PURL: Safe and Effective Sanitization of Link Decoration

https://drive.google.com/file/d/1LOg1Sm9VAwomvx6fb3vyO-GR-EuV1EB8/view?usp=drive_link

While privacy-focused browsers have taken steps to block third-party cookies and mitigate browser fingerprinting, novel tracking techniques that can bypass existing countermeasures continue to emerge. Since trackers need to exfiltrate information from the client-side to the server-side through link decoration regardless of the tracking technique they employ, a promising orthogonal approach is to detect and sanitize tracking information in decorated links. To this end, we present PURL (pronounced purel-l), a machine learning approach that leverages a cross-layer graph representation of webpage execution to safely and effectively sanitize link decoration. Our evaluation shows that PURL significantly outperforms existing countermeasures in terms of accuracy and reducing website breakage while being robust to common evasion techniques. We use PURL to perform a measurement study on top-million websites. We find that link decoration is widely abused by wellknown advertisers and trackers to exfiltrate information from browser storage, email addresses, and fingerprinting scripts.