Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA ISBN 978-1-931971-03-4 Take This Personally: Pollution Attacks on Personalized Services Xinyu Xing, Wei Meng, and Dan Doozan, Georgia Institute of Technology; Alex C. Snoeren, University of California, San Diego; Nick Feamster and Wenke Lee, Georgia Institute of Technology
Transcript
Open access to the Proceedings of the 22nd USENIX Security Symposium
is sponsored by USENIX
This paper is included in the Proceedings of the 22nd USENIX Security Symposium.August 14–16, 2013 • Washington, D.C., USA
ISBN 978-1-931971-03-4
Take This Personally: Pollution Attacks on Personalized Services
Xinyu Xing, Wei Meng, and Dan Doozan, Georgia Institute of Technology; Alex C. Snoeren, University of California, San Diego;
Nick Feamster and Wenke Lee, Georgia Institute of Technology
USENIX Association 22nd USENIX Security Symposium 671
Take This Personally: Pollution Attacks on Personalized Services
Xinyu Xing, Wei Meng, Dan Doozan, Alex C. Snoeren†, Nick Feamster, and Wenke LeeGeorgia Institute of Technology and †UC San Diego
AbstractModern Web services routinely personalize content
to appeal to the specific interests, viewpoints, and con-texts of individual users. Ideally, personalization allowssites to highlight information uniquely relevant to eachof their users, thereby increasing user satisfaction—and,eventually, the service’s bottom line. Unfortunately, aswe demonstrate in this paper, the personalization mech-anisms currently employed by popular services have notbeen hardened against attack. We show that third partiescan manipulate them to increase the visibility of arbi-trary content—whether it be a new YouTube video, anunpopular product on Amazon, or a low-ranking websitein Google search returns. In particular, we demonstratethat attackers can inject information into users’ profileson these services, thereby perturbing the results of theservices’ personalization algorithms. While the details ofour exploits are tailored to each service, the general ap-proach is likely to apply quite broadly. By demonstratingthe attack against three popular Web services, we high-light a new class of vulnerability that allows an attackerto affect a user’s experience with a service, unbeknownstto the user or the service provider.
1 Introduction
The economics of the Web ecosystem are all about clicksand eyeballs. The business model of many Web servicesdepends on advertisement: they charge for prime screenreal estate, and focus a great deal of effort on develop-ing mechanisms that make sure that the information dis-played most prominently is likely to create revenue forthe service, either through a direct ad purchase, com-mission, or at the very least improving the user’s ex-perience. Not surprisingly, malfeasants and upstandingbusiness operators alike have long sought to reverse engi-neer and exploit these mechanisms to cheaply and effec-tively place their own content—whether it be items for
sale, malicious content, or affiliate marketing schemes.Search engine optimization (SEO), which seeks to im-pact the placement of individual Web pages in the resultsprovided by search engines, is perhaps the most widelyunderstood example of this practice.
Modern Web services are increasingly relying uponpersonalization to improve the quality of their customers’experience. For example, popular websites tailor theirfront pages based on a user’s previous browsing historyat the site; video-sharing websites such as YouTube rec-ommend related videos based upon a user’s watch his-tory; shopping portals like Amazon make suggestionsbased on a user’s previous purchases; and search enginessuch as Google return customized results based upon awide variety of user-specific factors. As the Web be-comes increasingly personal, the effectiveness of broad-brush techniques like SEO will wane. In its place willrise a new class of schemes and outright attacks that ex-ploit the mechanisms and algorithms underlying this per-sonalization. In other words, personalization representsa new attack surface for all those seeking to steer usereyeballs, regardless of their intents.
In this paper, we demonstrate that contemporary per-sonalization mechanisms are vulnerable to exploit. Inparticular, we show that YouTube, Amazon, and Googleare all vulnerable to the same class of cross-site scriptingattack, which we call a pollution attack, that allows thirdparties to alter the customized content the services returnto users who have visited a page containing the exploit.Although the attack is quite effective, we do not claimthat it is the most powerful, broadly applicable, or hardto defeat. Rather, we present it as a first example of aclass of attacks that we believe will soon—if they are notalready—be launched against the relatively unprotectedunderbelly of personalization services.
Our attack exploits the fact that a service employingpersonalization incorporates a user’s past history (includ-ing, for example, browsing, searching and purchasing ac-tivities) to customize the content that it presents to the
1
672 22nd USENIX Security Symposium USENIX Association
user. Importantly, many services with personalized con-tent log their users’ Web activities whenever they arelogged in regardless of the site they are currently visiting;other services track user activities on the site even if theuser is logged out (e.g., through a session cookie). Weuse both mechanisms to pollute users’ service profiles,thereby impacting the customized content returned to theusers in predictable ways. Given the increasing portfolioof services provided by major players like Google andAmazon, it seems reasonable to expect that a large frac-tion of users will either be directly using the service or atleast logged in while browsing elsewhere on the Web.
We show that pollution attacks can be extremely effec-tive on three popular platforms: YouTube, Google, andAmazon. A distinguishing feature of our attack is thatit does not exploit any vulnerability in the user’s Webbrowser. Rather, it leverages these services’ own person-alization mechanisms to alter user’s experiences. Whileour implementation employs cross-site request forgery(XSRF) [13], other mechanisms are possible as well.
The ability to trivially launch such an attack is es-pecially worrisome because it indicates the current ap-proach to Web security is ill-equipped to address thevulnerabilities likely to exist in personalization mecha-nisms. In particular, today’s Web browsers prevent ex-ploits like cross-site scripting and request forging by en-forcing boundaries between domains though “same ori-gin” policies. The limitations of these approaches arewell known, but our attack represents a class of exploitsthat cannot be stopped by client-side enforcement: in anattempt to increase the footprint of its personalization en-gine (e.g., Google recording search queries that a userenters on a third-party page), a service with personalizedservices is providing the cross-site vector itself. Hence,only the service can defend itself from such attacks on itspersonalization. Moreover, enforcing isolation betweenindependent Web sessions seems antithetical to the goalof personalization, which seeks to increase the amount ofinformation upon which to base customization attempts.
This paper makes the following contributions:
• We describe pollution attacks against threeplatforms—YouTube, Google, and Amazon—thatallow a third party to alter the personalized contentthese services present to users who previouslyvisited a Web page containing the exploit.
• We study the effectiveness of our attack on each ofthese platforms and demonstrate that it (1) can in-crease the visibility of almost any YouTube chan-nel; (2) dramatically increase the ranking of mostwebsites in the short term, and even have lasting im-pacts on the personalized rankings of a smaller setof sites, and (3) cause Amazon to recommend rea-sonably popular products of the attacker’s choosing.
• Our attack and its effectiveness illustrates the im-portance of securing personalization mechanisms ingeneral. We discuss a number of implications of ourstudy and ways for websites to mitigate similar vul-nerabilities in the future.
The rest of the paper is organized as follows. Section 2provides a general overview of pollution attacks on per-sonalized services. Sections 3, 4, and 5 introduce specificattacks that can be launched against YouTube, Google,and Amazon, respectively, and report on our success. Wesurvey related work in Section 6 and discuss limitationsof our work and possible defenses in Section 7 beforeconcluding in Section 8.
2 Overview and Attack Model
In this section, we present a brief overview of personal-ization as it is used by popular Web services. We thenpresent a model of pollution attacks, which we applyto three different scenarios later in the paper: YouTube,Amazon, and Google.
2.1 PersonalizationOnline services are increasingly using personalization todeliver information to users that is tailored to their inter-ests and preferences. Personalization potentially createsa situation where both the service provider and the userbenefit: the user sees content that more closely matchespreferences, and the service provider presents productsthat the user is more likely to purchase (or links that theuser is more likely to click on), thus potentially resultingin higher revenues for the service provider.
The main instrument that a service provider can use toaffect the content that a user sees is modifying the choiceset, the set of results that a user sees on a particular screenin response to a particular query. The size of a choiceset differs for different services. For example, YouTubeshows the user anywhere from 12–40 videos; Amazonmay show the user up to five sets of recommended prod-ucts; Google’s initial search results page shows the topten results. Figure 1 shows several examples of choicesets on different sites.
When a user issues a query, a service’s personaliza-tion algorithm affects the user’s choice set for that query.The choice set that a personalization algorithm producesdepends on a user query, as well as a number of auxil-iary factors, including the universe of all possible con-tent and the user’s browsing history. Previous work hasclaimed that many factors, ranging from geography totime of day, may affect the choice set that a user sees.For the purposes of the attacks in this paper, we focus onhow changes to a user’s history can affect the choice set,
2
USENIX Association 22nd USENIX Security Symposium 673
Figure 1: websites with personalized services (personalized services tailor the data in the red rectangles).
Figure 2: Overview of how history pollution can ulti-mately affect the user’s choice set.
holding other factors fixed. In particular, we study howan attacker can pollute the user’s history by generatingfalse clicks through cross-site request forgery (XSRF).We describe these attacks in the next section.
2.2 Pollution Attacks
The objective of a pollution attack is to affect a user’schoice set, given a particular input. In some cases, auser’s choice set appears before the user enters any in-put (e.g., upon an initial visit to the page). In this case,the attacker’s goal may be to affect a default choice set.Figure 2 shows an overview of the attacker’s goal: theattacker aims to affect the resulting choice set by alter-ing the user’s history with false clicks, using cross-siterequest forgery as the attack vector. This attack requiresthree steps:
1. Model the service’s personalization algorithm. Weassume that the attacker has some ability to modelthe personalization algorithm that the site uses to af-fect the user’s choice set. In particular, the attackermust have some idea of how the user’s past historyaffects the user’s choice set. This information is of-ten available in published white papers, but in somecases it may require experimentation.
2. Create a “seed” to pollute the user’s history. Givensome knowledge of the personalization algorithmand a goal for how to affect the choice set, the at-tacker must design the seed that is used to affect
the user’s choice set. Depending on the service, theseed may be queries, clicks, purchases, or any otheractivity that might go into the user’s history. A goodseed can affect the user’s choice set with a minimalnumber of “false clicks”, as we describe next.
3. Inject the seed with a vector of false clicks. To pol-lute a user’s history, in most cases we require thatthe user be signed in to the site. (For some services,pollution can take place even when the user is notsigned in.) Then, the attacker can use a mechanismto make it appear as though the user is taking actionon the Web site for a particular service (e.g., click-ing on links) using a particular attack vector.
In the following sections, we explore how an attacker canapply this same procedure to attack the personalizationalgorithms of three different services: YouTube, Ama-zon, and Google search.
3 Pollution Attacks on YouTube
In this section, we demonstrate our attack on YouTube1.Following the attack steps we described in Section 2,we first model how YouTube uses the watch history of aYouTube user account to recommend videos by review-ing the literature [5]. Second, we discuss how to prepareseed data (i.e., seed videos) to promote target data (i.e.,target videos belonging to a specific channel). Third, weintroduce how to inject the seed videos to a YouTube useraccount. Finally, we design experiments and quantify theeffectiveness of our attack.
3.1 YouTube PersonalizationYouTube constructs a personalized list of recommendedvideos based upon the videos a user has previouslyviewed [5]. YouTube attempts to identify the subset ofpreviously viewed videos that the user enjoyed by con-sidering only those videos that the user watched for along period of time. Typically, YouTube recommendsvideos that other users with similar viewing histories
1A demo video is available at http://www.youtube.com/
watch?v=8hij52ws98A.
3
674 22nd USENIX Security Symposium USENIX Association
have also enjoyed. YouTube tracks the co-visitation re-lationship between pairs of videos, which reflects howlikely a user who watched a substantial portion of videoX will also watch and enjoy video Y . In general, theremay be more videos with co-visitation relationships thanthere is display area, so YouTube prioritizes videos withhigh rankings. YouTube will not recommend a video theuser has already watched.
YouTube displays recommended videos in the sugges-tion list placed alongside with a playing video (e.g., Fig-ure 5) and in the main portion of the screen at the end ofa video (Figure 1(a)). A suggestion list appearing next toa video typically contains 20–40 suggested videos, twoof which are recommended based upon personalization.At the end of a video, YouTube shows an more conciseversion of the suggestion list that contains only twelve ofthe videos from the full list; these videos may or may notcontain personal recommendations.
3.2 Preparing Seed VideosYouTube organizes videos into channels, where eachchannel corresponds to the set of uploads from a particu-lar user. In our attack, we seek to promote a set of targetvideos, ΩT , all belonging to the same YouTube channel,C. To do so, we will use an additional set of seed videos,ΩS, that have a co-visitation relationship with the targetvideos. By polluting a user’s watch history with videos inΩS, we can cause YouTube to recommend videos in ΩT .There are two ways to obtain ΩS: we can identify videoswith pre-existing co-visitation relationships to the targetvideos, or we can create the relationships ourselves.
Existing Relationships. In the simplest version of theattack, the attacker identifies existing videos to use asthe seed set. For example, given a target video setΩT belonging to channel C, the attacker could con-sider all of the other videos in the channel, C − ΩT ,as candidate seeds. For every candidate video, the at-tacker checks which videos YouTube recommends whena fresh YouTube account (i.e., a YouTube account withno history) watches it. YouTube allows its users to viewtheir recommended videos at http://www.youtube.
com/feed/recommended. If the candidate video trig-gers YouTube to recommend a video in ΩT , then the at-tacker adds the injected video to seed video set ΩS.
In general, this process allows the attacker to identifyseed videos for every target video in ΩT . The attackercannot yet launch the attack, though, because a YouTubevideo in ΩS may trigger YouTube to also recommendvideos not in ΩT . To address this issue, the attacker cansimply add these unwanted videos to the seed video setΩS because YouTube does not recommend videos thatthe user has already watched. As we will show later, the
attacker can convince YouTube that the user watched, butdid not enjoy, these unwanted videos, so their inclusionin ΩS will not lead to additional recommendations.
Fabricating Relationships. For some videos, it maybe difficult to identify a seed set ΩS that recommends allof the elements of ΩT due to lack of co-visitation rela-tionships for some of the target elements. Instead, attack-ers who upload their own content to use as the seed setcan create co-visitation relationships between this con-tent and the target set. In particular, an attacker uploadsa set of videos, Ω0, and establishes co-visitation relation-ships between Ω0 and ΩT through crowd-sourcing (e.g.,Mechanical Turk or a botnet): YouTube visitors needonly watch a video in Ω0 followed by a video in ΩT .After a sufficient number of viewing pairs, the attackercan use videos in Ω0 as the seed set. As we will show inSection 3.4.1, a relatively small number of viewing pairssuffices.
3.3 Injecting Seed Videos
To launch the attack and inject seed videos into avictim’s YouTube watch history, an attacker can harnessXSRF to forge the following two HTTP requests for eachvideo in the seed set: (1) http://www.youtube.com/user_watch?plid=<value>&video_id=<value>,and (2) http://www.youtube.com/set_awesome?
plid=<value>&video_id=<value>, where plid
and video id correspond to the values found in thesource code of the seed video’s YouTube page. Thefirst HTTP request spoofs a request from the victim tostart watching the seed video, and the second convincesYouTube that the victim watched the video for a longperiod of time. Both HTTP requests are required forvideos in ΩS to trigger the recommendation of videos inΩT , but only the first HTTP request is needed to preventthe recommendation of unwanted videos.
3.4 Experimental Design
We evaluated the effectiveness of our attack both in con-trolled environments and against real YouTube users. Wefirst validated the the attack in the simplest scenario,where the attack promoted existing YouTube channelsthrough existing co-visitation relationships. We thenconsidered the scenario where an attack seemed to up-load and promote content from a channel that the attackercreated. Finally, we conducted a small-scale experimentto demonstrate the effectiveness of the attack against avolunteer set of real YouTube users.
4
USENIX Association 22nd USENIX Security Symposium 675
3.4.1 New Accounts
We first promoted existing YouTube channels by launch-ing our attack against victims with fresh YouTube useraccounts. This experiment confirms the effectiveness ofour approach in the absence of other, potentially counter-vailing influences, such as recommendations based on auser’s existing history.
We began by selecting 100 existing YouTube channelsat random from the list of the top 2,000 most-subscribedchannels published by VidStatsX [19]. For each of theselected YouTube channels, we randomly selected 25videos from the channel as the target video set, used themethod described in the previous section to identify aseed video set, and injected the seed videos to a freshYouTube account.
We then considered promoting new content by creat-ing our own YouTube channel and similarly attackingfresh YouTube accounts. Our YouTube channel containstwo 3-minute videos. We selected one of the videos asa one-element target video set and used the other as theseed set. We created a co-visitation relationship by em-bedding both videos on a web page and recruiting volun-teers to watch both videos sequentially. We obtained 65and 68 views for our seed and target video respectively.
3.4.2 Existing Accounts
We studied the effectiveness of our pollution attack usingreal YouTube user accounts. We recruited 22 volunteerswith extensive pre-existing YouTube watch histories. Tolimit the inconvenience to our volunteers, we limited ourstudy to attempting to promote one moderately popularYouTube channel based upon existing co-visitation rela-tionships. We selected a moderately popular account be-cause a popular channel may be recommended anyway(regardless of out attack); conversely, an entirely newchannel requires a certain amount of effort to establishthe co-visitation relationships as described above and wehave limited volunteer resources.
Based on these parameters, we arbitrarily selected thechannel OnlyyouHappycamp. We believe this selectionis a reasonable candidate to be promoted using our attackfor several reasons. First, compared to popular chan-nels, most videos in OnlyyouHappycamp have low viewcounts (about 2,000 view counts per video on average)and the number of subscribers to the channel is a simi-larly modest 3,552. Both of these are easily achievableby an attacker at fairly low cost2. Second, most videos inOnlyyouHappycamp are 22 minutes long, which makesthem suitable for promotion. As we will explain in Sec-tion 3.5.1, the length of a target video affects its likeli-
2According to the prices in underground markets such asfreelancer.com and fiverr.com, 40,000 view counts and 10,000subscribers cost $15 and $30 US dollars, respectively.
1 3 5 7 9 11 14 17 20 23
Target video ID
Prom
otio
n ra
te
0.0
0.1
0.2
0.3
Figure 3: The promotion rate for each of the 25 targetvideos in channel lady16makeup. Two videos were rec-ommended in each of the 114 trials.
hood for being recommended as a result of a co-visitationrelationship with another video.
Similar to the experiments with new accounts, we ran-domly selected 15 target videos from channel Onlyy-ouHappycamp, identified a seed set, and injected theseed videos into the volunteers’ YouTube accounts. Af-ter pollution, the volunteers were asked to use their ac-counts to watch three videos of their choice and reportthe suggestion list displaying alongside each of theirthree videos.
3.5 Evaluation
We evaluated the effectiveness of our pollution attacksby logging in as the victim user and viewing 114 repre-sentative videos3. We measured the effectiveness of ourattack in terms of promotion rate: the fraction of the 114viewings when at least one of the target videos was con-tained within the video suggestion list. Recall that thelist contains at most two personalized recommendations(see Section 3.1); we deem the attack successful if oneor both of these videos are videos that were promoted asa result of a pollution attack.
3.5.1 New Accounts
Pollution attacks successfully promoted target videosfrom each of the 100 selected existing channels: Eachtime we injected seed videos for a particular channel, weobserved the target videos in the suggestion list for eachof the 114 videos. Since these are fresh accounts, thereis no other history, so our targeted videos always occupyboth of the personalized recommendation slots.
In addition, we observed the particular target videosshown in the suggestion video list varied, even when
3We attempted to view 150 videos random from a trace of YouTubeusage at our institution over the course of several months. Unfortu-nately, 36 of the videos were no longer available at the time of ourexperiment.
5
676 22nd USENIX Security Symposium USENIX Association
1 2 3 4 5 6 7 8 9Target video rank
Prom
otio
n ra
te0.
00.
10.
20.
30.
40.
50.
6
(a) Higher ranked video
1 2 3 4 5 6 7 8 9 11Target video rank
Prom
otio
n ra
te0.
00.
10.
20.
30.
40.
50.
6
(b) Lower ranked video
Figure 4: Distribution of the suggestion slots occupiedby each of the two successfully promoted target videos.
we were viewing the same video using the same victimYouTube account. In other words, every target video hasa chance to be promoted and shown on the suggestionvideo list no matter which video a victim plays. Fig-ure 3 shows the frequency with which each of the 25 tar-get videos for a representative channel, lady16makeup.In an attempt to explain this variation, we computed (1)the Pearson correlation between the showing frequenciesand the lengths of the target videos for each channel (ρt );(2) the Pearson correlation between the showing frequen-cies and the view counts of these target videos for eachchannel (ρcnt ). We found the average Pearson correla-tion values are medium (ρt = 0.54) and moderate (ρcnt =0.23), respectively. This suggests that both the length andview count of a target video influence its recommenda-tion frequency, but the length of a target video is a moresignificant factor.
Since screen real estate is precious, and users typicallyfocus on the first few items of a list, we report on the po-sition within the suggested video lists that our targetedvideos occupied when they were promoted. We observedthat the two target videos were usually placed back-to-back on the suggestion list. Figure 4 shows that YouTubeusually placed our target videos among the top few spotsof a victim’s suggestion list: in our tests with new ac-counts, the target videos were always recommended andplaced on the top 12, which meant they also appearedat the end of viewed videos. This finding is particu-larly significant because it implies that our target videosare shown even if a victim finishes watching a YouTubevideo on a third-party website (which typically embedsonly the view-screen portion of the YouTube page, andnot the full suggestion list).
Our attacks were similarly completely successful inpromoting newly uploaded content. As a control, wealso signed in as non-polluted fresh YouTube accountsand, unsurprisingly, did not find any of our new con-tent among the videos in the suggestion list. In otherwords, the videos were recommended exclusively be-cause of our attacks; our experiments were sufficiently
Figure 5: Suggestion lists before (left) and after (right)a pollution attack against a fresh YouTube user account.The video highlighted in red is our uploaded video.
200 500 1000 2000 5000 10000
0.2
0.4
0.6
0.8
1.0
Watch history
Prom
otio
n ra
te
Figure 6: Promotion success rates for 10 real YouTubeuser accounts with varying watch history lengths.
small that we did not lead YouTube to conclude that ourcontent was, in fact, universally popular. Figure 5 showsa sample screenshot comparing the suggestion lists froma victim account and another, non-exploited fresh ac-count. Finally, we found that one of our target videosoccupied the top suggestion slot while viewing 80 out ofthe 114 test videos.
3.5.2 Existing Accounts
Our attacks were somewhat less successful on realYouTube accounts. We found that 14 out of the 22 volun-teer YouTube users reported that at least one of our tar-get videos from channel OnlyyouHappycamp appearedin the suggestion list during each of their three videoviewings, a 64% promotion rate.
To understand why we were able to exploit some ac-counts and not others, we asked our volunteers to sharetheir YouTube watch histories. Ten of our volunteersshared their histories with us and allowed us to sign in to
6
USENIX Association 22nd USENIX Security Symposium 677
their YouTube accounts to conduct a further study. Thenumber of videos in the watch histories of the ten vol-unteers ranged from a few hundred to tens of thousands.Figure 6 shows the relationship between the number ofwatched videos in a watch history and the number oftimes that at least one of our target videos is displayedalong with a playing video. While there appears to be anintuitive decreasing trend (i.e., the longer the history anaccount has the more resistant it is to pollution), there areobvious outliers. For example, one account with almost3,500 previous viewings in its history succumbed to ourattacks almost 80% of the time.
Consistent with the Pearson coefficients reported ear-lier, we found that the success of our attacks depends onthe rankings and lengths of the videos that are otherwisesuggested based upon a user’s history. In particular, weobserved that the majority of the videos recommendedto users for whom our attacks have low promotion rateshave longer lengths and more view counts than our tar-get videos, while the videos that YouTube recommendsbased on the watch history of the user with 3,500 previ-ous viewings have shorter lengths than our target videos(though they generally have higher view counts than ourtargets).
Although we believe our attack demonstrates thatYouTube’s personalization mechanism is subject to ex-ploit, the persistence of the attack effects is unclear. Inour experiments, volunteers watched arbitrary YouTubevideos right after being attacked, but we believe our pol-lution attacks on YouTube are likely to last for sometime. Although YouTube does not explicitly disclosehow time factors into their recommendation system (ifat all) [5], analysis of volunteers’ watch histories indi-cates that a YouTube video that was watched as long astwo weeks prior is still used for generating recommendedvideos.
4 Google Personalized Search
In this section, we show how history pollution attackscan be launched against Google’s search engine4. Thegoal of our attack is to promote a target webpage’s rankin the personalized results that Google returns for an ar-bitrary search term by injecting seed search terms into avictim’s search history.
4.1 Search PersonalizationSearch personalization customizes search results usinginformation about users, including their previous queryterms, click-through data and previously visited web-sites. The details of Google’s personalization algorithms
4A demo video is available at http://www.youtube.com/
watch?v=73E5CLFYeu8.
are not public, but many previous studies have exploredaspects of personalized search [2,4,6,7,9,10,14–18]. Wedescribe two classes of personalization algorithms: con-textual personalization and persistent personalization.According to recent reports [11,12], many search enginesincluding Google, Bing, and Yahoo! apply both types ofpersonalization.
Contextual personalization constructs a short-termuser profile based on recent searches and clicks-through [4, 16]. When a user searches for “inexpen-sive furniture” followed by “maternity clothes,” Google’scontextual personalization algorithm typically promotessearch results that relate to “inexpensive maternityclothes” for the next few searches (we provide an anal-ysis of precisely how long this effect lasts in Ap-pendix A.2). In contrast, persistent personalization usesthe entire search history—as opposed to only recentsearches—to develop a user profile [9, 15]. Personaliza-tion that occurs over the longer term may not affect auser’s search results as dramatically, but can have longer-lasting effects for the results that a user sees. For exam-ple, searching for “Egypt” using different accounts mayresult in two distinct result sets: one about tourism inEgypt and one related to the Arab Spring.
4.2 Identifying Search TermsGiven the differing underlying algorithms that governcontextual and persistent personalization, an attackerneeds to select different sets of seed search terms depend-ing on the type of attack she hopes to launch.
Contextual Personalization. For the contextual per-sonalization attack, the keywords injected into a user’ssearch history should be both relevant to the promot-ing keyword and unique to the website being promoted.In particular, the keywords should be independent fromother websites that have similar ranking in the search re-sults, to ensure that only the target website is promoted.Presumably, an attacker promoting a specific website isfamiliar with the website and knows what keywords bestmeet these criteria, but good candidate keywords are alsoavailable in a website’s meta keyword tag. While Googleno longer incorporates meta tags into their ranking func-tion [3], the keywords listed in the meta keyword tag stillprovide a good summary of the page’s content.
Persistent Personalization. Launching a persistentpersonalization attack requires a different method of ob-taining keywords to inject. In this case, the size of thekeyword set should be larger than that used for a contex-tual attack in order to have a greater effect on the user’ssearch history. Recall that contextual attacks only affecta user’s current session, while persistent attacks pollute
7
678 22nd USENIX Security Symposium USENIX Association
a user’s search history in order to have a lasting effect onthe user’s search results. An attacker can determine suit-able keywords using the Google AdWords tool, whichtakes as an input a search term and URL and produces alist of about one hundred related keywords. Ideally, anattacker could pollute a user’s search history with eachof these terms, but a more efficient attack should be ef-fective with a much smaller set of keywords. We deter-mined that an attacker can safely inject roughly 50 key-words a minute using cross-site request forgery; morerapid search queries are flagged by Google as a screen-scraping attack. For this study, we assume an attackercan inject at most 25 keywords into a user’s profile, butthe number of keywords can increase if the user stays ona webpage for more than 30 seconds. Not all keywordlists that AdWords returns actually promote the targetwebsite. The effectiveness of this attack likely dependson several factors, including the user’s current search his-tory. In Section 4.5, we evaluate the effectiveness of thisattack under different conditions.
4.3 Injecting Search TermsAs with the pollution attacks on YouTube, the attack onGoogle’s personalized search also uses XSRF to injectthe seeds. For example, an attacker can forge a Googlesearch by embedding https://www.google.com/
search?hl=en&site=&q=usenix+security+2013
into an invisible iframe. A Web browser will issuean embedded HTTP request, even if Google searchresponse has an enabled X-Frame-Option header.Injecting search terms into a Google user’s accountaffects the search results of the user’s subsequentsearches. The number and set of search terms to injectdiffers depending on whether an attacker can execute acontextual or persistent personalization attack.
4.4 Experimental DesignTo cleanly study the effects of our proposed attacks oncontextual and persistent search personalization, we con-ducted most of our experiments using Google accountswith no search history. To validate whether our resultsapply to real users, we also conducted a limited numberof tests using accounts that we constructed to mimic thepersonae of real users.
To quantify the effectiveness of our attack in general,we must select an unbiased set of target web pages whoserankings we wish to improve. We built two test corpora,one for attacks on contextual personalization, and one forattacks on persistent personalization. We attempted topromote existing web sites using only their current con-tent and link structure; we did not perform any SEO onwebsites before conducting the attacks. We believe this
represents a conservative lower bound on the effective-ness of the attack, as any individual website owner couldengineer the content of their site to tailor it for promotionthrough search history pollution.
4.4.1 Contextual Pollution
We started by scraping 5,671 shopping-related keywordsfrom made-in-china.com to use as search terms. Wethen entered each of these terms into Google one-by-oneto obtain the top 30 (un-personalized) search results foreach. Since some of our search terms are related, not allof these URLs are unique. Additionally, we cannot hopeto improve the URLs that are already top-ranked for eachof the search terms. We obtained 151,363 URLs whoseranking we could hope to improve.
Because we cannot manually inspect each of thesewebsites to determine appropriate seed search terms, weinstead focused a subset that include the meta keywordtag. For the approximately 90,000 such sites, we ex-tracted the meta keywords or phrases from the website.Many of these keywords are generic and will appear ina wide variety of websites. To launch the attack, we re-quire keywords that are unique to the website we wish topromote (at least relative to the other URLs returned inresponse to the same query), so we ignored any keywordsthat were associated with multiple URLs in the same setof search results.
This procedure ultimately yielded 2,136 target URLsspanning 1,739 different search terms, for which we hada set of 1–3 seed keywords to try to launch a contextualpollution attack. The average search term has 1.23 resultswhose ranking we tried to improve. Figure 11 in the Ap-pendix shows the distribution of the original rankings foreach of these target websites; the distribution is skewedtoward highly ranked sites, perhaps because these sitestake care in selecting their meta tag keywords.
4.4.2 Persistent Pollution
Once again, we begin by selecting 551 shopping-relatedsearch terms and perform Google searches with each ofthe search terms to retrieve the top 30 search results. Asopposed to the contextual attack, where we search forkeywords that differentiate the results from one another,we aim to determine search terms that will be associatedwith the website and search-term pair for the long term.
As described in Section 4.2, we use a tool provided byGoogle AdWords to obtain a set of keywords that Googleassociates with the given URL and search term. Con-structing related keyword lists for each of the 29 searchreturns (again excluding the top hit, which we cannothope to improve) and 551 search terms yields 15,979 dis-tinct URLs with associated lists of keywords.
8
USENIX Association 22nd USENIX Security Symposium 679
For each URL, we select 25 random keywords fromthe AdWords list for 25 distinct trials. If a trial improveda URL’s ranking, we then test the persistence of the at-tack by performing 20 subsequent queries, each witha randomly chosen set of Google trending keywords.These subsequent queries help us verify that the URLpromotion is not just contextual, but does not vanishwhen a user searches other content. If after all 25 trialswe find no keyword sets that promote the URL’s rankingand keep it there for 20 subsequent searchers, we deemthis URL attempt a failure. If multiple keyword sets suc-ceed, we select the most effective (i.e., the set of 25 key-words that induces the largest ranking improvement) trialto include in the test set.
4.5 Evaluation
In this section, we quantify the effectiveness of searchhistory pollution with attacks that aimed to promote thetarget websites identified in the previous section. Toscope our measurements, we consider the effectivenessof the attacks only for the set of search terms that weidentify; it is quite possible, of course, that our pollutionattacks also affect the rankings of the targeted URLs forother search terms.
When measuring the effectiveness of our attack, weuse two different criteria, depending upon a website’soriginal position in the search results. In the case ofURLs that are already in the first ten search results butnot ranked first, we consider the pollution attack success-ful if it increases the ranking of a URL at all. For URLssubsequent pages, we consider the attack successful onlyif the attack moves the URL to the first page of searchresults, since improved ranking on any page that is notthe first page is unlikely to have any utility.
4.5.1 Top-Ranked Sites
For the 2,136-page contextual attack test corpus, of the846 pages that appeared on the front page prior to ourattack, we improved the ranking of 371 (44%). The per-sistent attack was markedly less effective, with only 851(17%) of the 4,959 test cases that originally appearedon the first page of the search results had ranking im-provements surviving the persistence test (i.e., they re-mained promoted after 20 random subsequent queries).In both cases, however, the probability of success de-pends greatly on the original ranking of the targetedURL. For example, promoting a second-ranked URLto the top-ranked position for contextual personalizationsucceeded 1.1% of the time, whereas promoting a tenth-ranked URL by at least one position succeeded 62.8%of the time. Similarly, for attacks on persistent person-alization, moving a second-ranked URL to the top suc-
ceeded 4.3% of the time, and moving a tenth-rankedURL to a higher-ranked position succeeded 22.7% of thetime. These results make sense, because second-rankedsites can only move into the top-ranked position, whereassites that are ranked tenth can move into any one of ninehigher spots.
To illustrate this effect and illuminate how far eachwebpage was promoted, Figure 7 shows the PDF of animproved webpage’s rank after contextual history pol-lution, based upon its position in the non-personalizedsearch results. We observed that contextual pollution wasable to promote most webpages by one or two spots, butsome low-ranking webpages were also promoted to veryhigh ranks. Similarly, Figure 8 shows the distributionsfor each result ranking for those websites whose rankingswere improved by a persistent history pollution attack.Here, the distributions appear roughly similar (althoughthe absolute probability of success is much lower), butit is difficult to draw any strong conclusions due to thesmall number of promoted sites of each rank for eitherclass of attack.
4.5.2 The Next Tier
The remaining 1,290 test websites for the contextual at-tack were initially on the second or third page of searchresults. By polluting a user’s search history with theunique meta tag keywords associated with each site, wepromoted 358 of them (28%) to the front page. Fig-ure 7(j) shows that these websites were more likely toappear at the top of the results than those pages that wereinitially at the bottom of the first page. We suspect thisphenomenon results from the choice of keywords usedin pollution: because their original rankings were low,the pollution attack requires a distinguishing keyword tomove one of the webpages to the front page at all. Ifsuch a keyword can move a search result to the first page,it might also be a good enough keyword to promote thepage to a high rank on the first page, as well.
The results from the persistent test set are markedlydifferent. Figure 8(j) shows that sites starting on the sec-ond or third page are unlikely to end up at the very topof the result list due to a persistent history attack: Only80 (less than 1%) of the 11,020 attacks that attemptedto promote a website appearing on the 2nd or 3rd pageof results was successful in moving it to the front page(and keeping it there). This results shows that persis-tent search history attacks are generally best launched forsites that are already highly ranked, as opposed to con-textual attacks, which can help even lower-ranked sites.
9
680 22nd USENIX Security Symposium USENIX Association
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(a) Non-personalized rank= 2
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(b) Non-personalized rank= 3
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(c) Non-personalized rank= 4
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(d) Non-personalized rank= 5
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(e) Non-personalized rank= 6
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(f) Non-personalized rank= 7
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(g) Non-personalized rank= 8
1 3 5 7 9
Personalized rankP
rom
otio
n ra
te
0.0
0.2
0.4
0.6
(h) Non-personalized rank= 9
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(i) Non-personalized rank =10
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.0
0.2
0.4
0.6
(j) Non-personalized rank> 10
Figure 7: Promotion rates of promoted Google search rankings for successful contextual history pollution attacks.
4.5.3 Real Users
We also evaluate the effectiveness of pollution attackson ten volunteers’ accounts with extensive pre-existingsearch histories. We find that, on average, 97.1% of our729 previously successful contextual attacks remain suc-cessful, while only 77.78% of the persistent pollution at-tacks that work on fresh accounts achieve similar suc-cess. We believe that users’ search histories sometimesinterfere with the attacks, and that user history inter-feres more with the attacks on persistent personalization.Contextualized attacks rely only on a small set of re-cent search terms to alter the personalized search results,which is unlikely to be affected by a user’s search history.In contrast, pollution attacks against persistent personal-ization rely on more of a user’s search history. If relevantkeywords are already present in a user’s search history,keyword pollution may be less effective. In any event,both attacks are relatively robust, even when launchedagainst users with long search histories.
5 Pollution Attacks on Amazon
Of the three services, Amazon’s personalization is per-haps the most evident to the end user. On one hand, thismakes pollution-based attacks less insidious, as they willbe visible to the observant user. On the other, of the threeservices, Amazon has the most direct monetization path,since users may directly purchase the goods from Ama-zon. Therefore, exploitation of Amazon’s personaliza-tion may be profitable to an enterprising attacker.
Amazon tailors a customer’s homepage based on the
previous purchase, browsing and searching behavior ofthe user. Amazon product recommendations considereach of these three activities individually and explicitlylabels its recommendations according to the aspect of theuser’s history it used to generate them. We focused on thepersonalized recommendations Amazon generates basedon the browsing and searching activities of a customerbecause manipulating the previous purchase history of acustomer may have unintended consequences.
5.1 Amazon Recommendations
Amazon displays five recommendation lists on a cus-tomer’s homepage that are ostensibly computed based onthe customer’s searching and browsing history. Four ofthese lists are derived from the products that the customerhas recently viewed (view-based recommendation); thefifth is based on the latest search term the customer en-tered (search-based recommendation). For each of theview-based recommendation lists, Amazon uses relation-ships between products that are purchased together tocompute the corresponding recommended products; thisconcept is similar to the co-visitation relationship thatYouTube uses to promote videos. For the recommenda-tion list that is computed based on the latest search termof a customer, the recommended products are the top-ranked results for the latest search term.
In contrast to the types of personalization used forYouTube and Google Search, Amazon’s personalizationis based on history that maintained by the user’s webbrowser, not by the service. Because customers fre-quently brows Amazon without being signed in, both the
10
USENIX Association 22nd USENIX Security Symposium 681
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(a) Non-personalized rank= 2
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(b) Non-personalized rank= 3
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(c) Non-personalized rank= 4
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(d) Non-personalized rank= 5
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(e) Non-personalized rank= 6
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(f) Non-personalized rank= 7
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(g) Non-personalized rank= 8
1 3 5 7 9
Personalized rankP
rom
otio
n ra
te
0.00
0.10
0.20
0.30
(h) Non-personalized rank= 9
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(i) Non-personalized rank =10
1 3 5 7 9
Personalized rank
Pro
mot
ion
rate
0.00
0.10
0.20
0.30
(j) Non-personalized rank> 10
Figure 8: Promotion rates of promoted Google search rankings for successful persistent history pollution attacks.
latest viewed products and search term of the customerare stored in session cookies on the user’s browser ratherthan in profiles on Amazon servers.
5.2 Identifying Seed Products and TermsBecause Amazon computes the view and search-basedrecommendation lists separately, the seed data requiredexploit each list must also be different.
Visit-Based Pollution. To promote a targeted productin a view-based recommendation list, an attacker mustidentify a seed product as follows. Given a targeted prod-uct that an attacker wishes to promote, the attacker visitsthe Amazon page of the product and retrieves the relatedproducts that are shown on Amazon page of the targetedproduct. To test the suitability of these related products,the attacker can visit the Amazon page of that productand subsequently check the Amazon home page. If thetargeted product appears in a recommendation list, theURL of the candidate related product can serve as a seedto promote the targeted product.
Search-Based Pollution. To promote a targeted prod-uct in a search-based recommendation list, it suffices toidentify an appropriate search term. If automation is de-sired, an attacker could use a natural language toolkit toautomatically extract a candidate keyword set from thetargeted product’s name. Any combination of these key-words that successfully isolates the targeted product canbe used as the seed search term for promoting the tar-geted product. For example, to promote product “Bre-ville BJE200XL Compact Juice Fountain 700-Watt Juice
Extractor”, an attacker can use XSRF to inject the searchterm “Breville BJE200XL” to replace an Amazon cus-tomer’s latest search term.
5.3 Injecting Views and SearchesAs with the attacks on the previous two services, the at-tacker embeds the Amazon URLs of the desired seeditems or search queries into a website that the victim’sbrowser is induced to visit with XSRF. For example, ifone seed search terms is “Coffee Maker”, the seed URLwould be something like http://www.amazon.com/s/?field-keywords=Coffee+Maker. Similarly, an at-tacker could embed the URL of a seed product into aninvisible img tag as the src of the image. When a victimvisits the attacker’s website, Amazon receives the requestfor that particular query or item and customizes the vic-tim’s Amazon website based on that search.
5.4 Experiment DesignTo evaluate the effectiveness of the pollution attackagainst, we conducted two experiments. The first exper-iment measured the effectiveness of our attack when tar-geted toward popular items across different categories ofAmazon products. The second quantified the effective-ness of our attack on randomly selected, mostly unpopu-lar Amazon products.
5.4.1 Popular Products
Amazon categorizes sellers’ products into 32 root cat-egories. To select products from each category, we
11
682 22nd USENIX Security Symposium USENIX Association
nstrGard
en
e
G
t.F.Prod
enood
Prom
otio
nra
te
0.00.20.40.60.81.0
Patio.L
awn.
Musica
l.Ium
ents
Home.K
itch
rocery
.Gou
rme
Offic
uctsBab
y
Applian
ces
Beauty
Kitchen
.Dining
Home.I
mprove
ment
Arts.Craf
ts.Sew
ing
Pet.Sup
plies
Jewelr
y
Watche
s
Camera
.PhotoSho
es
Sports
.Outd
oors
Toys.
Games
Indus
trial.S
cienti
fic
Electro
nics
Compu
ters.A
ccesso
ries
Clothin
g
Health
.Person
al.Care
Automoti
ve
Video.G
ames
Music.A
lbums
Software
Cell.Pho
nes.A
ccesso
ries
Magaz
ines
Books
Movies
.TV
Gift.Card
s.Stor
e
Search based View based
Figure 9: Promotion rates across Amazon categories.
scraped the top 100 best-selling products in each cate-gory in January 2013 and launched a separate attack tar-geting each of these 3,200 items.
5.4.2 Random Products
To evaluate the effectiveness of the polution attack forpromoting arbitrary products, we also selected prod-ucts randomly. We downloaded a list of Amazon Stan-dard Identification Number (ASIN) [1] that includes75,115,473 ASIN records. Because each ASIN repre-sents a Amazon product, we randomly sampled ASINsfrom the list and constructed a set of 3,000 products cur-rently available for sale. For every randomly selectedproduct in the list, we recorded the sale ranking of thatproduct in its corresponding category.
5.5 Evaluation
Because Amazon computes search and visit-based rec-ommendations based entirely upon the most recent his-tory, we can evaluate the effectiveness of the pollutionattack without using Amazon accounts from real users.Thus, we measured the effectiveness of our attack bystudying the success rate of promoting our targeted prod-ucts for fresh Amazon accounts.
5.5.1 Promoting Products in Different Categories
To evaluate the effectiveness of the pollution attack foreach targeted product, we checked whether the ASIN ofthe targeted product matches the ASIN of an item in therecommendation lists on the user’s customized Amazonhomepage.
Figure 9 illustrates the promotion rate of target prod-ucts in each category. The view-based and search-based
attacks produced similar promotion rates across all cate-gories, about 78% on average. Two categories had sig-nificantly lower propotion rates: Gift-Cards-Store andMovies-TV (achieving 5% and 25%, respectively).
To understand why these categories yielded lower pro-motion rates, we analyzed the top 100 best selling prod-ucts for each category. For Gift-Cards-Store, we foundthat there were two factors that distinguish gift cardsfrom other product types. First, the gift cards all hadsimilar names; therefore, using the keywords derivedfrom the product name resulted in only a small numberof specific gift cards being recommended. Second, wefound that searching any combination of keywords ex-tracted from the product names always caused a promo-tion of Amazon’s own gift cards, which may imply thatit is more difficult to promote product types that Amazoncompetes with directly.
Further investigation into the Movies-TV category re-vealed that Amazon recommends TV episodes differ-ently. In our attempts to promote specific TV episodes,we found that Amazon recommends instead the first orlatest episode of the corresponding TV series or the en-tire series. Because we declared a promotion success-ful only if the exact ASIN appears in the recommenda-tion lists, these alternate recommendations are consid-ered failures. These cases can also be considered suc-cessful because the attack caused the promotion of verysimilar products. Therefore, we believe that for all cat-egories except for Gift-Cards-Store, an attacker has asignificant chance of successfully promoting best-sellingproducts.
5.5.2 Promoting Randomly Selected Products
We launched pollution attacks on 3,000 randomly se-lected products. We calculated the Cumulative SuccessRate of products with respect to their rankings. The Cu-
12
USENIX Association 22nd USENIX Security Symposium 683
Figure 10: Cumulative promotion rates across varyingproduct ranks for different Amazon pollution attacks.
mulative Success Rate for a given range of product rank-ings is defined as the ratio of the number of successfullypromoted products to the number of target products inthat range.
Figure 10 shows the cumulative promotion rate for dif-ferent product rankings for the two different types of pol-lution attacks. As the target product decreases in popu-larity (i.e., has a higher ranking position within its cat-egory) pollution attacks become less effective, but thisphenomenon reflects a limitation of Amazon recommen-dation algorithms, not our attack. Products with lowrankings might not be purchased as often; as a result,they may have few and weak co-visit and co-purchase re-lationships with other products. Our preliminary inves-tigation finds that products which rank 2,000 or higherwithin their category have at least a 50% chance of be-ing promoted by a visit-based pollution attack, and prod-ucts with rankings 10,000 and higher have at least a 30%chance to be promoted using search-based attacks.
6 Related Work
To the best of our knowledge, the line of work mostclosely related to ours is black-hat search engine op-timization (bSEO). Although sharing a common goalas search history pollution—illicitly promoting websiterankings in search results—bSEO follows a completelydifferent approach, exploiting a search engine’s relianceon crawled Web content. Blackhat SEO engineers thecontent of and links to Web pages to obtain a favorableranking for search terms of interest [8]. Thus, techniquesthat address bSEO are unlikely to be effective againstpollution attacks. On the other hand, because bSEOtargets the general indexing and ranking process insidesearch engines, any successfully promoted website willbe visible to all search engine users, potentially signifi-cantly boosting the volume of incoming traffic. Yet, ef-fective bSEO campaigns typically involve support from
a complex network infrastructure, which may consistof hundreds of search-indexed websites (preferably withnon-trivial reputations at established search engines) tocoordinate and form a link farm [20]. These infrastruc-tures not only require a considerable amount of moneyto build and maintain, but also take time to mature andreach their full effectiveness [8]. By contrast, launchinga search history pollution attack is significantly easier.
We showed in Section 4 that a user’s personalizedsearch results can be manipulated simply by issuingcrafted search queries to Google. Without requiring anyexternal support, the entire process happens instantlywhile the user is visiting the offending Web page. Al-though our attack targets individual search users (i.e., thepolluted result is only visible to individual victims), it byno means limits the scale of the victim population, espe-cially if an exploit is placed on a high-profile, frequentlyvisited website.
7 Discussion
Our current study has several limitations. Most notably,the scale of our experiments is modest, but because wetypically randomly select the target items, we believe thatthe results of our experiments are representative, and thatthey illustrate the substantial potential impacts of pollu-tion attacks. Similarly, our specific pollution attacks arefragile, as each service can take relatively simple steps todefend againt them.
A possible defense against pollution attacks arisesfrom the fact that cross-site request forgery can bestopped if requests to a website must carry tokens issuedby the site. Enforcing this constraint, however, also pre-vents information and behaviors at third-party sites frombeing harvested for personalization and hampers the cur-rent trend of increasing the scope of data collection bywebsites for improved personalization. One short-termeffect from this study may be that (some) websites willbegin to consider the tradeoffs between the security andbenefits of personalization.
YouTube in particular uses two separate HTTP re-quests to track a YouTube’s user viewing activity thatare independent from the act of streaming of the video.One straightforward defense against pollution attacks isto monitor the time between the arrivals of the two HTTPrequests. If YouTube finds the interval is substantiallyless than the length of the video, it could ignore the sig-nal. An attacker can still always inject a short video orcontrol the timing of the HTTP requests in an effort tobypass such a defense mechanism. We did notice thatan injected short video can be used to promote multi-ple longer videos; for example, watching a single two-
13
684 22nd USENIX Security Symposium USENIX Association
second video5 causes YouTube to recommend severallong videos.
8 Conclusion
In this paper, we present a new attack on personalizedservices that exploits the fact that personalized servicesuse a user’s past history to customize content that theypresent to the user. Our attack pollutes a user’s historyby using cross-site request forgery to stealthily inject andexecute a set of targeted browsing activities in the user’sbrowser, so that when the user subsequently accesses theassociated service specific content is promoted. We illus-trate how an attacker can pollute a user’s history to pro-mote certain content across three platforms. While ourattack is simple, its impact can be significant if enoughusers’ histories are compromised.
As personalization algorithms and mechanisms in-creasingly control our interactions with the Internet, it isinevitable that they will become the targets of financiallymotivated attacks. While we demonstrate pollution at-tacks on only YouTube, Google, and Amazon, we believethat our methods are general and can be widely applied toservices that leverage personalization technologies, suchas Facebook, Twitter, Netflix, Pandora, etc. The attackswe present here are just the first few examples of poten-tially many possible attacks on personalization. With in-creasingly complex algorithms and data collection mech-anisms aiming for ever higher financial stakes, there arebound to be vulnerabilities that will be exploited by moti-vated attackers. The age of innocence for personalizationis over; we must now face the challenge of securing it.
Acknowledgments
This research was supported in part by the NationalScience Foundation under grants CNS-1255453, CNS-1255314, CNS-1111723, and CNS-0831300, and the Of-fice of Naval Research under grant no. N000140911042.Any opinions, findings, and conclusions or recommenda-tions expressed in this material are those of the authorsand do not necessarily reflect the views of the NationalScience Foundation or the Office of Naval Research.
[2] BENNETT, P. N., RADLINSKI, F., WHITE, R. W., AND
YILMAZ, E. Inferring and using location metadata to per-sonalize web search. In Proceedings of the 34th Annual
5http://www.youtube.com/watch?v=UPXK3AeRvKE
International ACM SIGIR Conference on Research andDevelopment in Information Retrieval (2011).
[3] CUTTS, M. Does Google use the “keywords” meta tag?http://www.youtube.com/watch?v=jK7IPbnmvVU.
[4] DAOUD, M., TAMINE-LECHANI, L., AND
BOUGHANEM, M. A session based personalizedsearch using an ontological user profile. In Proceed-ings of The 24th Annual ACM Symposium on AppliedComputing (2009).
[5] DAVIDSON, J., LIEBALD, B., LIU, J., NANDY, P.,VAN VLEET, T., GARGI, U., GUPTA, S., HE, Y., LAM-BERT, M., LIVINGSTON, B., AND SAMPATH, D. TheYouTube video recommendation system. In Proceedingsof the 4th ACM Conference on Recommender Systems(2010).
[6] DOU, Z., SONG, R., AND WEN, J.-R. A large-scaleevaluation and analysis of personalized search strategies.In Proceedings of the 16th ACM International Conferenceon the World Wide Web (2007).
[7] LIU, F., YU, C., AND MENG, W. Personalized websearch by mapping user queries to categories. In Pro-ceedings of the 11th ACM International Conference onInformation and Knowledge Management (2002).
[8] LU, L., PERDISCI, R., AND LEE, W. Surf: detectingand measuring search poisoning. In Proceedings of the18th ACM Conference on Computer and communicationssecurity (2011).
[9] MATTHIJS, N., AND RADLINSKI, F. Personalizing Websearch using long term browsing history. In The FourthACM International Conference on Web Search and DataMining (2011).
[10] QIU, F., AND CHO, J. Automatic identication of userinterest for personalized search. In Proceedings of the15th ACM International Conference on the World WideWeb (2006).
[11] SEARCH ENGINE LAND. Bing results get localized& personalized. http://searchengineland.com/
bing-results-get-localized-personalized-
64284.
[12] SEARCH ENGINE LAND. Google now personalizeseveryones search results. http://searchengineland.com/google-now-personalizes-everyones-
search-results-31195.
[13] SHIFLETT, C. Cross-site request forgeries.http://shiflett.org/articles/cross-site-
request-forgeries, 2004.
[14] SIEG, A., MOBASHER, B., AND BURKE, R. Web searchpersonalization with ontological user profiles. In Pro-ceedings of the 16th ACM Conference on Conference onInformation and Knowledge Management (2007).
[15] SONTAG, D., COLLINS-THOMPSON, K., BENNETT,P. N., WHITE, R. W., DUMAIS, S., AND BILLERBECK,B. Probabilistic models for personalizing Web search. InProceedings of the 5th ACM International Conference onWeb Search and Data Mining (2012).
14
USENIX Association 22nd USENIX Security Symposium 685
[16] SRIRAM, S., SHEN, X., AND ZHAI, C. A session-basedsearch engine. In Proceedings of the 27th Annual Inter-national ACM SIGIR Conference on Research and Devel-opment in Information Retrieval (2004).
[17] TAN, C., GABRILOVICH, E., AND PANG, B. To eachhis own: personalized content selection based on textcomprehensibility. In Proceedings of the 5th ACM In-ternational Conference on Web Search and Data Mining(2012).
[18] TEEVAN, J., DUMAIS, S. T., AND HORVITZ, E. Person-alizing search via automated analysis of interests and ac-tivities. In Proceedings of the 28th Annual InternationalACM SIGIR Conference on Research and Development inInformation Retrieval (2005).
[20] WU, B., AND DAVISON, B. D. Identifying link farmspam pages. In Proceedings of the Special Interest Tracksand Posters of the 14th ACM International Conference onthe World Wide Web (2005).
A Appendix
Here we provide more details regarding the actual exploitand test corpora for the search personalization attack.
A.1 Search Term VarianceAs with the various product categories on Amazon, it isreasonable to expect that the effectiveness of search his-tory pollution depends on the value of the search termbeing polluted. In other words, just as Amazon tightlycontrols the gift cards it recommends, it might be the casethat a website cannot be promoted in Google’s search re-sults as easily for a highly competitive search term, suchas “laptop”, as it can for relatively uncontested searchterms. To obtain an estimate of the value of differ-ent search terms, we again turned to Google’s AdWordsKeyword Tool. The tool provides a function that asso-ciates a given search term with a level of competition.The competition level is a measure of how expensiveit would be for URL to consistently pay enough to beranked at the top of the list of advertisers for a particularsearch term. Competition level is expressed as a valuefrom 0 to 1, with 0 having no competition and 1 havingfierce competition.
Recall that out of the 2,136 webpages that we at-tempted to promote using a contextual pollution attack,729 were successful. It is important to note that someof the promoted results were for the same initial searchterms. Therefore, the number of search terms asso-ciated with the webpages are 1,740 and 606, respec-tively. As an example, we attempted to promote bothmade-in-china.com and DHgate.com with respect to
2 4 6 8 11 14 17 20 23 26 29
Non−personalized rank
Num
ber o
f web
page
s
040
8012
0
Figure 11: Google’s original rank distribution for the2,136 webpages whose ranking we attempt to improvewith contextual search history pollution.
the original search term “watch”. The keywords injectedby the pollution attack differ, however, and are “China”and “China wholesale” respectively. For the persistentattacks, we were successful in promoting at least one re-turned website for 247 out of the 551 search terms.
Figure 12 shows the competition level distribution forboth types of attacks. Figures 12(a) and 12(b) corre-spond to the 1,740 search terms associated with our en-tire contextual test corpus and the 606 search terms forwhich there was a website we could promote. Like-wise, Figures 12(c) and 12(d) plot the competitivenessof the search terms for the 551 tested and the 247 suc-cessful persistent pollution attacks. Although the distri-butions are different between test corpora, in both cases,the distributions suggest there is no obvious correlationbetween search term competition or value and the like-lihood of being able to launch a search history pollutionattack.
A.2 Robustness
Because a contextual history pollution attack uses onlya few recent search history entries to promote a website,the lifetime of this attack is limited to the period whenGoogle’s personalization algorithm considers this con-textual information. We empirically determine Google’stimeout threshold by injecting sets of contextual key-words into a Google search profile and then pausingGoogle’s history collection. We then search alternativelyfor two distinct search terms—one that we know is af-fected by the injected keywords, and another we know isnot. We continue to search for these two terms, recordingand time stamping all the search returns.
Our analysis of many such tests with different setsof search terms indicates that Google appears to en-force a ten-minute threshold on context-based personal-ized search, which thereby limits the scope of the con-textual pollution attack. Similarly, there are limits onhow many different searches can be conducted before the
15
686 22nd USENIX Security Symposium USENIX Association
Competition level
Freq
uenc
y
0.0 0.2 0.4 0.6 0.8 1.0
010
020
030
0
(a) Entire corpus, contextual
Competition level
Freq
uenc
y
0.0 0.2 0.4 0.6 0.8 1.0
040
8012
0
(b) Successful attacks, contextual
Competition level
Freq
uenc
y
0.0 0.2 0.4 0.6 0.8 1.0
010
020
030
0
(c) Entire corpus, persistent
Competition level
Freq
uenc
y
0.2 0.4 0.6 0.8 1.0
040
8012
0
(d) Successful attacks, persistent
Figure 12: Distribution of search-term competition levels.
injected context is no longer used to personalize subse-quent queries. Our initial testing indicates that person-alization falls off after the fourth search. Hence, weconclude that the pollution attack can last for at mostfour subsequent queries or ten minutes, whichever comesfirst.
Our testing of persistent attacks shows that if a web-page remains promoted after several search terms, it willremain promoted for a long time. To determine how
long, we identified a set of 100 webpages and searchterms on which we launch a successful persistent pol-lution attack. We then inject additional randomly se-lected trending keywords one-by-one and continuallycheck whether the promotion remains. 72% of the web-sites remain promoted after 60 additional keywords, indi-cating that, when successful, persistent pollution attacksare likely to remain effective for quite some time.
