Characterizing Pixel Tracking through the Lens of Disposable Email Services

Disposable email services provide temporary email addresses, which allow people to register online accounts without exposing their real email addresses. In this paper, we perform the first measurement study on disposable email services with two main goals. First, we aim to understand what disposable email services are used for, and what risks (if any) are involved in the common use cases. Second, we use the disposable email services as a public gateway to collect a large-scale email dataset for measuring email tracking. Over three months, we collected a dataset from 7 popular disposable email services that contains 2.3 million emails sent by 210K domains. We show that online accounts registered through disposable email addresses can be easily hijacked, leading to potential information leakage and financial loss. By empirically analyzing email tracking, we find that third-party tracking is highly prevalent, especially in the emails sent by popular services. We observe that trackers use various methods to hide their tracking behavior, such as falsely claiming the size of tracking images or hiding real trackers behind redirections. A few top trackers stand out in the tracking ecosystem but are not yet dominating the market.
