Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors

Abstract

—Modern web browsers constitute complex application platforms with a wide range of APIs and features. Critically, this includes a multitude of heterogeneous mechanisms that allow sites to store information that explicitly or implicitly alters client-side state or functionality. This behavior implicates any browser storage, cache, access control, and policy mechanism as a potential tracking vector. As demonstrated by prior work, tracking vectors can manifest through elaborate behaviors and exhibit varying characteristics that differ vastly across different browsing contexts. In this paper we develop CanITrack, an automated, mechanism-agnostic framework for testing browser features and uncovering novel tracking vectors. Our system is designed for facilitating browser vendors and researchers by streamlining the systematic testing of browser mechanisms. It accepts methods to read and write entries for a mechanism and calls these methods across different browsing contexts to determine any potential tracking vulnerabilities that the mechanism may expose. To demonstrate our system’s capabilities we test 21 browser mechanisms and uncover a slew of tracking vectors, including 13 that enable third-party tracking and two that bypass the isolation offered by private browsing modes. Importantly, we show how two separate mechanisms from Google’s highly-publicized and widely-discussed Privacy Sandbox initiative can be leveraged for tracking. Our experimental findings have resulted in 20 disclosure reports across seven major browsers, which have set remediation efforts in motion. Overall, our study highlights the complex and formidable challenge that browsers currently face when trying to balance the adoption of new features and protecting the privacy of their users, as well as the potential benefit of incorporating CanITrack into their internal testing pipeline.