Take this personally: Pollution attacks on personalized services

Xinyu Xing, Wei Meng, Dan Doozan, Alex C. Snoeren, Nick Feamster, Wenke Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

10 Scopus citations

Abstract

Modern Web services routinely personalize content to appeal to the specific interests, viewpoints, and contexts of individual users. Ideally, personalization allows sites to highlight information uniquely relevant to each of their users, thereby increasing user satisfaction - and, eventually, the service's bottom line. Unfortunately, as we demonstrate in this paper, the personalization mechanisms currently employed by popular services have not been hardened against attack. We show that third parties can manipulate them to increase the visibility of arbitrary content - whether it be a new YouTube video, an unpopular product on Amazon, or a low-ranking website in Google search returns. In particular, we demonstrate that attackers can inject information into users' profiles on these services, thereby perturbing the results of the services' personalization algorithms. While the details of our exploits are tailored to each service, the general approach is likely to apply quite broadly. By demonstrating the attack against three popular Web services, we highlight a new class of vulnerability that allows an attacker to affect a user's experience with a service, unbeknownst to the user or the service provider.

Original languageEnglish (US)
Title of host publicationProceedings of the 22nd USENIX Security Symposium
PublisherUSENIX Association
Pages671-686
Number of pages16
ISBN (Electronic)9781931971034
StatePublished - Jan 1 2013
Event22nd USENIX Security Symposium - Washington, United States
Duration: Aug 14 2013Aug 16 2013

Publication series

NameProceedings of the 22nd USENIX Security Symposium

Conference

Conference22nd USENIX Security Symposium
CountryUnited States
CityWashington
Period8/14/138/16/13

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Xing, X., Meng, W., Doozan, D., Snoeren, A. C., Feamster, N., & Lee, W. (2013). Take this personally: Pollution attacks on personalized services. In Proceedings of the 22nd USENIX Security Symposium (pp. 671-686). (Proceedings of the 22nd USENIX Security Symposium). USENIX Association.