RTB Protocols as Surveillance Tools: Deconstructing the Webloc Report
Just finished reviewing the Citizen Lab report on Webloc (formerly Cobwebs Technologies, now Penlink). It is wild to think that standard RTB (Real-Time Bidding) protocols, which we usually just flag as 'chatty telemetry,' are being weaponized by LE entities in Hungary, El Salvador, and the US to track 500M devices.
Technically, this isn't a vulnerability; it's the architecture working too well. When an app loads an ad, it sends a bid request containing the device's IP, User-Agent, and often GPS coordinates to hundreds of potential bidders. Webloc essentially acts as a 'super bidder' to hoover up this location data without the app or user knowing.
To visualize the risk, look at how much PII is passed in a standard OpenRTB 2.x bid request payload:
```python
import json

# Simulated data exposed in a standard OpenRTB 2.x bid request
mock_bid_request = {
    "id": "req-123",
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 10; SM-G981B)",
        "ip": "203.0.113.5",
        "geo": {
            "lat": 34.0522,
            "lon": -118.2437,
            "country": "USA",
            "type": 1  # 1 = GPS/location services, i.e. device-level location accuracy
        },
        "ifa": "550e8400-e29b-41d4-a716-446655440000"  # IDFA/AAID
    },
    "user": {
        "id": "user-tracker-99"
    }
}

# Extracting PII from the 'innocent' ad request
print("Leaked Geo Data:", json.dumps(mock_bid_request["device"]["geo"], indent=2))
```
From a defense standpoint, you can't easily patch the internet's ad infrastructure. However, for high-risk targets, we can mitigate exposure by blocking known ad-tech domains or resetting MAIDs (Mobile Advertising IDs).
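As an added example (not code from the original post or the Citizen Lab report), here is how the identifying fields in a bid request can be enumerated, and how a data-minimizing exchange should honor the OpenRTB 2.x `device.lmt` (Limit Ad Tracking) signal: drop the IFA and user ID, coarsen GPS-derived coordinates, and truncate the IP. `device.lmt` and the `geo.type` codes are real OpenRTB 2.x fields; the request values are constructed.

```python
import copy
import ipaddress

GPS_DERIVED = 1  # OpenRTB 2.x geo.type: 1 = GPS/location services, 2 = IP-derived, 3 = user-provided

# Constructed sample request (not real traffic); device.lmt=1 is the OS "Limit Ad Tracking" signal
SAMPLE_BID_REQUEST = {
    "id": "req-123",
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 10; SM-G981B)",
        "ip": "203.0.113.5",
        "lmt": 1,
        "geo": {"lat": 34.0522, "lon": -118.2437, "country": "USA", "type": GPS_DERIVED},
        "ifa": "550e8400-e29b-41d4-a716-446655440000",
    },
    "user": {"id": "user-tracker-99"},
}

def exposure_report(req):
    """List the identifying fields a bidder receives from this request."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    lat = geo.get("lat", 0.0)
    checks = [
        ("device.ip", dev.get("ip")),
        ("device.ifa", dev.get("ifa")),
        # GPS-derived and finer than two decimals (~1 km) counts as precise location
        ("device.geo (GPS precision)", geo.get("type") == GPS_DERIVED and round(lat, 2) != lat),
        ("user.id", req.get("user", {}).get("id")),
    ]
    return [name for name, present in checks if present]

def minimize_bid_request(req):
    """Copy of the request as a data-minimizing exchange should forward it when lmt=1:
    persistent identifiers dropped, GPS coarsened to ~1 km, IP truncated to its /24 (v4) or /48 (v6)."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    if dev.get("lmt") == 1:
        dev.pop("ifa", None)
        out.pop("user", None)
    geo = dev.get("geo")
    if geo and geo.get("type") == GPS_DERIVED:
        geo["lat"] = round(geo["lat"], 2)
        geo["lon"] = round(geo["lon"], 2)
    if dev.get("ip"):
        addr = ipaddress.ip_address(dev["ip"])
        prefix = 24 if addr.version == 4 else 48
        dev["ip"] = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)
    return out
```

Running `exposure_report` before and after `minimize_bid_request` shows the difference between what a 'super bidder' sees today and what it would see if exchanges actually enforced the device's opt-out.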
If you are managing mobile fleets, consider enforcing Limit Ad Tracking (LAT) via MDM profiles. Here is a sample snippet for a mobile configuration profile reference:
```
restrictions
  allowEnterpriseBookBackup
  allowPersonalHotspotModification
  forceLimitAdTracking        # set to true to enforce Limit Ad Tracking
```
**Discussion Question:** For those managing BYOD policies, are you enforcing strict OS-level ad tracking limits, or is the functional breakage of 'free' apps too much of a friction point for your users?
We've been fighting this battle in our SOC for months. The hardest part is attribution—it looks like normal traffic to googleads.g.doubleclick.net or similar SSP domains. We've started correlating spikes in outbound DNS requests to ad-portals with physical location changes of our executives. It's noisy, but it helps identify potential tracking attempts.
From a pentester's perspective, Cobwebs (and now Webloc) are terrifyingly efficient OSINT tools. I've used similar legal services for passive recon, and the data resolution is scary because users voluntarily opt-in to location services for weather apps or games. The exploit here isn't a code flaw; it's the lack of consent granularity in the ad exchange ecosystem.
We enforce 'Prevent Cross-App Tracking' on all corporate iOS devices via MDM. For Android, it's trickier since the opt-out is less granular. We push a private DNS profile (NextDNS) to block the majority of trackers at the DNS level. It breaks a few free games, but security wins that argument every time.