
Digital Duality: Exploring the Privacy and Security Threats of Modern Web Browsers

Lin, Xu. University of Illinois at Chicago ProQuest Dissertations & Theses, 2024. 31496182.

Abstract (summary)

In today’s interconnected world, the Web has become an integral part of our daily lives, with web browsers serving as the central hub of our digital existence. While the continuous enhancement of modern browser functionalities and APIs improves the user experience, it also opens the door to potential new security vulnerabilities and privacy breaches. Our objective is to investigate the security and privacy threats posed by modern web technologies, explore the corresponding countermeasures, and emphasize the importance of comprehensive security assessments before deploying new web features. This dissertation focuses on autofill functionality and browser fingerprinting. The former is a browser feature, and the latter is a series of techniques that leverage browser features. While both lead to privacy violations, they present distinct challenges and implications. The autofill functionality, designed for user convenience, allows a novel side-channel attack for stealthy data extraction. In contrast, browser fingerprinting, despite its privacy concerns, is leveraged for augmenting authentication, which inadvertently results in account compromises.

First, the dissertation explores the privacy threats of browser autofill functionality. We develop a series of new techniques for concealing the presence of form elements that allow us to obtain sensitive user information while bypassing existing browser defenses. Subsequently, our in-depth investigation reveals a series of flaws and idiosyncrasies, which we exploit through a series of novel attack vectors that target specific aspects of browsers’ behavior. By chaining these together, we are able to demonstrate a novel invasive side-channel attack that exploits autofill preview functionality for inferring sensitive information even when users choose not to utilize autofill. This attack affects all major Chromium-based browsers and allows attackers to probe users’ autofill profiles for over a hundred thousand candidate values (e.g., credit card and phone numbers).

Browser fingerprinting is a more complex aggregation of features that is widely used for online tracking at the price of user privacy. While browser fingerprinting is traditionally dependent on JavaScript, we explore a new dimension of the tracking techniques, demonstrating how it can be achieved without using any JavaScript APIs. We develop a novel fingerprinting system that relies exclusively on CSS features and implicitly infers system characteristics, through carefully constructed and arranged HTML elements. We empirically demonstrate our system’s effectiveness against privacy-focused browsers (e.g., Safari, Firefox, Brave, Tor) and popular privacy-preserving extensions. We also conduct a pilot study within the IBM Research Intranet network and find that our system is comparable to a state-of-the-art JavaScript-based fingerprinting library at distinguishing devices, while outperforming it against browsers with anti-fingerprinting defenses. Our work highlights an additional dimension of the significant challenge posed by browser fingerprinting, and reaffirms the need for more robust detection systems and countermeasures.

While browser fingerprinting is often associated with privacy concerns, it has been incorporated into the authentication workflow of major services as part of their decision-making process for triggering additional security mechanisms. However, the inherent characteristics of browser fingerprints that render them an attractive authentication-augmenting factor also lend them to being used against the authentication process itself. We present a comprehensive and in-depth exploration of the security implications of real-world systems relying on browser fingerprints for authentication. Subsequently, we demonstrate how phishing attackers can replicate users’ fingerprints on different devices to deceive the risk-based authentication systems of high-value web services (e.g., cryptocurrency trading) to completely bypass two-factor authentication. Our analysis of phishing websites reveals a worrying trend: an increasing number of phishing sites targeting certain financial institutions are collecting all the necessary fingerprinting attributes to perform our attacks. 

Indexing (details)


Subject
Web studies;
Computer engineering;
Computer science
Classification
0646: Internet and social media studies
0984: Computer science
0464: Computer Engineering
Identifier / keyword
Web security; Web authentication; Browser fingerprinting; Form autofill; Privacy
Title
Digital Duality: Exploring the Privacy and Security Threats of Modern Web Browsers
Author
Lin, Xu
Number of pages
159
Publication year
2024
Degree date
2024
School code
0799
Source
DAI-A 85/12(E), Dissertation Abstracts International
ISBN
9798382952130
Advisor
Polakis, Jason
Committee member
Kanich, Chris; Solworth, Jon A.; Nikiforakis, Nick; Kapravelos, Alexandros
University/institution
University of Illinois at Chicago
Department
Computer Science
University location
United States -- Illinois
Degree
Ph.D.
Source type
Dissertation or Thesis
Language
English
Document type
Dissertation/Thesis
Dissertation/thesis number
31496182
ProQuest document ID
3075562291
Copyright
Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Document URL
https://www.proquest.com/docview/3075562291/abstract/