
Identity sharding and URL parameter tracking

Open ehsan opened this issue 5 years ago • 1 comments

Let's consider the following attack scenario:

  • The user goes to site.example and logs in using a third-party login.adtech.example frame.
  • site.example has a first-party script from analytics.adtech.example/analytics.js.
  • After the successful login, login.adtech.example frame does a parent.postMessage() to communicate the user's PII to a message handler set up by analytics.js.
  • The said message handler runs the loop in [1].
  • The user clicks a link to news.example which also has analytics.adtech.example/analytics.js embedded.
  • analytics.js looks at location.search to obtain the user's PII.
  • Now the user's identity has been joined across sites.

[1] pseudo-code

  for (each link in document) {
    link.href = injectPII(link.href);
  }

ehsan, Aug 30 '19 19:08

Indeed, so this is an example of joining that a browser should try to prevent. All three of the linked related works speak to various ways to try to cut down on "navigational tracking" / "link decoration". Some action against this threat would need to be a part of "Browsers impose limits [...] with the goal of preventing the joinability of these per-1p identities."

michaelkleber, Aug 30 '19 20:08
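A defensive sketch of how the link decoration described in this thread could be detected and undone, added here as an illustration; it is not code from either commenter or from the privacy-model proposal. The function names, the `uid` parameter, shop.example and the sample values are constructed assumptions, and hostname comparison stands in for a real same-site (eTLD+1) check.

```javascript
// Added example: flag link decoration by diffing link hrefs captured before
// and after page scripts ran. Hostnames and values below are constructed.

// Simplified site check (assumption): a real implementation would compare
// registrable domains using the Public Suffix List, not raw hostnames.
function isCrossSite(pageUrl, linkUrl) {
  return new URL(pageUrl).hostname !== new URL(linkUrl).hostname;
}

// Query parameters present in `after` that were absent or different in `before`.
function addedParams(before, after) {
  const original = new URL(before).searchParams;
  const added = [];
  for (const [name, value] of new URL(after).searchParams) {
    if (original.get(name) !== value) added.push({ name, value });
  }
  return added;
}

// Heuristic: the same value injected into links to two or more other sites
// behaves like an identifier being carried across navigations.
function findDecoration(pageUrl, snapshots) {
  const seen = new Map(); // "name\0value" -> { name, hosts }
  for (const { before, after } of snapshots) {
    if (!isCrossSite(pageUrl, after)) continue;
    for (const { name, value } of addedParams(before, after)) {
      const key = name + "\u0000" + value;
      if (!seen.has(key)) seen.set(key, { name, hosts: new Set() });
      seen.get(key).hosts.add(new URL(after).hostname);
    }
  }
  return [...seen.values()].filter((e) => e.hosts.size >= 2).map((e) => e.name);
}

// Remove the flagged parameters from a link before navigation.
function stripParams(href, names) {
  const url = new URL(href);
  for (const name of names) url.searchParams.delete(name);
  return url.toString();
}

const page = "https://site.example/";
const snapshots = [ // constructed sample data
  { before: "https://news.example/story?id=7", after: "https://news.example/story?id=7&uid=a1b2c3" },
  { before: "https://shop.example/", after: "https://shop.example/?uid=a1b2c3" },
  { before: "https://site.example/about", after: "https://site.example/about?uid=a1b2c3" },
];
const flagged = findDecoration(page, snapshots);
console.log(flagged, stripParams(snapshots[0].after, flagged));
```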