AdCube: WebVR Ad Fraud and Practical Confinement of Third-Party Ads


Hyunjoo Lee, Jiyeon Lee, and Daejun Kim, Korea Advanced Institute of Science and Technology; Suman Jana, Columbia University; Insik Shin and Sooel Son, Korea Advanced Institute of Science and Technology


Web technology has evolved to offer 360-degree immersive browsing experiences. This new technology, called WebVR, enables virtual reality by rendering a three-dimensional world on an HTML canvas. Unfortunately, there exists no browser-supported way of sharing this canvas between different parties. Assuming an abusive ad service provider who exploits this absence, we present four new ad fraud attack methods. Our user study demonstrates that the success rates of our attacks range from 88.23% to 100%, confirming their effectiveness. To mitigate the presented threats, we propose AdCube, which allows publishers to specify the behaviors of third-party ad code and enforce this specification. We show that AdCube is able to block the presented threats with a small page loading latency of 236 msec and a negligible frame-per-second (FPS) drop for nine WebVR official demo sites.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {272202,
author = {Hyunjoo Lee and Jiyeon Lee and Daejun Kim and Suman Jana and Insik Shin and Sooel Son},
title = {{AdCube}: {WebVR} Ad Fraud and Practical Confinement of {Third-Party} Ads},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {2543--2560},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video