On-Site Javascript Trackers Open Gaping Security Holes

ExchangeWire invite Dr Augustine Fou (pictured below), a cybersecurity and ad fraud researcher, who advises advertisers, publishers, and agencies on the technical aspects of fighting digital ad fraud and improving the effectiveness of digital advertising, to explain the threats that javascript trackers pose to website owners (i.e. publishers) when installed on their sites. Dr Fou frequently reports on the topics of cybersecurity and ad fraud, having recently written a piece about covert keylogging, where javascript trackers and analytics packages can collect logins and passwords from users without their knowledge.

They steal your data without paying for it

Let’s start with a javascript-based analytics package that everyone is familiar with – Google Analytics. It is installed on-site by adding a few lines of code to the website’s page templates so every page will have the analytics trackers. The javascript of Google Analytics collects information about visitors and their visits – like how many of them came, how long they stayed, and which pages they looked at. The javascript can also detect things like the screen resolution, operating system, browser version, geolocation of the user, and many other factors about the users.

Normally, these analytics are used by the website owner to better understand their audience. But once third-party javascript trackers are installed on the site, the third parties have access to all of this information, and more, if they choose to do less-than-ethical things. The collection of detailed analytics by third parties is often referred to as 'data leakage'; but the problem has grown to be so large, when dozens upon dozens of javascript trackers are added to sites, that the leak is more like a flood.

So, would you give third parties the login to your Google Analytics? Further, what if I told you they were using your data and making money from it, under the cover of programmatic ad tech and data management providers?

Recommended action: publishers should drastically reduce the number of third-party javascript embeds on their site to reduce this data leakage problem and the security risks detailed below.
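
As a starting point for that reduction, the following added example (not code from the article or its author) lists the external script embeds found in a page's markup, grouped by host. The hostnames, the sample markup and the function names are constructed for illustration.

```javascript
// Added example (not from the article): list external <script> embeds by host.
// Hostnames and markup below are constructed sample data.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://www.publisher.example/js/menu.js"></script>
<script async src="//tags.tracker-a.example/t.js"></script>
<script src="https://tags.tracker-a.example/pixel.js"></script>
<script src='https://cdn.widgets-b.example/w.js' integrity="sha384-CONSTRUCTED"></script>
<script>var inline = 1;</script>`;

function isFirstParty(host, firstPartyHosts) {
  return firstPartyHosts.some((fp) => host === fp || host.endsWith('.' + fp));
}

function inventoryThirdPartyScripts(html, pageUrl, firstPartyHosts) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const byHost = new Map();
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(tag[1]);
    if (!src) continue; // inline script: no external host involved
    let url;
    try {
      // Resolves relative and protocol-relative (//host/path) URLs.
      url = new URL(src[1] ?? src[2] ?? src[3], pageUrl);
    } catch {
      continue; // unparseable src attribute
    }
    const host = url.hostname.toLowerCase();
    if (isFirstParty(host, firstPartyHosts)) continue;
    const entry = byHost.get(host) ?? { host, count: 0, allPinned: true, urls: [] };
    entry.count += 1;
    entry.urls.push(url.href);
    // Without Subresource Integrity the remote host can change the code at any time.
    if (!/(?:^|\s)integrity\s*=/i.test(tag[1])) entry.allPinned = false;
    byHost.set(host, entry);
  }
  return [...byHost.values()].sort((a, b) => b.count - a.count);
}

const report = inventoryThirdPartyScripts(
  SAMPLE_HTML, 'https://www.publisher.example/article', ['publisher.example']);
console.log(report);
```

This only sees scripts present in the static markup; scripts that a tag manager or another tracker injects at runtime have to be inventoried from the browser's network requests instead.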

They steal your ad dollars by raiding your cookie jar

In programmatic advertising, the promise to advertisers is that they can reach audiences no matter where they show up. Ad exchanges have vast numbers of sites in their networks, so they can show ads to particular users when they show up on any site in the network. In fact, if a user expresses interest in specific topics by visiting certain sites, they can be re-targeted with ads that match that interest. And advertisers are willing to pay premiums to get their ads in front of those targeted users.

Because of this, knowing who the user is (without needing personal information from the user) has become very important and, therefore, very valuable. Typically, websites set cookies on the users who visit their site, for convenience in identifying them when they come back. Sites also set session cookies, so they know users have already logged in. Third-party javascript trackers installed on the site can read the site’s cookies, including session cookies, copy them, and send them back to data collection servers. But why would they do that?

Having studied ad fraud for many years, I, and other researchers, have shown that the 'bad guys' actively cover their tracks to avoid detection. They do this by making their fraud bots appear to be human. The best way to accomplish this is by 'collecting cookies' – sending their bots to websites and allowing the site to set cookies; but easier still is just stealing cookies from real human visitors (i.e. 'cookie cloning').

Once the fraud bots have a beautiful collection of cookies, they become particularly attractive targets for advertisers who will pay extra to show ads to them. The bot is then directed to go to a cash-out site owned by the bad guys. When an ad impression is created on that site, the ad dollars go there. That’s how the bad guys steal ad dollars away from legitimate sites. That’s why big publishers have seen ad revenue declines in recent years, as programmatic advertising continues to grow.

Recommended action: publishers should reduce third-party javascript trackers on their site to reduce the risk of cookie cloning. Sites should also monitor for bots constantly and prevent cookies from being given to bots that are used to siphon away ad revenue.
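
Whether an embedded script can copy a given cookie depends on how the site sets it: cookies carrying the HttpOnly attribute are not exposed to javascript through document.cookie. The added example below (not code from the article or its author) audits a site's Set-Cookie headers for that; the sample headers, the function names and the cookie-name heuristic are assumptions made for illustration.

```javascript
// Added example (not from the article): which cookies can page scripts read?
// A cookie set without HttpOnly is visible through document.cookie to every
// script running in the page, embedded third-party trackers included.
const SAMPLE_SET_COOKIE = [ // constructed sample response headers
  'SESSIONID=abc123; Path=/',
  'auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Max-Age=31536000; Path=/',
];

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: (eq === -1 ? pair : pair.slice(0, eq)).trim(),
    httpOnly: false, secure: false, sameSite: null,
  };
  for (const attr of attrs) {
    const [key, value = ''] = attr.trim().split('=');
    switch (key.trim().toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = value.trim().toLowerCase(); break;
    }
  }
  return cookie;
}

// sensitiveName is a hypothetical naming heuristic; adapt it to the site's own cookie names.
function auditCookies(headers, sensitiveName = /sess|sid|auth|token/i) {
  return headers.map(parseSetCookie).map((c) => {
    const findings = [];
    if (!c.httpOnly) findings.push('readable by page scripts via document.cookie');
    if (!c.secure) findings.push('also sent over plain HTTP');
    const sensitive = sensitiveName.test(c.name);
    let severity = 'ok';
    if (findings.length) severity = sensitive && !c.httpOnly ? 'high' : 'low';
    return { name: c.name, sensitive, scriptReadable: !c.httpOnly, severity, findings };
  });
}

console.log(auditCookies(SAMPLE_SET_COOKIE));
```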

They steal your users’ passwords and personal information

Finally, to add insult to injury, third-party javascript trackers can log keystrokes. So, if they are installed on pages where users enter logins and passwords, they can collect these. Do you really trust third-party javascript to do the right thing and not collect your users’ logins and passwords? And remember the part about cloning session cookies and re-using them so the bots they send to your site appear to be logged-in users? Ever wonder how researchers (not even black hat hackers) could so easily scrape 70,000 OKCupid users’ profile information? This occurred with a group of Danish researchers, who then publicly released the dataset of nearly 70,000 users of the online dating site.

Javascript installed on the site can also do far more nefarious things, as we and other ethical hackers have demonstrated. One example is clickjacking – a practice where javascript rewrites elements on a webpage, such as a video play button, to hijack users’ clicks for fraudulent purposes. These clicks can be simply fake clicks on ads, or worse, clicks to approve the installation of malware. Normally, human users would never approve a popup prompt to install software; but if they thought they were clicking play on a video, or clicking a hyperlink, they would never suspect the clickjacking, as I have previously reported.

Hopefully, it is clear now that not only have javascript trackers not added any value to publishers’ sites or helped them grow ad revenue; these third-party trackers embedded on the site actually allow data leakage, or worse, open up security holes that are jaw-droppingly gaping.

Recommended action: publishers should reduce or eliminate third-party javascript trackers embedded on site to close the gaping security holes that they create. Websites can use analytics packages from reputable companies or, better yet, host their own javascript-based analytics so they don’t give third parties direct access to the entire website and all its users.