Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/23/2010
05:32 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Unmasks User Behind The Browser

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.

The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.

"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.

Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."

Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.

"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.

Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.

The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.

Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.

There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.

"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says."The attitude behind this is pretty scary from our maybe naive point of view."

The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.