Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement

Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating" the victim to the ad network.

We present Advertising Identity Entanglement, a vulnerability to extract specific user browsing behavior from ad networks remotely, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.