2

Is it possible to serve up specific content to an end-user? For example, I know your IP address, and other device information. Can I use that to serve up certain search results on a search engine, certain videos on websites, and use that to target an individual with specific advertisements? Obviously I am not interested in carrying out such attacks, rather seeing if it is feasible.

Additionally, what information can identify a device if a VPN is in use?

Johnny

1 Answer

4

Yes, this is a common practice. There are many ways to identify a user. Here are a few.

  • user agent string in the request

  • browser fingerprinting (Panopticlick)

  • IP address (country, region, ISP, known VPN ranges, blacklists, etc.)

  • referrer header

  • cookies

  • previous history (look through your own logs to ID return traffic)

  • URL history harvesting

  • CSS fingerprinting

There's an almost endless number of ways to identify different users/clients. Serving different content is supported in pretty much every language/server. It's the basis of dynamic web apps (Facebook, Twitter, pretty much every interactive webpage).

Daisetsu
  • Thank you for your response! For a specific example, could a black hat serve up certain pages/sites in search results on a search engine like Google, or would a company have to have corrupt software engineers for that to be possible? – BestReasonofWiseMen Nov 09 '18 at 18:44
  • I think I may have misinterpreted what you were asking. It seems like you're talking about an attacker modifying a victim's web traffic to/from a website the attacker doesn't control, is that what you meant? – Daisetsu Nov 09 '18 at 18:46
  • You answered one part of my question, but I failed to communicate the other half of my question effectively! You answered the first part very well, and I greatly appreciate it! My follow-up question for you, since you seem very knowledgeable, was: could an attacker modify search results? :) – BestReasonofWiseMen Nov 09 '18 at 18:48
  • If the search results were sent over an insecure channel (not using TLS, a.k.a. HTTPS) then yes, provided they had performed a man-in-the-middle attack and were in line between the website and the victim, or on the victim's network. Most traffic (including Google) is now encrypted (HTTPS) by default. – Daisetsu Nov 09 '18 at 18:51
  • Thank you! My last question is: could a private company like Google alter search results from the back-end? Or could a computer manufacturer display certain pages in the search section of a web browser, i.e. typing in a few words and having it search through a database to display articles with certain topics (e.g. bring up any pages mentioning certain topics, like babies or pizza)? – BestReasonofWiseMen Nov 09 '18 at 18:59
  • Google can and does send personalised search results to you based off your account, location, and potentially other information. This is not a secret. A manufacturer could mess with search results, if they added malware to your company router before you bought it. – Daisetsu Nov 09 '18 at 19:02
  • @BestReasonofWiseMen please edit your question with this new detail – schroeder Nov 09 '18 at 19:38
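
On the VPN part of the question, the sketch below (an added example, not code from the answer or any commenter) shows why a changed IP address alone does not stop a server from recognising a returning client: the cookie and the passive request headers from the answer's list stay the same. The `sid` cookie name, the header set chosen, and all sample requests are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Headers every request carries before any script runs in the page.
PASSIVE_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")

def _lower(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}

def passive_fingerprint(headers):
    """Hash the passive header values into a short identifier (no IP involved)."""
    h = _lower(headers)
    material = "\n".join(f"{name}={h.get(name, '')}" for name in PASSIVE_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def visitor_key(headers):
    """Use the hypothetical 'sid' cookie if present, else the header fingerprint."""
    for part in _lower(headers).get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return "cookie:" + value
    return "fp:" + passive_fingerprint(headers)

def link_requests(requests):
    """Map each visitor key to the set of source IPs it was seen from."""
    seen = defaultdict(set)
    for ip, headers in requests:
        seen[visitor_key(headers)].add(ip)
    return dict(seen)

# Constructed sample: documentation IP ranges; 203.0.113.50 plays a shared VPN exit.
ALICE = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0",
         "Accept": "text/html", "Accept-Language": "en-GB,cy;q=0.7", "Accept-Encoding": "gzip, br"}
BOB = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0.3538.77",
       "Accept": "text/html", "Accept-Language": "en-US", "Accept-Encoding": "gzip",
       "Cookie": "sid=abc123"}
CAROL = dict(BOB, **{"Accept-Language": "de-DE"})
del CAROL["Cookie"]
SAMPLE = [("198.51.100.7", ALICE), ("203.0.113.50", ALICE),  # home IP, then VPN
          ("192.0.2.10", BOB), ("203.0.113.50", BOB),        # cookie follows onto the VPN
          ("203.0.113.50", CAROL)]                            # same exit IP, other client

if __name__ == "__main__":
    for key, ips in link_requests(SAMPLE).items():
        print(key, sorted(ips))
```

Three clients share one exit IP here and are still told apart, while two of them are linked across their IP change. Clearing cookies and using a browser whose header values are common to many users is what enlarges the set of clients sharing a key.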