Local Frames: Exploiting Inherited Origins to Bypass Content Blockers

TL;DR

This paper reveals systemic vulnerabilities in popular web privacy tools caused by mishandling local frames, exposing users to tracking and data exfiltration despite privacy protections.

Contribution

It identifies how legacy web functionalities interact unexpectedly with privacy tools, leading to exploitable vulnerabilities, and provides a systematic analysis of these issues across multiple tools and websites.

Findings

All six tested tools had at least one vulnerability.

56% of popular websites use local frames, many of which trigger vulnerabilities.

73.7% of requests from local frames should be blocked but are not.

Abstract

We present a study of how local frames (i.e., iframes loading content like "about:blank") are mishandled by a wide range of popular Web security and privacy tools. As a result, users of these tools remain vulnerable to the very attack techniques against which they seek to protect themselves, including browser fingerprinting, cookie-based tracking, and data exfiltration. The tools we study are vulnerable in different ways, but all share a root cause: legacy Web functionality interacts with browser privacy boundaries in unexpected ways, leading to systemic vulnerabilities in tools developed, maintained, and recommended by privacy experts and activists. We consider four core capabilities supported by most privacy tools and develop tests to determine whether each can be evaded through the use of local frames. We apply our tests to six popular Web privacy and security tools -- identifying at least one vulnerability in each for a total of 19 -- and extract common patterns regarding their mishandling of local frames. Our measurement of popular websites finds that 56% employ local frames and that 73.7% of the requests made by these local frames should be blocked by popular filter lists but instead trigger the vulnerabilities we identify. From another perspective, 14.3% of all sites that we crawl make requests that should be blocked inside of local frames. We disclosed these vulnerabilities to the tool authors and discuss both our experiences working with them to patch their products and the implications of our findings for other privacy and security research.