in combination with CAPTCHAs) or during user authentication. To the best of our knowledge, no fingerprinting defenses deployed thus far consider this important distinction when blocking fingerprinting attempts, so they might negatively affect website functionality and security.

To address this issue, we make three main contributions. First, we introduce a novel machine learning-based method to automatically identify authentication pages (i.e., login and sign-up pages). Our supervised algorithm achieves 96-98% precision and recall on a manually labelled dataset of almost 1,000 popular sites. Second, we compare our algorithm with methods from prior works on the same dataset, showing that it significantly outperforms all of them. Third, we quantify the prevalence of fingerprinting scripts on login and sign-up pages (10.2%) versus on other pages (9.2%); while the rates of fingerprinting are similar, home pages and authentication pages differ in the third-party scripts they include and in how often these scripts are labeled as tracking. We also highlight substantial differences in fingerprinting between login and sign-up pages. Our work sheds light on the complicated reality that fingerprinting is used both to protect user security and to invade user privacy; this dual nature must be considered by fingerprinting mitigations.
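A rule-based sketch of the first contribution, added here as an example; it is not the paper's code and not its machine-learning classifier. It pulls a few DOM-level signals (password fields, identifier fields, `autocomplete` hints, login and sign-up keywords in visible text) out of static HTML with Python's standard-library parser and labels the page as login, sign-up or other. The keyword lists, regular expressions and decision rules are assumptions chosen for illustration, and the four HTML pages are constructed inputs, not real sites. It also covers one case a bare `input[type=password]` check misses: identifier-first login flows that ask for the email or phone number before showing a password field.

```python
"""Rule-based login / sign-up page detector over static HTML.

Added example; not the paper's classifier. Every keyword list, regular
expression and decision rule below is an illustrative assumption.
"""
import re
from html.parser import HTMLParser

# Assumed keyword lists, matched as lowercase substrings of visible text.
LOGIN_WORDS = ("log in", "login", "sign in", "signin", "forgot password", "remember me")
SIGNUP_WORDS = ("sign up", "signup", "register", "create account", "create an account",
                "confirm password", "terms of service", "i agree")
# Identifier-looking name/id/autocomplete/placeholder hints (assumed).
IDENT_RE = re.compile(r"user|email|login|phone")
# A second, "confirm" password field is a strong sign-up signal (assumed).
CONFIRM_RE = re.compile(r"confirm|repeat|verify|again|password2")


class _PageScanner(HTMLParser):
    """Collects <form> count, <input> fields and visible text; skips script/style."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.inputs = []   # (input type, lowercased hint built from name/id/autocomplete/placeholder)
        self.texts = []    # lowercased visible text fragments, plus submit-button values
        self._skip = 0     # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "form":
            self.forms += 1
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            hint = " ".join(filter(None, (a.get("name"), a.get("id"),
                                          a.get("autocomplete"), a.get("placeholder")))).lower()
            if itype == "submit" and a.get("value"):
                self.texts.append(a["value"].lower())
            self.inputs.append((itype, hint))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            text = " ".join(data.split()).lower()
            if text:
                self.texts.append(text)


def extract_features(html):
    """Reduce one HTML document to the handful of signals the rules below use."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    text = " ".join(scanner.texts)
    passwords = [hint for itype, hint in scanner.inputs if itype == "password"]
    identifiers = [hint for itype, hint in scanner.inputs
                   if itype in ("email", "tel") or IDENT_RE.search(hint)]
    return {
        "forms": scanner.forms,
        "password_fields": len(passwords),
        "identifier_fields": len(identifiers),
        "confirm_password": len(passwords) >= 2 or any(CONFIRM_RE.search(h) for h in passwords),
        "new_password": any("new-password" in h for h in passwords),
        "login_hits": sum(text.count(w) for w in LOGIN_WORDS),
        "signup_hits": sum(text.count(w) for w in SIGNUP_WORDS),
    }


def classify(f):
    """Return 'login', 'signup' or 'other' for a feature dict (assumed rules)."""
    if f["password_fields"] == 0:
        # Identifier-first flows collect email/phone and show the password on a
        # later step; a plain password-field check would label them 'other'.
        if f["forms"] and f["identifier_fields"] and (f["login_hits"] or f["signup_hits"]):
            return "signup" if f["signup_hits"] > f["login_hits"] else "login"
        return "other"
    if f["confirm_password"] or f["new_password"] or f["signup_hits"] > f["login_hits"]:
        return "signup"
    return "login"


def classify_html(html):
    return classify(extract_features(html))


# Constructed sample pages (not real sites).
LOGIN_HTML = """<h1>Sign in to your account</h1><a href="/signup">Sign up</a>
<form action="/login" method="post"><input name="email" type="email" autocomplete="username">
<input name="password" type="password" autocomplete="current-password">
<input type="checkbox" name="remember"> Remember me <button type="submit">Sign in</button>
<a href="/reset">Forgot password?</a></form><script>fp()</script>"""
SIGNUP_HTML = """<h1>Create an account</h1><form action="/register" method="post">
<input name="email" type="email"><input name="password" type="password" autocomplete="new-password">
<input name="password_confirm" type="password" autocomplete="new-password">
<input type="checkbox" name="tos"> I agree to the Terms of Service
<button type="submit">Sign up</button></form><p>Already have an account? <a href="/login">Sign in</a></p>"""
HOME_HTML = """<nav><a href="/login">Sign in</a> <a href="/signup">Sign up</a></nav>
<form action="/search"><input name="q" type="search" placeholder="Search products"><button>Search</button></form>
<h1>Welcome to the store</h1>"""
IDENTIFIER_FIRST_HTML = """<h1>Sign in</h1><form action="/identifier" method="post">
<input name="identifier" type="text" autocomplete="username" placeholder="Email or phone">
<button type="submit">Next</button></form><a href="/create">Create account</a>"""

if __name__ == "__main__":
    for name, page in [("login", LOGIN_HTML), ("signup", SIGNUP_HTML),
                       ("home", HOME_HTML), ("identifier-first", IDENTIFIER_FIRST_HTML)]:
        print(f"{name:16s} -> {classify_html(page)}")
```

Heuristics like this are cheap but brittle: a password-change form in account settings, a page that embeds both a login and a sign-up form, or a site whose buttons are not in English will all be misclassified by the rules above, which is the gap a learned classifier trained on labelled pages is meant to close.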

Supplemental Material

rfp1107.mov (supplemental video, MOV, 87.6 MB)


Published in

WWW '24: Proceedings of the ACM on Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334

Copyright © 2024 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

research-article

Acceptance Rates

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%