Ruhr-Uni-Bochum

Accept All Exploits: Exploring the Security Impact of Cookie Banners

2022

Conference / Journal

Authors

Moritz Kopmann Martin Johns Thomas Barber Marius Musch David Klein

Research Hub

Research Hub C: Sichere Systeme

Research Challenges

RC 8: Security with Untrusted Components

Abstract

The General Data Protection Regulation (GDPR) and related regulations have had a profound impact on most aspects related to privacy on the Internet. By requiring the user’s consent for e.g., tracking, an affirmative action has to take place before such data collection is lawful, leading to spread of so-called cookie banners across the Web. While the privacy impact and how well companies adhere to those regulations have been studied in detail, an open question is what effect these banners have on the security of netizens. In this work, we systematically investigate the security impact of consenting to a cookie banner. For this, we design an approach to automatically give maximum consent to these banners, enabling us to conduct a large-scale crawl. Thereby, we find that a user who consents to tracking executes 45% more third-party scripts and is exposed to 63% more security sensitive data flows on average. This significantly increased attack surface is not a mere theoretical danger, as our examination of Client-Side Cross-Site Scripting (XSS) vulnerabilities shows: By consenting, the number of websites vulnerable to our verified XSS exploits increases by 55%. In other words, more than one third of all affected websites are only vulnerable to XSS due to code that requires user consent. This means that users who consent to cookies are browsing a much more insecure and dangerous version of the Web. Beyond this immediate impact, our results also raise the question about the actual state of client-side web security as a whole. As few studies state the vantage point of their measurements, and even fewer take cookie notices into account, they most likely underreport the prevalence of vulnerabilities on the Web at large.

Tags

Web Security