TY - GEN
T1 - Take this personally
T2 - 22nd USENIX Security Symposium
AU - Xing, Xinyu
AU - Meng, Wei
AU - Doozan, Dan
AU - Snoeren, Alex C.
AU - Feamster, Nick
AU - Lee, Wenke
N1 - Funding Information:
This research was supported in part by the National Science Foundation under grants CNS-1255453, CNS-1255314, CNS-1111723, and CNS-0831300, and the Office of Naval Research under grant no. N000140911042. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Office of Naval Research.
Publisher Copyright:
Copyright © 2013 USENIX Security Symposium. All rights reserved.
PY - 2013
Y1 - 2013
N2 - Modern Web services routinely personalize content to appeal to the specific interests, viewpoints, and contexts of individual users. Ideally, personalization allows sites to highlight information uniquely relevant to each of their users, thereby increasing user satisfaction - and, eventually, the service's bottom line. Unfortunately, as we demonstrate in this paper, the personalization mechanisms currently employed by popular services have not been hardened against attack. We show that third parties can manipulate them to increase the visibility of arbitrary content - whether it be a new YouTube video, an unpopular product on Amazon, or a low-ranking website in Google search returns. In particular, we demonstrate that attackers can inject information into users' profiles on these services, thereby perturbing the results of the services' personalization algorithms. While the details of our exploits are tailored to each service, the general approach is likely to apply quite broadly. By demonstrating the attack against three popular Web services, we highlight a new class of vulnerability that allows an attacker to affect a user's experience with a service, unbeknownst to the user or the service provider.
UR - http://www.scopus.com/inward/record.url?scp=84910642610&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84910642610&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84910642610
T3 - Proceedings of the 22nd USENIX Security Symposium
SP - 671
EP - 686
BT - Proceedings of the 22nd USENIX Security Symposium
PB - USENIX Association
Y2 - 14 August 2013 through 16 August 2013
ER -