Endpoint

2/23/2010
05:32 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Unmasks User Behind The Browser

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.

The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.

"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.

Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."

Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.

"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.

Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.

The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.

Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.

There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.

"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says."The attitude behind this is pretty scary from our maybe naive point of view."

The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11321
PUBLISHED: 2018-05-22
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
CVE-2018-11322
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVE-2018-11323
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-11324
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.
CVE-2018-11325
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.