Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement
Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. In this presentation, I will discuss a vulnerability in cross-device tracking. This attack, which we call Identity Entanglement, enables an attacker to extract specific user browsing behavior from ad networks remotely, knowing only a victim’s email address, with no access to the victim, ad network, or websites. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bidirectional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.
Damon McCoy is an Associate Professor of Computer Science and Engineering at New York University's Tandon School of Engineering. His research focuses on empirically measuring the security and privacy of technology systems and their intersections with society.