Understanding the Manipulation on Recommender Systems through Web Injection

Yubao Zhang, Jidong Xiao, Shuai Hao, Haining Wang, Sencun Zhu, Sushil Jajodia

Research output: Contribution to journalArticlepeer-review

5 Scopus citations


Recommender systems have been increasingly used in a variety of web services, providing a list of recommended items in which a user may have an interest. While important, recommender systems are vulnerable to various malicious attacks. In this paper, we study a new security vulnerability in recommender systems caused by web injection, through which malicious actors stealthily tamper any unprotected in-transit HTTP webpage content and force victims to visit specific items in some web services (even running HTTPS), e.g., YouTube. By doing so, malicious actors can promote their targeted items in those web services. To obtain a deeper understanding on the recommender systems of our interest (including YouTube, Yelp, Taobao, and 360 App market), we first conduct a measurement-based analysis on several real-world recommender systems by leveraging machine learning algorithms. Then, web injection is implemented in three different types of devices (i.e., computer, router, and proxy server) to investigate the scenarios where web injection could occur. Based on the implementation of web injection, we demonstrate that it is feasible and sometimes effective to manipulate the real-world recommender systems through web injection. We also present several countermeasures against such manipulations.

Original languageEnglish (US)
Article number8907865
Pages (from-to)3807-3818
Number of pages12
JournalIEEE Transactions on Information Forensics and Security
StatePublished - 2020

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Understanding the Manipulation on Recommender Systems through Web Injection'. Together they form a unique fingerprint.

Cite this