Giters

stevenwdv / leaky-forms

Fork: Main repository of LeakyForms Study

Home Page:https://homes.esat.kuleuven.be/~asenol/leaky-forms/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (USENIX Security'22)

This repository contains the code for our paper titled Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.

The paper is based on a measurement of email and password collection that occurs before the form submission on the top 100,000 websites. We evaluate the effect of user location (EU vs. US), browser configuration (desktop vs. mobile), and interaction with consent dialogs (accept all/reject all/no interaction).

For a more detailed overview please visit the project's homepage.

Crawler

Code: https://github.com/asumansenol/leaky-forms-crawler

A high-level overview of our crawler is given below: Crawler Arch

We extended DuckDuckGo’s Tracker Radar Collector to measure email and password exfiltration. Our crawler was capable of detecting and filling email and password fields, and intercepting script access to filled input fields.

Email field detection: In order to identify email fields, we integrated into our crawler Firefox Relay’s Fathom-based email field classifier. Using this model allowed us to identify 76% more email fields than we would detect by simply searching for input fields with type email.

Consent automation: We integrated Consent-O-Matic into our crawler to investigate the effect of users’ consent preferences. Consent-O-Matic (Nouwens et al.) is a browser extension that can recognize and interact (e.g., accept or reject cookies) with various Consent Management Provider (CMP) pop-ups. We configured Consent-O-Matic to log detected CMPs, and interact with the CMP.

Data

The data from ten crawls performed between May 2021 and June 2021 is available for download from this link.

Leak Detector

Code: https://github.com/asumansenol/leaky-forms/tree/main/leak-detector

Leak detector module searches for the filled email address and the password, and their various encodings and hashes in the HTTP traffic. The module is based on Englehardt et al.’s method, but it was improved to detect novel ways to exfiltrate the personal data.

Analysis

Code: https://github.com/asumansenol/leaky-forms/tree/main/analysis

You can find the Jupyter notebooks, pickles and CSVs that are used in the analysis folder.

LeakInspector

Code: https://github.com/leaky-forms/leak-inspector

It is a proof-of-concept browser add-on that warns users against sniff attempts and blocks requests containing personal information. You can find the source code of this add-on in this repo.

Reference

@article{
    author    = {Asuman Senol and Gunes Acar and Mathias Humbert and Frederik Zuiderveen Borgesius},
    title     = {{Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission}},
    booktitle = {Proceedings of the 31st USENIX Security Symposium (USENIX)},
    year      = 2022,
    month     = August
}

About

Fork: Main repository of LeakyForms Study

https://homes.esat.kuleuven.be/~asenol/leaky-forms/

Languages

Language:Jupyter Notebook 76.9%Language:Python 18.7%Language:JavaScript 4.3%Language:Shell 0.1%