Protected Web Components: Hiding Sensitive Information in the Shadows

Most modern Web applications depend on the integration of code from third-party providers, such as JavaScript libraries and advertisements. Because the included code runs within the page's security context, it represents an attractive attack target, allowing the compromise of numerous Web applications through a single attack vector (such as a malicious advertisement). Such opportunistic attackers aim to execute low-profile, nontargeted, widely applicable data-gathering attacks, such as the silent extraction of user-specific data and authentication credentials. In this article, the authors show that third-party code inclusion is rampant, even in privacy-sensitive applications such as online password managers, thereby potentially exposing the user's most sensitive data to attackers. They propose protected Web components, which leverage the newly proposed Web components, repurposing them to protect private data against opportunistic attacks, by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a component. This article is part of a special issue on IT security.