Researchers are warning against a novel technique that attackers could use to de-anonymize website visitors. Further, they could connect the dots to obtain information on many aspects of the targeted users’ digital lives.

The de-anonymization attack

Researchers from NJIT have devised a way that an attacker can use to fool someone into loading a malicious website and identifying specific details of the visitor.
  • The details include the visitor controlling a specific public identifier, such as an email address or social media account to link the target visitor to a piece of potentially personal data.
  • The hack analyzes low-key features of a target’s browser activity to find out whether they are logged into an account for services such as YouTube, Facebook, Dropbox, and Twitter.

The attacks work against almost every popular browser, even the anonymity-focused Tor Browser.

Prerequisites for the attack

This de-anonymization attack requires multiple things, such as a website they control and a list of accounts linked to people attackers want to identify as having visited that site.
  • Additionally, it requires the content to be posted to the platforms of the accounts on the target list either allowing to view that content or blocking them from viewing it, the attack works both ways.
  • Next, the attacker adds the aforementioned content to the malicious website. Now, if the target visits the site, the attackers will know who they are by analyzing which users can view the content.

The missing piece

Researchers even documented a number of methods used in the wild and have observed some situations, in which the attackers have successfully identified individual users, though it was not known how. They are planning to present their findings next month at the Usenix Security Symposium in Boston.

Conclusion

The de-anonymization attack is a serious privacy concern and shows how vulnerable the digital world is. The researchers claim that fundamental and likely infeasible changes are required in the way processors are created. Further, they claim that the issue may even require chip-level changes to fix.
Cyware Publisher

Publisher

Cyware