Monday, March 30, 2026

The Peril of Tracking Pixels

I've known about tracking pixels for a long time but never figured that they were much of a problem. Of course, they do reveal that you read an email or accessed a web site, but there are riskier things to worry about when reading email or browsing the web.

But things have changed, as Steve Gibson pointed out in the latest installment of his Security Now podcast. From page 8 of his show notes:

I just learned how far tracking pixels have evolved. They’re easy to miss because, much like cookies, the code their presence on any webpage allows to run is hidden from us. But last Wednesday the 18th, the security researchers at Jscrambler shared what they had recently learned about what TikTok and Meta are doing.

Their headline was: “Beyond Analytics: The Silent Collection of Commercial Intelligence by TikTok and Meta Ad Pixels”. As we’ll see, this writing is targeted at web merchants who are voluntarily adding these insidious tracking pixels to their sites’ own webpages without a full appreciation or understanding of the privacy implications for their visitors. 

It turns out that Meta and TikTok are collecting both personal information (names, addresses, phone numbers, partial payment card details) and a log of just about everything that visitors do on sites carrying these pixels. From the report, Gibson quotes this:

Meta’s pixel includes a feature called Automatic Events, which is enabled by default. The feature automatically scans page elements and captures information such as checkout interactions and visible payment card details, including the last digits, expiration date, and cardholder name. Since this is the default behavior and not an opt-in, merchants may not be aware that the pixel is collecting this information. On separate sites, Meta captured recipients' full names and delivery addresses when users selected address options during checkout.

This information lets Meta compile a huge database of behaviour that it can sell. It also puts the users of those sites at risk: the data is one more thing exposed in any breach at Meta, and because the pixel may send it in cleartext, sometimes inside the request URL itself, it can end up in browser histories, proxy and server logs and debugging tools, where an attacker targeting that user could pick it up.

Both TikTok's and Meta's pixel code can load and begin transmitting data before the website's consent management system has time to block it, meaning information can leave the browser before the user’s choice is applied. Even more concerning is that data may be transmitted in cleartext—occasionally within the request URL itself—exposing sensitive information to browser histories, server logs, intermediaries, and debugging tools.

This vulnerability stems not only from the pixel’s data-collection methods but also from misconfigurations during its implementation or from issues with the website's underlying architecture. Consequently, the attack surface is significantly broader than a surface-level analysis suggests.
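
The two problems the report describes, plaintext personal data carried in a beacon's URL and beacons sent before the consent choice is recorded, are both visible in a plain network capture. The following is an added example, not code from this post, from Gibson's show notes or from the Jscrambler report: it audits a list of captured requests (the shape you would export from the browser devtools network panel or a HAR file) and flags parameters that look like names, emails, phone numbers or payment card fields, while treating 64-hex-character values as hashed matching data rather than plaintext. The hostnames, paths and parameter names in the sample capture are constructed for illustration and are not a verified description of either vendor's wire format; the parameter-name heuristics are deliberately loose and will produce false positives on real traffic.

```javascript
// Added example (not from the post, Gibson's notes or the Jscrambler report):
// audit captured pixel beacons for plaintext PII in the URL and for beacons
// sent before the visitor's consent choice was recorded.
// Hostnames, paths and parameter names are constructed for illustration.

const PIXEL_HOSTS = new Set(["www.facebook.com", "analytics.tiktok.com"]);

// Value-shape heuristics. A 64-hex-char value is treated as a SHA-256 digest
// (hashed matching data) rather than plaintext and is therefore not flagged.
const HASHED = /^[0-9a-f]{64}$/i;
const EMAIL = /^[^@\s]+@[^@\s]+\.[a-z]{2,}$/i;
const PHONE = /^\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$/;
const PERSON_NAME = /^[A-Z][a-z]+(?: [A-Z][a-z]+)+$/;
// Parameter-name heuristics: loose on purpose, expect false positives.
const CARD_PARAM = /card|pan|cvv|cvc|exp/i;
const NAME_PARAM = /name|holder/i;

// Returns the kinds of sensitive data one query parameter appears to carry.
function classifyParam(name, value) {
  if (HASHED.test(value)) return [];
  const kinds = [];
  if (EMAIL.test(value)) kinds.push("email");
  if (PHONE.test(value)) kinds.push("phone");
  if (NAME_PARAM.test(name) && PERSON_NAME.test(value)) kinds.push("person_name");
  if (CARD_PARAM.test(name)) kinds.push("payment_card_field");
  return kinds;
}

// Audits one captured request. `entry` is { ts, url } with ts in ms since
// page load; `consentAt` is when the consent manager recorded the visitor's
// choice, or null if unknown. Returns null for requests that are not beacons
// to a known pixel host.
function auditBeacon(entry, consentAt) {
  const url = new URL(entry.url);
  if (!PIXEL_HOSTS.has(url.hostname)) return null;
  const findings = [];
  for (const [name, value] of url.searchParams) {
    for (const kind of classifyParam(name, value)) {
      // Anything in the query string lands in browser history, proxy and
      // server logs and debugging tools even when the connection uses TLS.
      findings.push({ kind, param: name, value, exposure: "url_query" });
    }
  }
  if (consentAt !== null && entry.ts < consentAt) {
    findings.push({ kind: "sent_before_consent", param: null, value: null, exposure: "timing" });
  }
  return { host: url.hostname, ts: entry.ts, findings };
}

// Audits a whole capture, dropping requests that are not pixel beacons.
function auditLog(entries, consentAt) {
  return entries.map((e) => auditBeacon(e, consentAt)).filter((r) => r !== null);
}

// Constructed sample capture (not real traffic). The consent manager records
// the visitor's choice at 2000 ms; the first three beacons precede it.
const SAMPLE_LOG = [
  { ts: 900, url: "https://www.facebook.com/tr/?id=1234567890123456&ev=PageView&dl=https%3A%2F%2Fshop.example%2Fcheckout" },
  { ts: 950, url: "https://shop.example/api/cart" }, // first-party, not a beacon
  { ts: 1200, url: "https://www.facebook.com/tr/?id=1234567890123456&ev=AddPaymentInfo&cd[cardholder]=Jane%20Doe&cd[card_last4]=4242&cd[exp]=09%2F28" },
  { ts: 1300, url: "https://analytics.tiktok.com/api/v2/pixel?event=CompletePayment&email=jane.doe%40example.com&phone=%2B1%20555%20123%204567" },
  { ts: 5000, url: "https://www.facebook.com/tr/?id=1234567890123456&ev=Purchase&value=42.00&currency=USD" },
  // 64 hex chars standing in for a SHA-256 digest of an email address
  { ts: 5200, url: "https://www.facebook.com/tr/?id=1234567890123456&ev=Lead&ud[em]=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" },
];
const CONSENT_AT = 2000;

// One line per beacon, e.g. "www.facebook.com @1200ms: person_name(cd[cardholder]), ..."
function report(entries, consentAt) {
  return auditLog(entries, consentAt).map((r) => {
    const items = r.findings.map((f) => (f.param ? `${f.kind}(${f.param})` : f.kind));
    return `${r.host} @${r.ts}ms: ${items.join(", ") || "clean"}`;
  });
}

for (const line of report(SAMPLE_LOG, CONSENT_AT)) console.log(line);
```

Run with `node` to print the summary. The hashed-value exemption matters because a hashed identifier in the query string is a different finding from a plaintext one, and the consent check only reports what the capture can show: that a beacon left the browser before the recorded choice, not what the visitor eventually chose.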

Using Firefox, which still supports the full uBlock Origin, is probably a good idea. Google Chrome only supports uBlock Origin Lite (which I am using), because Chrome's Manifest V3 removed the blocking webRequest API that the full extension relies on; the Lite version works from a static rule set and is not as effective at blocking tracking pixels, web beacons and tracking scripts. Blocking on the client only protects the visitor who installs the blocker; a merchant who has added one of these pixels needs to review what it is configured to collect and when it is allowed to load.

Yet another item to add to my To Do list. 
