Context

Cookie banners prompt users to consent to the processing of identification data. This large-scale study proves that a user who consents to tracking executes 45% more third-party scripts and is exposed to 63% more security-sensitive data flows on average.

More than 33% of the scripts executed after consent has been given are vulnerable to XSS (cross-site scripting).

  • a user who consents to cookies is browsing a much more insecure and dangerous version of the same website

Exploiting cookie banners

While cookie banners are supposed to give the user control over their personal data, they often employ dark patterns to lure users into giving as much consent as possible, or overwhelm them with complicated choices.

The hypothesis is that if data collection requires consent by the user, the corresponding code carrying out that collection should only be executed once consent is given. Thus, providing consent via a cookie banner dialog will increase the attack surface of a website’s JavaScript code and lead to a reduction in security.

Contributions

  • A methodology to automatically accept cookie dialogs, thereby maximizing the consent given for tracking (i)
  • A study over the European web landscape, measuring the effects of accepting a banner with a focus on additionally loaded and executed code (ii)
  • An analysis on the security impact of cookie banners based on the increase of dangerous taint flows and XSS (cross site scripting) vulnerabilities after giving consent (iii)

Discussions

While website owners do have the option to create their own custom implementation, it is non-trivial to create a banner that complies with all laws and regulations. Using a CMP (Consent Management Provider) is a common choice.

The most important functionality that such a banner must provide is to ensure that no tracking cookies are stored and consequently no advertisements are shown to the user before they consent.

(i) A tool called Acceptify was built to automatically find the cookie banner and its corresponding accept button on arbitrary websites. It was possible to detect the correct click on a banner by using the TCF API as a test oracle: correctly clicking on “accept cookies” will cause this API, if present on the target website, to increment a counter.

(ii) Accepting a banner that gives a website the consent to process identification data causes a number of extra scripts to be loaded, mostly related to targeted advertisement. It is possible to identify the scripts loaded before and after the consent is given, and to observe how accepting cookies does, in fact, have an effect on the number of loaded scripts (44.54% more third-party code).

(iii) More external scripts loaded means more room for vulnerabilities, especially since these external scripts are often imported libraries, and they process sensitive id-related information.

  • it is possible to trace the information flow, that is, what this external code is doing, by performing a DTA (dynamic taint analysis) that “taints” objects or functions and “follows” the execution flow, hoping to find a sink function, such as document.write, innerHTML, eval
  • the whole JavaScript code has been tested with a proof-of-concept exploit (DOM XSS)
  • two versions of each website are compared: accepting and not accepting the cookies
  • over one third of the domains with Client-Side XSS are only vulnerable if the user has given consent to data collection.
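
The comparison in item (iii), as an added example that is not code from the study: a toy dynamic taint analysis in JavaScript that marks values read from sources, propagates the mark through concatenation, and records any marked value that reaches document.write, innerHTML or eval. The fake page object, the script names and the source values are constructed assumptions; the study's own instrumentation is not shown on this page.

```javascript
// Toy dynamic taint analysis; page model and script names are constructed.
class Tainted {
  constructor(value, source) { this.value = String(value); this.source = source; }
  // Propagation: data derived from a tainted value stays tainted.
  concat(other) {
    const text = other instanceof Tainted ? other.value : String(other);
    return new Tainted(this.value + text, this.source);
  }
}

// Run each script against a fake page whose sinks record tainted arguments.
function analyze(scripts) {
  const flows = [];
  let running = null;
  const sink = (name) => (data) => {
    if (data instanceof Tainted) flows.push({ script: running, source: data.source, sink: name });
  };
  const page = {
    hash: () => new Tainted('#campaign=demo', 'location.hash'),
    cookie: () => new Tainted('uid=constructed', 'document.cookie'),
    write: sink('document.write'),
    innerHTML: sink('innerHTML'),
    eval: sink('eval'),
  };
  for (const [name, body] of Object.entries(scripts)) { running = name; body(page); }
  return flows;
}

// Constructed inventories: scripts executed without and with consent.
const beforeConsent = {
  'first-party/app.js': (p) => p.innerHTML('<p>static content</p>'),
};
const afterConsent = {
  ...beforeConsent,
  'ads.example/tag.js': (p) => p.write(p.hash().concat('<!-- ad slot -->')),
  'tracker.example/sync.js': (p) => p.eval(p.cookie().concat(';')),
};

// Source-to-sink flows that appear only in the consented version of the page.
function consentOnlyFlows() {
  const key = (f) => `${f.script}|${f.source}|${f.sink}`;
  const seen = new Set(analyze(beforeConsent).map(key));
  return analyze(afterConsent).filter((f) => !seen.has(key(f)));
}

console.log(consentOnlyFlows());
```

The sinks here only record the flow and never render or evaluate the data, so the output is the list of flows that exist solely because the consent-gated scripts ran.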
