COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar

Pouneh Nikkhah Bahrami, Aurore Fass, Zubair Shafiq
2024-06-08
Abstract: As third-party cookies are going away, first-party cookies are increasingly being used for tracking. Prior research has shown that third-party scripts write (or *ghost-write*) first-party cookies in the browser's cookie jar because they are included in the website's main frame. What is more, a third-party script is able to access all first-party cookies, both the actual first-party cookies and the first-party cookies ghost-written by other third-party scripts. Existing isolation mechanisms in the web browser such as SOP and CSP are not designed to address this lack of isolation between first-party cookies written by different third parties. We conduct a comprehensive analysis of cross-domain first-party cookie retrieval, exfiltration, and modification on the top-10K websites. Most notably, we find that 18% and 4% of first-party cookies are exfiltrated and overwritten, respectively, by cross-domain third-party scripts. We propose COOKIEGUARD to introduce isolation between first-party cookies set by different third-party scripts in the main frame. To this end, COOKIEGUARD intercepts cookie get and set operations between third-party scripts and the browser's cookie jar to enforce strict isolation between first-party cookies set by different third-party domains. Our evaluation of COOKIEGUARD shows that it effectively blocks all cross-domain cookie read/write operations to provide a fully isolated cookie jar. While it generally does not impact appearance, navigation, or other website functionality, the strict isolation policy disrupts Single Sign-On (SSO) on just 11% of websites that rely on first-party cookies for session management. Our work demonstrates the feasibility of isolating first-party cookies.
Cryptography and Security
What problem does this paper attempt to address?
### Problems the paper attempts to solve

This paper attempts to solve the following two key research problems:

1. **How prevalent are third-party scripts retrieving, leaking, and modifying first-party cookies in the browser's cookie jar?**
   - As third-party cookies are gradually restricted or blocked by mainstream browsers, third-party scripts start using first-party cookies for tracking. These scripts can access and modify all first-party cookies, regardless of whether they created those cookies themselves. This lack of isolation has led to widespread leakage and modification of first-party cookies.
2. **How can first-party cookies be effectively isolated in the browser to prevent unauthorized third-party scripts from accessing, leaking, or modifying them?**
   - Existing browser security mechanisms (such as the Same-Origin Policy (SOP) and Content Security Policy (CSP)) cannot effectively isolate first-party cookies among different third-party scripts. Therefore, a new mechanism needs to be designed to achieve this goal.

### Background and threat model

- **Background**:
  - Current browser security mechanisms (such as SOP and CSP) cannot completely isolate first-party cookies, especially when third-party scripts are running in the main frame.
  - Third-party scripts can read and modify all first-party cookies through `document.cookie`, which leads to privacy and security risks.
- **Threat model**:
  - When third-party scripts run in the main frame, they are not restricted by SOP and can access and modify all first-party cookies.
  - These scripts may collect and leak sensitive information, such as browsing history, location data, or login status, and even hijack the user's session.

### Measurement methods

To measure the prevalence of cross-domain cookie operations and identify the parties responsible for them, the authors adopted the following methods:

1. **Web crawler tools**: use a modified version of PageGraph to record web page behavior.
2. **Data collection**: automate web page crawling to collect comprehensive page behavior data.
3. **Analysis command-line tool**: implement a command-line tool named pagegraph+ to analyze the collected data and detect various cross-domain script interactions.

### Measurement and analysis results

- **Inclusion of third-party scripts**:
  - Among the top 10,000 websites, 93.3% contain at least one third-party script, and on average each website contains 19 third-party scripts from 9 different domains.
  - On average, 70% of third-party scripts are related to advertising and tracking services.
- **Prevalence of cross-domain cookie operations**:
  - 60% of main-frame scripts are third-party scripts, of which 64% are advertising and tracking scripts.
  - 42% of websites have cross-domain cookie leakage, and 32% of websites have cross-domain cookie modification.
  - Overall, 18% of first-party cookies are leaked by cross-domain third-party scripts, and 4% of first-party cookies are overwritten by cross-domain third-party scripts.

### Proposed solution

- **COOKIEGUARD**:
  - Design and implement a browser extension to isolate first-party cookies created by third-party scripts in the main frame.
  - COOKIEGUARD enforces strict isolation between different third-party scripts by intercepting the getter and setter of `document.cookie`.
  - Evaluation results show that COOKIEGUARD blocks all cross-domain cookie read/write operations and has a relatively small impact on website functionality, breaking single sign-on (SSO) on only 11% of websites.

### Main contributions

1. **Comprehensively analyze large-scale first-party cookie operations and leakage**.
2. **Design and implement the browser extension COOKIEGUARD to isolate first-party cookies**.
3. **Evaluate the impact of the intervention on website functionality and its performance overhead**.

Through these studies, the authors demonstrate the feasibility of implementing first-party cookie isolation in the browser, thereby improving user privacy and security.
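The interception idea described above, as an added example that is not the paper's or COOKIEGUARD's own code: a `document.cookie` getter/setter wrapper that tags each cookie with the domain of the script that wrote it and refuses cross-domain reads and overwrites. It assumes the accessing script's domain is supplied by a resolver callback (how the extension attributes an access to a script is not stated on this page) and uses a plain object in place of `document` so it runs in Node.

```javascript
// Added example, not the paper's or COOKIEGUARD's own code: a minimal model of
// guarding `document.cookie` so each script domain reads and overwrites only the
// first-party cookies it set itself. Assumption: the accessing script's domain
// is supplied by a resolver callback (the extension's method is not given here).

// Parse a "name=value; attr=..." assignment; only name and value matter here.
function parseSetCookie(str) {
  const pair = String(str).split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Install a guarded `cookie` accessor on `doc` (a stand-in for `document`).
// `jar` maps cookie name -> { value, owner }; `whoIsCalling()` returns the
// domain of the script performing the access.
function installCookieGuard(doc, jar, whoIsCalling) {
  Object.defineProperty(doc, "cookie", {
    get() {
      const caller = whoIsCalling();
      // Read isolation: only cookies owned by the calling domain are returned.
      return [...jar.entries()]
        .filter(([, c]) => c.owner === caller)
        .map(([name, c]) => `${name}=${c.value}`)
        .join("; ");
    },
    set(str) {
      const caller = whoIsCalling();
      const parsed = parseSetCookie(str);
      if (!parsed) return;
      // Write isolation: a cookie owned by another domain cannot be overwritten.
      if (jar.has(parsed.name) && jar.get(parsed.name).owner !== caller) return;
      jar.set(parsed.name, { value: parsed.value, owner: caller });
    },
  });
}

// Constructed scenario: two third-party scripts running in a site's main frame.
function demo() {
  const jar = new Map();
  const doc = {};
  let current = "tracker-a.example";       // constructed domains
  installCookieGuard(doc, jar, () => current);
  doc.cookie = "trk_a=111; path=/";         // written by tracker A
  current = "tracker-b.example";
  doc.cookie = "trk_b=222";                 // written by tracker B
  const seenByB = doc.cookie;               // B cannot read trk_a
  doc.cookie = "trk_a=overwritten";         // B's cross-domain write is dropped
  current = "tracker-a.example";
  return { seenByA: doc.cookie, seenByB, jarSize: jar.size };
}
```

Without the guard, both scripts would see `trk_a=111; trk_b=222` and tracker B's overwrite of `trk_a` would succeed; with it, each script observes only its own cookie and the jar still holds A's original value.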