Paper Info
Title
Take this personally: pollution attacks on personalized services
Abstract
Modern Web services routinely personalize content to appeal to the specific interests, viewpoints, and contexts of individual users. Ideally, personalization allows sites to highlight information uniquely relevant to each of their users, thereby increasing user satisfaction--and, eventually, the service's bottom line. Unfortunately, as we demonstrate in this paper, the personalization mechanisms currently employed by popular services have not been hardened against attack. We show that third parties can manipulate them to increase the visibility of arbitrary content--whether it be a new YouTube video, an unpopular product on Amazon, or a low-ranking website in Google search returns. In particular, we demonstrate that attackers can inject information into users' profiles on these services, thereby perturbing the results of the services' personalization algorithms. While the details of our exploits are tailored to each service, the general approach is likely to apply quite broadly. By demonstrating the attack against three popular Web services, we highlight a new class of vulnerability that allows an attacker to affect a user's experience with a service, unbeknownst to the user or the service provider.
Year
Venue
Keywords
2013
USENIX Security
personalized service,modern web service,arbitrary content,personalization mechanism,popular web service,popular service,new youtube video,user satisfaction,personalization algorithm,pollution attack,service provider,individual user
Field
DocType
Citations 
Services computing,World Wide Web,Internet privacy,Visibility,Computer security,Viewpoints,Computer science,Exploit,Service provider,Web service,Personalization,Vulnerability
Conference
7
PageRank 
References 
Authors
0.57
14
6
Name
Order
Citations
PageRank
Xinyu Xing137035.71
Wei Meng2506.53
Dan Doozan3201.49
Alex C. Snoeren43228239.85
Nick Feamster54736390.57
Wenke Lee69351628.83