An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots

Nazar Waheed; Muhammad Ikram; Saad Sajid Hashmi; Xiangjian He; Priyadarsi Nanda

doi:10.1007/978-3-031-20891-1_23

An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots

Nazar Waheed, Muhammad Ikram, Saad Sajid Hashmi, Xiangjian He, Priyadarsi Nanda

School of Computer Science

Research output: Chapter in Book/Conference proceeding › Conference contribution › peer-review

6 Citations (Scopus)

Abstract

Web-based chatbots provide website owners with the benefits of increased sales, immediate response to their customers, and insight into customer behaviour. While Web-based chatbots are getting popular, they have not received much scrutiny from security researchers. The benefits to owners come at the cost of users’ privacy and security. Vulnerabilities, such as tracking cookies and third-party domains, can be hidden in the chatbot’s iFrame script. This paper presents a large-scale analysis of five Web-based chatbots among the top 1-million Alexa websites. Through our crawler tool, we identify the presence of chatbots in these 1-million websites. We discover that 13,392 out of the top 1- million Alexa websites (1.58%) use one of the five analysed chatbots. Our analysis reveals that the top 300k Alexa ranking websites are dominated by Intercom chatbots that embed the least number of third-party domains. LiveChat chatbots dominate the remaining websites and embed the highest samples of third-party domains. We also find that 721 (5.38%) web-based chatbots use insecure protocols to transfer users’ chats in plain text. Furthermore, some chatbots heavily rely on cookies for tracking and advertisement purposes. More than two-thirds (68.92%) of the identified cookies in chatbot iFrames are used for ads and tracking users. Our results show that, despite the promises for privacy, security, and anonymity given by most websites, millions of users may unknowingly be subject to poor security guarantees by chatbot service providers.

Original language	English
Title of host publication	Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings
Editors	Richard Chbeir, Helen Huang, Fabrizio Silvestri, Yannis Manolopoulos, Yanchun Zhang, Yanchun Zhang
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	325-339
Number of pages	15
ISBN (Print)	9783031208904
DOIs	https://doi.org/10.1007/978-3-031-20891-1_23
Publication status	Published - 2022
Event	23rd International Conference on Web Information Systems Engineering, WISE 2021 - Biarritz, France Duration: 1 Nov 2022 → 3 Nov 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13724 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd International Conference on Web Information Systems Engineering, WISE 2021
Country/Territory	France
City	Biarritz
Period	1/11/22 → 3/11/22

Keywords

Chatbot
Web privacy
Web-based chatbot

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-20891-1_23

Cite this

Waheed, N., Ikram, M., Hashmi, S. S., He, X., & Nanda, P. (2022). An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots. In R. Chbeir, H. Huang, F. Silvestri, Y. Manolopoulos, Y. Zhang, & Y. Zhang (Eds.), Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings (pp. 325-339). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13724 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-20891-1_23

Waheed, Nazar ; Ikram, Muhammad ; Hashmi, Saad Sajid et al. / An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots. Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings. editor / Richard Chbeir ; Helen Huang ; Fabrizio Silvestri ; Yannis Manolopoulos ; Yanchun Zhang ; Yanchun Zhang. Springer Science and Business Media Deutschland GmbH, 2022. pp. 325-339 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6f57f249060048e1b6f417d58366acb4,

title = "An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots",

abstract = "Web-based chatbots provide website owners with the benefits of increased sales, immediate response to their customers, and insight into customer behaviour. While Web-based chatbots are getting popular, they have not received much scrutiny from security researchers. The benefits to owners come at the cost of users{\textquoteright} privacy and security. Vulnerabilities, such as tracking cookies and third-party domains, can be hidden in the chatbot{\textquoteright}s iFrame script. This paper presents a large-scale analysis of five Web-based chatbots among the top 1-million Alexa websites. Through our crawler tool, we identify the presence of chatbots in these 1-million websites. We discover that 13,392 out of the top 1- million Alexa websites (1.58%) use one of the five analysed chatbots. Our analysis reveals that the top 300k Alexa ranking websites are dominated by Intercom chatbots that embed the least number of third-party domains. LiveChat chatbots dominate the remaining websites and embed the highest samples of third-party domains. We also find that 721 (5.38%) web-based chatbots use insecure protocols to transfer users{\textquoteright} chats in plain text. Furthermore, some chatbots heavily rely on cookies for tracking and advertisement purposes. More than two-thirds (68.92%) of the identified cookies in chatbot iFrames are used for ads and tracking users. Our results show that, despite the promises for privacy, security, and anonymity given by most websites, millions of users may unknowingly be subject to poor security guarantees by chatbot service providers.",

keywords = "Chatbot, Web privacy, Web-based chatbot",

author = "Nazar Waheed and Muhammad Ikram and Hashmi, {Saad Sajid} and Xiangjian He and Priyadarsi Nanda",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 23rd International Conference on Web Information Systems Engineering, WISE 2021 ; Conference date: 01-11-2022 Through 03-11-2022",

year = "2022",

doi = "10.1007/978-3-031-20891-1_23",

language = "English",

isbn = "9783031208904",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "325--339",

editor = "Richard Chbeir and Helen Huang and Fabrizio Silvestri and Yannis Manolopoulos and Yanchun Zhang and Yanchun Zhang",

booktitle = "Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings",

address = "Germany",

}

Waheed, N, Ikram, M, Hashmi, SS, He, X & Nanda, P 2022, An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots. in R Chbeir, H Huang, F Silvestri, Y Manolopoulos, Y Zhang & Y Zhang (eds), Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13724 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 325-339, 23rd International Conference on Web Information Systems Engineering, WISE 2021, Biarritz, France, 1/11/22. https://doi.org/10.1007/978-3-031-20891-1_23

An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots. / Waheed, Nazar; Ikram, Muhammad; Hashmi, Saad Sajid et al.
Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings. ed. / Richard Chbeir; Helen Huang; Fabrizio Silvestri; Yannis Manolopoulos; Yanchun Zhang; Yanchun Zhang. Springer Science and Business Media Deutschland GmbH, 2022. p. 325-339 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13724 LNCS).

Research output: Chapter in Book/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots

AU - Waheed, Nazar

AU - Ikram, Muhammad

AU - Hashmi, Saad Sajid

AU - He, Xiangjian

AU - Nanda, Priyadarsi

PY - 2022

Y1 - 2022

N2 - Web-based chatbots provide website owners with the benefits of increased sales, immediate response to their customers, and insight into customer behaviour. While Web-based chatbots are getting popular, they have not received much scrutiny from security researchers. The benefits to owners come at the cost of users’ privacy and security. Vulnerabilities, such as tracking cookies and third-party domains, can be hidden in the chatbot’s iFrame script. This paper presents a large-scale analysis of five Web-based chatbots among the top 1-million Alexa websites. Through our crawler tool, we identify the presence of chatbots in these 1-million websites. We discover that 13,392 out of the top 1- million Alexa websites (1.58%) use one of the five analysed chatbots. Our analysis reveals that the top 300k Alexa ranking websites are dominated by Intercom chatbots that embed the least number of third-party domains. LiveChat chatbots dominate the remaining websites and embed the highest samples of third-party domains. We also find that 721 (5.38%) web-based chatbots use insecure protocols to transfer users’ chats in plain text. Furthermore, some chatbots heavily rely on cookies for tracking and advertisement purposes. More than two-thirds (68.92%) of the identified cookies in chatbot iFrames are used for ads and tracking users. Our results show that, despite the promises for privacy, security, and anonymity given by most websites, millions of users may unknowingly be subject to poor security guarantees by chatbot service providers.

AB - Web-based chatbots provide website owners with the benefits of increased sales, immediate response to their customers, and insight into customer behaviour. While Web-based chatbots are getting popular, they have not received much scrutiny from security researchers. The benefits to owners come at the cost of users’ privacy and security. Vulnerabilities, such as tracking cookies and third-party domains, can be hidden in the chatbot’s iFrame script. This paper presents a large-scale analysis of five Web-based chatbots among the top 1-million Alexa websites. Through our crawler tool, we identify the presence of chatbots in these 1-million websites. We discover that 13,392 out of the top 1- million Alexa websites (1.58%) use one of the five analysed chatbots. Our analysis reveals that the top 300k Alexa ranking websites are dominated by Intercom chatbots that embed the least number of third-party domains. LiveChat chatbots dominate the remaining websites and embed the highest samples of third-party domains. We also find that 721 (5.38%) web-based chatbots use insecure protocols to transfer users’ chats in plain text. Furthermore, some chatbots heavily rely on cookies for tracking and advertisement purposes. More than two-thirds (68.92%) of the identified cookies in chatbot iFrames are used for ads and tracking users. Our results show that, despite the promises for privacy, security, and anonymity given by most websites, millions of users may unknowingly be subject to poor security guarantees by chatbot service providers.

KW - Chatbot

KW - Web privacy

KW - Web-based chatbot

UR - http://www.scopus.com/inward/record.url?scp=85142674397&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-20891-1_23

DO - 10.1007/978-3-031-20891-1_23

M3 - Conference contribution

AN - SCOPUS:85142674397

SN - 9783031208904

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 325

EP - 339

BT - Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings

A2 - Chbeir, Richard

A2 - Huang, Helen

A2 - Silvestri, Fabrizio

A2 - Manolopoulos, Yannis

A2 - Zhang, Yanchun

PB - Springer Science and Business Media Deutschland GmbH

T2 - 23rd International Conference on Web Information Systems Engineering, WISE 2021

Y2 - 1 November 2022 through 3 November 2022

ER -

Waheed N, Ikram M, Hashmi SS, He X, Nanda P. An Empirical Assessment of Security and Privacy Risks of Web-Based Chatbots. In Chbeir R, Huang H, Silvestri F, Manolopoulos Y, Zhang Y, Zhang Y, editors, Web Information Systems Engineering – WISE 2022 - 23rd International Conference, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 325-339. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-20891-1_23