TRAP: using TaRgeted Ads to unveil Google personal Profiles

TL;DR

This paper demonstrates how external attackers can exploit Google's targeted advertising system to infer personal user profile information, revealing significant privacy vulnerabilities in online ad services.

Contribution

It introduces a novel attack method that combines Google AdWords data with website data to extract personal information from user profiles.

Findings

The attack is effective in inferring personal data.

It exposes a significant privacy vulnerability.

The results highlight the need for more privacy-aware advertising solutions.

Abstract

In the last decade, the advertisement market spread significantly in the web and mobile app system. Its effectiveness is also due thanks to the possibility to target the advertisement on the specific interests of the actual user, other than on the content of the website hosting the advertisement. In this scenario, became of great value services that collect and hence can provide information about the browsing user, like Facebook and Google. In this paper, we show how to maliciously exploit the Google Targeted Advertising system to infer personal information in Google user profiles. In particular, the attack we consider is external from Google and relies on combining data from Google AdWords with other data collected from a website of the Google Display Network. We validate the effectiveness of our proposed attack, also discussing possible application scenarios. The result of our research shows a significant practical privacy issue behind such type of targeted advertising service, and call for further investigation and the design of more privacy-aware solutions, possibly without impeding the current business model involved in online advertisement.