New attack could expose anonymous users in any major browser


Everyone from advertisers and marketers to government-backed hackers and spyware makers wants to identify and track users online. And while a staggering amount of infrastructure has already been put in place to do this, the appetite for data and for new tools to collect it has proven insatiable. With that in mind, researchers at the New Jersey Institute of Technology are warning this week of a new method attackers could use to deanonymize website visitors and potentially connect the dots across many components of victims’ digital lives.


The findings, which the NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a certain public identifier, such as an email address or social media account, thereby linking the visitor to a piece of potentially personal data.


When you visit a website, the page may capture your IP address, but this does not necessarily give the site owner enough information to identify you individually. Instead, the hack analyzes subtle details of a potential target’s browser activity to determine if they’re signed into an account for a variety of services, from YouTube and Dropbox to Twitter, Facebook, TikTok and more. In addition, the attacks work against all major browsers, including the anonymity-focused Tor Browser.

“If you’re a regular Internet user, you might not think too much about your privacy when visiting a random website,” says Reza Curtmola, one of the study’s authors and a professor of computer science at NJIT. “But there are certain categories of Internet users who may be affected more, such as people who organize and participate in political protests, journalists and people who communicate with other members of their minority group. And what makes these types of attacks dangerous is that they are very stealthy. You just go to the site and have no idea that you have been exposed.”


The risk that government-backed hackers and cyberweapon dealers will attempt to deanonymize web users is not purely theoretical. The researchers documented a number of techniques used in the wild and witnessed situations in which attackers identified individual users, although it is not clear how.

Other theoretical work has looked at attacks similar to the one developed by the NJIT researchers, but most of this previous research focused on collecting revealing data that leaked between websites when one service sends a request to another. As a result of this previous work, browser and website developers have improved ways to isolate and restrict data when loading content, making these potential attack paths less feasible. However, knowing that attackers are interested in finding methods to identify users, the researchers wanted to explore additional approaches.

“Let’s say you have a forum of underground extremists or activists, and law enforcement secretly took control of it,” says Curtmola. “They want to identify the users of this forum, but they can’t do it directly because the users use pseudonyms. But suppose the agency also managed to collect a list of Facebook accounts that are suspected of being users of this forum. Now they will be able to match who visits the forum with a specific Facebook identity.”

The deanonymization attack is hard to explain, but relatively easy to understand once you get the gist. Someone conducting the attack needs a few things to get started: a website they control, a list of accounts associated with the people they want to identify as having visited that site, and content hosted on the platforms of the accounts on their target list that either allows those target accounts to view it or blocks them from viewing it. The attack works both ways.

The attacker then embeds the aforementioned content into a malicious website. Then they wait to see who will click. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or can’t) view the embedded content.

The attack exploits a number of factors that most people take for granted: Many large services, from YouTube to Dropbox, allow users to host media files and embed them on a third-party website. Regular users usually have an account with these ubiquitous services, and most importantly, they often stay logged in to these platforms on their phones or computers. Finally, these services allow users to restrict access to the content they upload. For example, you can set up your Dropbox account to privately share videos with one or more other users. Or you can publicly upload a video to Facebook, but prevent certain accounts from viewing it.

These “block” or “allow” relationships are at the core of how the researchers found they could reveal identities. For example, in the “allow” version of the attack, hackers can discreetly share a Google Drive photo with a Gmail address of potential interest. They then embed the photo on their malicious web page and lure the target there. When a visitor’s browser attempts to load the photo through Google Drive, the attackers can determine whether the visitor is allowed to access the content, i.e. whether they control the email address in question.

With the existing privacy protections on major platforms, it is not possible for an attacker to directly verify whether a site visitor was able to load the content. But the NJIT researchers realized that they could analyze available information about the target’s browser and the behavior of their processor while the request occurs to infer whether the content request was allowed or denied.

The technique is known as a side-channel attack because the researchers found that they could accurately and reliably make that determination by training machine learning algorithms to analyze seemingly unrelated data about how the victim’s browser and device process the request. Once the attacker knows that the one user they allowed to view the content has done so (or that the one user they blocked has been blocked), they have deanonymized the site visitor.

As daunting as it sounds, the researchers warn that the attack would be easy to carry out once the attackers have done their homework. It takes only a couple of seconds to expose each visitor to a malicious site, and it would be almost impossible for an unsuspecting user to detect the attack. The researchers have developed a browser extension that can prevent such attacks, and it is available for Chrome and Firefox. But they note that it may affect performance and is not available for all browsers.

Through an extensive disclosure process to numerous web services, browser makers and web standards bodies, the researchers say they have started a broader discussion on how to comprehensively address this issue. Currently, Chromium and Firefox have not publicly released responses. And Curtmola says that solving the problem at the chip level would require fundamental and probably unfeasible changes in processor design. However, he says that collaborative discussions through the World Wide Web Consortium or other forums may eventually lead to a common solution.

“Suppliers are trying to figure out if it’s worth trying to solve this problem,” he says. “They need to be convinced that this is a big enough problem to invest in.”

