The new attack can unmask anonymous users in any major browser.
How this de-anonymization attack works is hard to explain but easy to grasp once you have the gist. An attacker needs a few things to get started: a website they control, a list of accounts belonging to the people they want to identify as visitors to that site, and content posted to a platform from the attacker's own accounts that either allows the targeted accounts to view it or blocks them from viewing it. The attack works in both directions.
The attacker then embeds that content in the malicious website and waits to see who visits. If someone on the target list loads the page, the attacker can learn who it is by working out which visitors can (or cannot) view the embedded content.
The attack takes advantage of several things most people take for granted. Many major services, from YouTube to Dropbox, let users host media and embed it on a third-party website. Ordinary users typically have accounts with these ubiquitous services and, importantly, stay logged in to them on their phones and computers. Finally, these services let users restrict access to the content they upload. For example, you can share a Dropbox file privately with one or a few other users, or upload a video to Facebook publicly but block specific accounts from viewing it.
The researchers found that these "block" and "allow" relationships are what reveal identities. In the "allow" version of the attack, for example, an attacker could silently share a photo on Google Drive with a Gmail address of interest, embed that photo on a malicious web page, and lure the target there. When a visitor's browser tries to load the photo through Google Drive, the attacker can infer whether the visitor is allowed to access it, that is, whether the visitor controls the email address in question.
Because of the privacy protections the major platforms already have in place, an attacker cannot directly check whether a site visitor was able to load the content. But the NJIT researchers realized they could analyze publicly accessible information about how the target's browser and processor behaved while the request was being made, and from that infer whether the content request was allowed or denied.
The technique is called a "side-channel attack" because the researchers found they could make this determination accurately and reliably by training machine-learning algorithms to interpret seemingly unrelated data about how the victim's browser and device processed the request. Once the attacker learns that a user they allowed to view the content has done so (or that a user they blocked was refused), they have de-anonymized the site visitor.
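The mechanism described above reduces to one bit per visitor: was the embedded content served to this browser or refused? The following model is an added example and is not the researchers' code. It simulates a hosting platform with allow-listed or block-listed resources, a browser that embeds one of those resources from a third-party page, and an attacker page that records only that outcome bit. The real attack recovers the bit through a side channel rather than reading it directly; the model collapses that to a boolean in order to show what leaks and why it leaks. It also shows one browser-side mitigation, assumed here as an illustration rather than taken from the article: a session cookie marked `SameSite=Lax` is not attached to cross-site subresource loads, so every visitor to the attacker's page gets the same outcome and the signal disappears. All origins, account names and cookie values are constructed.

```python
"""Model of a cross-site allow/block identity leak and the SameSite mitigation.

Constructed example: origins, accounts and cookie values are invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Resource:
    # If public, `accounts` is a block-list; if private, it is an allow-list.
    public: bool
    accounts: FrozenSet[str]

    def visible_to(self, account: Optional[str]) -> bool:
        """An anonymous request (account None) sees public content only."""
        if self.public:
            return account not in self.accounts
        return account in self.accounts


@dataclass
class Platform:
    resources: Dict[str, Resource]
    sessions: Dict[str, str]  # session cookie value -> account id

    def serve(self, path: str, cookie: Optional[str]) -> bool:
        """True when the platform serves `path` to the presented session."""
        account = self.sessions.get(cookie) if cookie else None
        return self.resources[path].visible_to(account)


@dataclass
class Browser:
    account: str
    cookie: str
    samesite: str  # "None" or "Lax" (assumed attribute on the platform cookie)

    def embed(self, platform: Platform, path: str,
              top_level_origin: str, platform_origin: str) -> bool:
        """Load `path` as a subresource of a page at `top_level_origin`."""
        cross_site = top_level_origin != platform_origin
        # A Lax (or Strict) cookie is withheld from cross-site subresource loads.
        send_cookie = (not cross_site) or self.samesite == "None"
        return platform.serve(path, self.cookie if send_cookie else None)


def attacker_observes(platform: Platform, visitors: List[Browser], path: str,
                      attacker_origin: str, platform_origin: str) -> Dict[str, bool]:
    """Outcome bit per visiting browser, keyed by the account the attacker
    would later attribute it to."""
    return {b.account: b.embed(platform, path, attacker_origin, platform_origin)
            for b in visitors}


def leaks_identity(observations: Dict[str, bool]) -> bool:
    """The attacker learns something only if outcomes differ between visitors."""
    return len(set(observations.values())) > 1


def scenario(samesite: str, public: bool) -> Dict[str, bool]:
    """Run one embedding round for a target and a bystander."""
    target, other = "target@example.com", "other@example.com"
    platform = Platform(
        resources={"/photo/42": Resource(public=public, accounts=frozenset({target}))},
        sessions={"sess-target": target, "sess-other": other},
    )
    visitors = [Browser(target, "sess-target", samesite),
                Browser(other, "sess-other", samesite)]
    return attacker_observes(platform, visitors, "/photo/42",
                             "https://attacker.example", "https://platform.example")


if __name__ == "__main__":
    for samesite in ("None", "Lax"):
        for public in (False, True):
            obs = scenario(samesite, public)
            print(f"SameSite={samesite:<4} public={public!s:<5} {obs} "
                  f"leak={leaks_identity(obs)}")
```

With `SameSite=None` the allow-list case serves the photo to the target and refuses the bystander, and the block-list case does the reverse; either way the two visitors are distinguishable. With `SameSite=Lax` no credential accompanies the cross-site load, so both visitors are treated as anonymous and the attacker's page records the same bit for everyone.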
As complicated as it may sound, the researchers warn that the attack is easy to carry out once the preparation is done. It takes only a few seconds to unmask each visitor to a malicious site, and an unsuspecting user has virtually no way to detect it. The researchers have developed a browser extension that can block such attacks, available for Chrome and Firefox, but they note that it affects performance and is not available for every browser.
Through a disclosure process involving several web services, browser makers and web standards bodies, the researchers say they have opened a broader debate on how to address the problem comprehensively. For now, Chrome and Firefox have not released their responses publicly. Curtmola says that solving the problem at the chip level would require fundamental and impossible changes to the way processors are designed, but that cooperative discussions through the World Wide Web Consortium or other forums could eventually produce a broader solution.
“Vendors are trying to figure out if it’s worth the effort to fix it,” he says. “They need to be convinced that this is a serious enough problem to invest in solving it.”