Skip to main content
Privacy Sandstorm
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Privacy Sandstorm
  2. /
  3. Privacy Sandbox Proposals
  4. /
  5. Shared Storage API
  6. /
  7. CCS 2025 Paper
Edit page

CCS 2025 Paper

Title: Exploiting the Shared Storage API

Authors: Alexandra Nisenoff (Carnegie Mellon University), Deian Stefan (UC San Diego), Nicolas Christin (Carnegie Mellon University)

Abstract/Summary: As part of an effort to replace third-party cookies, Google introduced the Shared Storage API as one of their ‘‘Privacy Sandbox’’ proposals. The Shared Storage API seeks to replace some of the benign functionalities that third-party cookies facilitate while mitigating the potential privacy harms that they can cause, such as reidentifying users across websites. Shared Storage seeks to do this by allowing third parties to store data that is not partitioned by top-level website, but limiting read access to those data. We find that the implementation and design of the API have flaws that allow for both the reidentification of users across sites and the leakage of more data than intended by Google. With the API being deployed in Google Chrome and major advertisers and trackers having completed the processes required to gain access to the API, the Shared Storage API may not do as much as intended to improve the state of privacy on the web. We present several attacks on the API that circumvent the key goals laid out by Google as well as discuss potential extensions and mitigation strategies. While we have responsibly disclosed our attacks to Google, most attacks remain possible in Chrome.

gdoc_arrow_left_alt Shared Storage API Storage and Network State Partitioning gdoc_arrow_right_alt