"Cybersecurity Researchers Show How Attackers Can See Your Online Ads Knowing Only Your Email Address"
New research reveals that online adversaries can view or manipulate the online user-targeting process applied by third-party advertisers through the use of their target's email address. A four-person team of researchers from the Georgia Institute of Technology, University of Illinois Chicago (UIC), and New York University (NYU) presented their findings at the ACM Conference on Computer and Communications Security (CCS). Much of today's online advertising is specifically tailored to individuals based on their browsing history, location, and various other factors gathered by third-party advertising networks. This information is collected through tracking cookies, which are distributed by third-party advertisement networks and linked to unique identifiers such as email addresses. These cookies enable advertisers to build detailed profiles of Internet users. However, as the researchers discovered, this system can be influenced by malicious actors. Once an attacker has obtained a user's email address, they can access the information collected by any third-party advertiser monitoring a specific user's targeted advertisement stream. This could enable malicious actors to gain insight into an individual's detailed browsing history, such as online retailers and travel websites. Third-party advertising networks have no direct relationship with users, so if they want to track user activity across devices, they must rely on identity information provided by other websites, such as email addresses, according to Paul Pearce, assistant professor in Georgia Tech's School of Cybersecurity and Privacy (SCP). Their research demonstrates that the way information is passed to advertising networks is both insecure and difficult to verify. If an attacker knows a victim's email address, they can pose as a user to the advertising network, causing real privacy issues. This vulnerability is called advertising identity entanglement, and it occurs when attackers trick advertising networks into correlating the attacker's tracking cookies with a targeted person's email address, looping them into the data being gathered by third-parties. According to Pearce and his colleagues' paper, adversaries can also use the process to send advertisements of any kind to their targets. This article continues to discuss how attackers can intercept targeted advertising via advertising network identify entanglement.