HEIST is a big DEAL
Newly Discovered Exploit Should Trigger a Moratorium on Blocking Adblockers and a Retooling of AdChoices
At this year’s BLACK HAT conference in Las Vegas, Belgian researchers Mathy Vanhoef and Tom Van Goethem demonstrated a newly discovered technique where JavaScript loaded by a third-party is able to circumvent the encryption of HTTPS and capture data from the page its loaded on. We’re now living in a world where visiting sites that programmatically serve ads could put your data at risk. If you are not using tracking protection or allowing third-party cookies by default, you could unknowingly load a page compromised by malware designed with this attack.
Many sites like the NYTimes.com load your email address as your login in the header of every page. Other pages on other types of sites may ask for the last four digits of your Social Security for account management purposes. An identity thief can infliltrate many other accounts with these two details alone. Social media accounts are also vulnerable to hacking since token IDs are susceptible because our social media logins follow us everywhere we go, nestled in the ubiquitous (and useless) sharing buttons on every page. The researchers express concerns that the HEIST attack can be used to collect health information for sale on the grey and black data brokerage markets.
The researchers predict that this technique will quickly become the “easiest way to to compromise accounts.”
An industry that keeps us vulnerable
To endure an attack you just need to be unlucky enough to be served a malicious ad that contains the new HEIST attack combined with other techniques as invisible malware. People who aren’t using any tracking protection, or an adblocker, or have third-party cookies enabled (the default setting), are vulnerable now that this technique is out in the wild.
This is huge problem for digital publishers because they rely on revenue provided by the adtech industry but unfortunately the scourge of malware has not been solved. There are too many weak links in the ad sales infrastructure to be hacked, especially by social engineering when people in the ad sales supply chain have every incentive to look the other way and sell to unscrupulous or even criminal buyers. The massive problem of ad fraud indicates how badly reform is necessary to protect people from this newly escalated threat model. If they struggle to keep criminal fraudsters out of the supply chain, how can they certify that it’s malware-free?
To make a bad situation worse, the adtech industry’s opt-out program called AdChoices requires third-party cookies to be enabled. People who try to do the right thing and use the industry’s “choice” mechanism only ensure they are vulnerable to this new attack.
By contrast, people who install tracking protection or an adblocker tool are protected from this threat. However, the industry has urged publishers to detect the presence of tracking protection and adblockers and then mandate or plead for their readers to disable them. Adtech’s trade group IAB calls this strategy DEAL and touts it as their most successful tactic against adblockers. When people comply, they become vulnerable to a HEIST attack. When they slog through the AdChoices opt-out process, they guarantee vulnerability by enabling third-party cookies.
Now do the right thing.
The industry should call a moratorium on asking users to disable their tracking protection or adblockers until a method to defend against the HEIST attack is devised and deployed, presumably through a close collaboration between browser makers and adtech companies. Otherwise, this industry is irresponsibly putting people at risk. The researchers, Vanhoef and Van Goethem, indicate in their white paper that blocking third-party cookies is the only known reliable defense.
The publishing and advertising industries should also demand that the Digital Advertising Alliance re-tool or sunset the AdChoices program so that it does not rely on third-party cookies. This includes Google and Facebook, who participate in the program, and are now complicit in propagating this vulnerability that could lead to identity theft or worse. People have no recourse beyond installing defensive software tools on their devices. Apple’s new Limit Ad Tracking model in iOS10 is a step in the right direction because it helps solve the problem of putting people in control of their opt-out tracking identifier on their device not set as third-party cookies across many browsers.
If the industry would honor the Do Not Track standard (like Medium, Twitter, and Pinterest) instead of pushing AdChoices, the HEIST vulnerability and a litany of other problems plaguing this shaky business would be solved. So there’s that.
As Facebook announces today that it will circumvent your adblocker, the time has come for them to reckon with their responsibility to solve the privacy, fraud, and security issues that motivate people to install adblockers as much as any other reason. The thinktank that Facebook funds, the Future of Privacy Forum, still endorses using adblockers as a form of protection from privacy invasion and malware. However, the connection between the HEIST exploit, third-party cookies, and the AdChoices program has not been formally acknowledged by anyone in the industry, yet. Will they?
Updates
To be clear, I realize that ads served on Facebook.com do not contain JavaScript so those are not the type susceptible to the HEIST attack. However, I question whether Google and Facebook can continue to support the AdChoices program because they refer their users to it to manage their off-site ad preferences knowing it makes them vulnerable to HEIST.
Facebook has now obliquely responded to this threat without referencing it nor acknowledging their continued endorsement of AdChoices.
Finally, AdChoices is a misleading mechanism because it only provides an opt-out to targeting, but not tracking, despite our expectations otherwise.