Sciweavers

CCS
2010
ACM

An empirical study of privacy-violating information flows in JavaScript web applications

13 years 10 months ago
An empirical study of privacy-violating information flows in JavaScript web applications
The dynamic nature of JavaScript web applications has given rise to the possibility of privacy violating information flows. We present an empirical study of the prevalence of such flows on a large number of popular websites. We have (1) designed an expressive, fine-grained information flow policy language that allows us to specify and detect different kinds of privacy-violating flows in JavaScript code, (2) implemented a new rewriting-based JavaScript information flow engine within the Chrome browser, and (3) used the enhanced browser to conduct a large-scale empirical study over the Alexa global top 50,000 websites of four privacyviolating flows: cookie stealing, location hijacking, history sniffing, and behavior tracking. Our survey shows that several popular sites, including Alexa global top-100 sites, use privacy-violating flows to exfiltrate information about users' browsing behavior. Our findings show that steps must be taken to mitigate the privacy threat from covert flows...
Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav S
Added 06 Dec 2010
Updated 06 Dec 2010
Type Conference
Year 2010
Where CCS
Authors Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham
Comments (0)