August 17, 2018

Ad-Blocking and Anti-Tracking Browser Extensions Can Be Bypassed

Researchers have discovered that browser add-ons and extensions intended to protect your privacy are not as secure as you may think.

By CBR Staff Writer

Extensions, add-ons and in-browser software designed to protect your security and privacy have holes which may allow threat actors and surveillance scripts to circumvent such barriers.

Academics from the Catholic University in Leuven, Belgium (KU Leuven) have uncovered ways to bypass the protections of these offerings, which are designed to prevent third parties from tracking your online activities.

Presented at the USENIX Security ’18 conference, the research, titled “Who left open the cookie jar?”, reveals how features such as Tracking Protection in Firefox can be circumvented to snatch user cookies.

Cookies are automatically attached to HTTP requests. They are used to track pages visited and purchases made, and can also be used to log in to website domains.

However, if obtained by threat actors, they may be used in cross-site scripting (XSS) attacks to hijack accounts and steal sensitive data. Cookies may also be collected en masse by advertising agencies for the purpose of covert data mining.

To test the defensive capabilities of in-browser protections, the group created a framework to verify whether cookie and request policies were compatible with maintaining user privacy, or whether browser stipulations on tracking could be avoided.


The researchers found that: “Despite their significant merits, the way cookies are implemented in most modern browsers also introduces a variety of attacks and other unwanted behavior.”

“More precisely, because cookies are attached to every request, including third-party requests, it becomes more difficult for websites to validate the authenticity of a request.”

The researchers tested a total of 7 browsers and 46 browser extensions and found that “most mechanisms” could be circumvented.

In addition, all of the in-browser protections and all of the extensions could be bypassed by at least one technique.

In a paper documenting the test, KU Leuven said that the framework was used to investigate cookie responses and circumvention by way of HTML tags, response headers, redirects, JavaScript, PDF-based JavaScript, the AppCache API and the Service Worker API.

A variety of implementation, design and configuration flaws all allowed the in-browser and third-party protections to be circumvented in some way.

The researchers crawled the Alexa top 10,000 websites to see whether or not any of these discovered flaws were in use and found no evidence to suggest that the bypasses are being actively exploited in the wild.

The academics have revealed their findings to browser vendors and extension developers and are working with the companies in question to develop solutions to mitigate the risk of user compromise.
