DETECTION AND PREVENTION OF ACCESSIBILITY CLOAKING ATTACKS

DOI:

https://doi.org/10.32782/IT/2025-1-17

Keywords:

accessibility, phishing, cyber security, sustainable development, digital inclusion, web equality, assistive technologies, inclusive design.

Abstract

Digital environments enable greater integration of people with disabilities into economic and social life, supported by legislative accessibility requirements. However, this progress creates new cybersecurity vulnerabilities, particularly for assistive technology users.

Objective. The objective of our study was to identify and analyze potential attack vectors associated with the unethical use of accessibility technologies and to develop methods for their detection and prevention, with specific focus on accessibility cloaking techniques.

Methods. We conducted an analysis of popular assistive browser extensions and their detection methods, implemented proof-of-concept accessibility cloaking techniques using HTML and CSS, and evaluated the effectiveness of current automated testing tools in detecting these manipulations. Based on the identified vulnerabilities, we developed a CLI application using axe-core for automated detection of accessibility cloaking markers.

Results. Our analysis revealed multiple HTML/CSS-based techniques that create different experiences for users with and without assistive technologies, enabling malicious content to be hidden from regular users. While these techniques violate multiple WCAG success criteria, current automated testing tools (WAVE, Axe, Lighthouse) largely failed to detect such manipulations. Our proof-of-concept detection tool, based on an agent architecture approach, successfully identified these accessibility cloaking techniques.

Conclusion. Ensuring web resource accessibility without compromising security requires a comprehensive approach including regular security audits, additional verification of content that displays differently for different user groups, developer training, and automated detection tools. Our findings emphasize that accessibility's purpose is to make content equally accessible to all users, not to create separate or hidden experiences that can be exploited for malicious purposes.
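The abstract describes cloaking as markup that renders differently for assistive-technology (AT) users and sighted users, and a detector that looks for the markers of such markup. The following is an added example, not the paper's own CLI tool and not axe-core code: a dependency-free Node.js scanner that parses static HTML into a small element tree and flags three marker classes a reviewer would want to inspect, namely text exposed only to AT (visually-hidden classes or off-screen inline styles), text exposed only to sighted users (aria-hidden="true" on elements with text), and accessible names that do not contain the visible label (WCAG 2.5.3 Label in Name). The class names, style patterns, severity labels and the sample markup are this example's own assumptions; legitimate sites use patterns such as sr-only, so the findings are review prompts, not verdicts.

```javascript
// Added example (not the paper's detector): scan static HTML for markers of
// accessibility cloaking. All heuristics below are this example's assumptions.

const VOID = new Set(["area", "base", "br", "col", "embed", "hr", "img",
  "input", "link", "meta", "source", "track", "wbr"]);
// Tokens: comment | doctype/decl | closing tag | opening tag (tag, attrs) | text
const TOKEN = /<!--[\s\S]*?-->|<![^>]*>|<\/([a-zA-Z][\w:-]*)\s*>|<([a-zA-Z][\w:-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>|[^<]+/g;
const ATTR = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Heuristic markers for "visible to AT, invisible to sighted users".
const HIDDEN_CLASS = /\b(sr-only|visually-hidden|screen-reader(-text|-only)?|a11y-hidden)\b/i;
const HIDDEN_STYLE = [
  /(left|top)\s*:\s*-\d{3,}px/,        // pushed far off-screen
  /text-indent\s*:\s*-\d{3,}px/,       // classic text-indent hiding
  /clip\s*:\s*rect\(/,                 // clip-rect hiding
  /font-size\s*:\s*0(px|em|rem|%)?\s*(;|$)/,
  /opacity\s*:\s*0(\.0+)?\s*(;|$)/,
  /(width|height)\s*:\s*[01]px/,
];
// Elements whose accessible name users act on; compare aria-label to visible text.
const NAMED = new Set(["a", "button", "summary"]);

function parseAttrs(text) {
  const attrs = {};
  for (const m of (text || "").matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Minimal tree builder: enough for well-formed fragments, tolerant of stray closes.
function parseHtml(html) {
  const root = { tag: "#root", attrs: {}, children: [], parent: null };
  let cur = root;
  for (const m of html.matchAll(TOKEN)) {
    const [raw, closeTag, openTag, attrText] = m;
    if (closeTag) {
      let n = cur;
      while (n !== root && n.tag !== closeTag.toLowerCase()) n = n.parent;
      if (n !== root) cur = n.parent;
    } else if (openTag) {
      const node = { tag: openTag.toLowerCase(), attrs: parseAttrs(attrText), children: [], parent: cur };
      cur.children.push(node);
      if (!VOID.has(node.tag) && !raw.endsWith("/>")) cur = node;
    } else if (!raw.startsWith("<")) {
      cur.children.push({ tag: "#text", text: raw, children: [], parent: cur });
    }
  }
  return root;
}

// Text as an AT user would hear it: text nodes plus image alt text.
function textOf(node) {
  if (node.tag === "#text") return node.text;
  if (node.tag === "img") return node.attrs.alt || "";
  return node.children.map(textOf).join(" ");
}
const norm = (s) => s.replace(/\s+/g, " ").trim().toLowerCase();

function scanHtml(html) {
  const findings = [];
  const walk = (node, hiddenFromAt) => {
    if (node.tag === "#text") return;
    const a = node.attrs;
    const text = norm(textOf(node));
    const atHidden = hiddenFromAt || a["aria-hidden"] === "true";
    if (node.tag !== "#root") {
      // Sighted users see it, screen readers skip it.
      if (a["aria-hidden"] === "true" && !hiddenFromAt && text) {
        findings.push({ type: "sighted-only", tag: node.tag, text, reason: 'aria-hidden="true" on element with text' });
      }
      // Screen readers announce it, sighted users never see it.
      const style = (a.style || "").toLowerCase();
      const viaClass = HIDDEN_CLASS.test(a.class || "");
      const viaStyle = HIDDEN_STYLE.some((re) => re.test(style));
      if ((viaClass || viaStyle) && !atHidden && text) {
        findings.push({ type: "at-only", tag: node.tag, text,
          reason: viaClass ? `class "${a.class}" hides text visually` : `inline style "${a.style}" hides text visually` });
      }
      // Announced name differs from the visible label of a control.
      const label = a["aria-label"];
      if (label && text && NAMED.has(node.tag) && !norm(label).includes(text)) {
        findings.push({ type: "name-mismatch", tag: node.tag, text, reason: `aria-label "${label}" does not contain visible text` });
      }
    }
    for (const c of node.children) walk(c, atHidden);
  };
  walk(parseHtml(html), false);
  return findings;
}

// Count findings per marker type, for a one-line CLI summary.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.type]: (acc[f.type] || 0) + 1 }), {});
}

// Constructed sample page: one legitimate control plus four cloaking markers.
const SAMPLE_HTML = `
<main>
  <h1>Account settings</h1>
  <p class="visually-hidden">Constructed sample: text rendered only to screen readers.</p>
  <p aria-hidden="true">Constructed sample: text shown only to sighted users.</p>
  <a href="/settings" aria-label="Open help centre">Account settings</a>
  <span class="sr-only"></span>
  <button aria-label="Save changes">Save changes</button>
  <div style="position:absolute;left:-9999px">Off-screen text</div>
</main>`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanHtml(SAMPLE_HTML);
  console.log(JSON.stringify({ summary: summarize(findings), findings }, null, 2));
}
```

The scanner deliberately ignores display:none and visibility:hidden, which hide content from everyone and so create no divergence between user groups; the interesting cases are exactly the ones where the two experiences differ. A production check would run inside a browser with the computed styles and accessibility tree available, which is what an axe-core based tool gets for free; the static heuristics here exist to make the marker categories concrete.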


Published

2025-04-30