An Empirical Assessment of Security and Privacy Risks of Web based-Chatbots

WISE | Pub Date: 2022-05-17 | DOI: 10.48550/arXiv.2205.08252
Nazar Waheed, M. Ikram, S. S. Hashmi, Xiangjian He, P. Nanda
Citations: 2

Abstract

Web-based chatbots provide website owners with the benefits of increased sales, immediate response to their customers, and insight into customer behaviour. While Web-based chatbots are getting popular, they have not received much scrutiny from security researchers. The benefits to owners come at the cost of users' privacy and security. Vulnerabilities, such as tracking cookies and third-party domains, can be hidden in the chatbot's iFrame script. This paper presents a large-scale analysis of five Web-based chatbots among the top 1-million Alexa websites. Through our crawler tool, we identify the presence of chatbots in these 1-million websites. We discover that 13,515 out of the top 1-million Alexa websites (1.59%) use one of the five analysed chatbots. Our analysis reveals that the top 300k Alexa ranking websites are dominated by Intercom chatbots that embed the least number of third-party domains. LiveChat chatbots dominate the remaining websites and embed the highest samples of third-party domains. We also find that 850 (6.29%) of the chatbots use insecure protocols to transfer users' chats in plain text. Furthermore, some chatbots heavily rely on cookies for tracking and advertisement purposes. More than two-thirds (68.92%) of the identified cookies in chatbot iFrames are used for ads and tracking users. Our results show that, despite the promises for privacy, security, and anonymity given by the majority of the websites, millions of users may unknowingly be subject to poor security guarantees by chatbot service providers.