DOI: 10.1145/3564625.3564647

Accept All Exploits: Exploring the Security Impact of Cookie Banners

Published: 05 December 2022

Abstract

The General Data Protection Regulation (GDPR) and related regulations have had a profound impact on most aspects of privacy on the Internet. By requiring the user's consent for, e.g., tracking, an affirmative action has to take place before such data collection is lawful, which has led to the spread of so-called cookie banners across the Web. While the privacy impact of these banners and how well companies adhere to the regulations have been studied in detail, an open question is what effect these banners have on the security of netizens.
In this work, we systematically investigate the security impact of consenting to a cookie banner. For this, we design an approach to automatically give maximum consent to these banners, enabling us to conduct a large-scale crawl. We find that a user who consents to tracking executes 45% more third-party scripts and is exposed to 63% more security-sensitive data flows on average. This significantly increased attack surface is not a mere theoretical danger, as our examination of Client-Side Cross-Site Scripting (XSS) vulnerabilities shows: by consenting, the number of websites vulnerable to our verified XSS exploits increases by 55%. In other words, more than one third of all affected websites are vulnerable to XSS only because of code that requires user consent. This means that users who consent to cookies are browsing a much more insecure and dangerous version of the Web.
Beyond this immediate impact, our results also raise the question of the actual state of client-side web security as a whole. Since few studies state the vantage point of their measurements, and even fewer take cookie notices into account, they most likely underreport the prevalence of vulnerabilities on the Web at large.




Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
December 2022, 1021 pages
ISBN: 9781450397599
DOI: 10.1145/3564625

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Cross-Site Scripting
2. GDPR
3. Tainting
4. Web Security

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• European Union's Horizon 2020
• DFG

Conference

ACSAC

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%

Article Metrics

• Downloads (last 12 months): 132
• Downloads (last 6 weeks): 4

Reflects downloads up to 09 Jan 2025


Cited By

• SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. 2024 IEEE Symposium on Security and Privacy (SP), 673–696. DOI: 10.1109/SP54263.2024.00206. Online publication date: 19 May 2024.
• Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials. 2024 IEEE Symposium on Security and Privacy (SP), 203–221. DOI: 10.1109/SP54263.2024.00177. Online publication date: 19 May 2024.
• To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape. 2024 IEEE Symposium on Security and Privacy (SP), 1500–1516. DOI: 10.1109/SP54263.2024.00094. Online publication date: 19 May 2024.
• Do Cookie Banners Respect My Browsing Privacy? Measuring the Effectiveness of Cookie Rejection for Limiting Behavioral Advertising. IEEE Access 12, 174539–174550. DOI: 10.1109/ACCESS.2024.3494539. Online publication date: 2024.
• Information flow control for comparative privacy analyses. International Journal of Information Security 23(5), 3199–3216. DOI: 10.1007/s10207-024-00886-0. Online publication date: 1 October 2024.
• Load-and-Act: Increasing Page Coverage of Web Applications. Information Security, 163–182. DOI: 10.1007/978-3-031-49187-0_9. Online publication date: 15 November 2023.
