Endpoint
2/23/2010
05:32 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Unmasks User Behind The Browser

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.

The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.

"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.

Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."

Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.

"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.

Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.

The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.

Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.

There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.

"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says."The attitude behind this is pretty scary from our maybe naive point of view."

The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.