Paper review - All Your Clicks Belong to Me: Investigating Click Interception
July 3, 2019
Summary
Non-clickjacking detection. Used a heavily instrumented version of Chromium. Finds a small number (100s of sites/scripts) of blatant (ad abuse, scamware) incidents.
Promises: the call stack of the asynchronous start won't be visible when the Promise returns, which makes them harder to instrument.
Domain graph of which domains are owned by whom (first-party to third-party connections) - interesting research idea - better than SOP?
Click interception vs clickjacking
Brave - built-in ad blocking, but the browser locally analyses your browsing patterns and shows out-of-band ads tailored to your interests while preserving your privacy. Brave tracks the time you spend on a site and converts it into attention tokens (a cryptocurrency), which you can earn back after watching ads and use to pay websites.
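The Promise note in the summary, as an added example (not from the paper or from this review): in a V8-based runtime such as Node.js or Chromium, the stack seen inside a `.then` callback no longer contains the function that scheduled it, so instrumentation has to capture the stack when the callback is registered. The names `thirdPartyInit`, `trackedThen` and `compareAttribution` are hypothetical.

```javascript
// Added illustration; all function names here are hypothetical.
// Assumes V8 stack-trace text ("    at name (location)").

// Function names found in a V8 stack string, innermost first.
function frameNames(stack) {
  return stack
    .split("\n")
    .slice(1)
    .map((line) => (line.match(/^\s*at (?:async )?([^\s(]+) \(/) || [])[1])
    .filter(Boolean);
}

// Uninstrumented: the callback records the stack it sees when it runs.
function thirdPartyInit() {
  return Promise.resolve().then(function onResolved() {
    return frameNames(new Error().stack);
  });
}

// Instrumented: capture the stack synchronously at registration time and
// pass it to the callback, so the scheduler can still be attributed.
function trackedThen(promise, callback) {
  const registeredFrom = frameNames(new Error().stack).slice(1); // drop trackedThen
  return promise.then((value) => callback(value, registeredFrom));
}

function thirdPartyInitTracked() {
  return trackedThen(Promise.resolve(), function onResolved(_value, registeredFrom) {
    return { runStack: frameNames(new Error().stack), registeredFrom };
  });
}

// Run both variants and report where the scheduling function is visible.
async function compareAttribution() {
  const plain = await thirdPartyInit();
  const tracked = await thirdPartyInitTracked();
  return {
    plainSeesScheduler: plain.includes("thirdPartyInit"),
    runStackSeesScheduler: tracked.runStack.includes("thirdPartyInitTracked"),
    registrationSeesScheduler: tracked.registeredFrom.includes("thirdPartyInitTracked"),
  };
}

compareAttribution().then((result) => console.log(result));
```

Only the stack captured at registration time names the scheduling function; the stack taken when the callback runs starts at the callback itself.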
Strong Points
Found first parties putting dodgy code in their websites
Found a potential new type of ad fraud in which someone could act as an ad network and trick publishers into putting its scripts into their websites; the scripts do click fraud (bots clicking on ads and generating ad revenue) and pass some of the kickback to the publisher
Weak Points
Could have been more tightly written
Small results (about 100 websites in Alexa 250K)