18/11/2019 – Talk by Benjamin Krumnow

Title: mashing OpenWPM for fun and profit
Time: 10:00
Location: Acadia Lab, Building Zeta
Type: Research talk
Speaker: Hugo Jonker
Abstract: Web bots are a widely recognized tool for conducting empirical studies of the World Wide Web. OpenWPM is a framework that uses a web bot framework to facilitate web measurements. It is used in at least 46 scientific studies. However, there are clear indications that web sites attempt to recognize web bots and thereupon serve deviating content or block bots. Due to browser fingerprinting, this can already happen with the first call of a web page. To do so, a web server attempts to retrieve unique properties that distinguish a web bot from human-controlled web browsers. To what extent OpenWPM is vulnerable to fingerprint-based detection has not yet been questioned. In this talk, I will present our investigation of detecting OpenWPM users based on their fingerprints. For that, we conduct a systematic analysis of the OpenWPM system architecture. We determine unique properties in OpenWPM’s fingerprint by applying fingerprinting and template attack tools to each component of OpenWPM. Our study reveals over 2K not-yet-known properties that would allow any web server to detect OpenWPM users. We show that most differences in OpenWPM result from automation components or the Firefox headless mode. Nevertheless, some deviations only occur in OpenWPM and could also be used to distinguish OpenWPM from ordinary bots. For demonstration purposes, we develop a web application that detects OpenWPM-based web clients and delivers manipulated content to them.