
De-Anonymizing Social Network Users

Posted by kdawson
from the know-what-groups-you-joined-last-summer dept.
An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikely that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."
  • by Eskarel (565631) on Tuesday February 02, 2010 @03:58AM (#30992480)

    So basically if

    1. An attacker indexes the entire user list and group memberships of a social networking site.
    2. You regularly visit a large number of the groups you belong to on said social networking site so that their url paths are in your history.
    3. You're the only person who uses your PC to log onto said social networking site.
    4. You visit a malicious website using this technique.

    then an attacker might be able to work out the name you use on that social networking site?

    Why would anyone bother? Indexing Facebook would take quite a bit of time and resources and at the end of it you'd have something which might or might not be someone's real name. Even if it is their real name, what exactly are you going to do with it? So you've unmasked (maybe) the name (maybe) of someone who visited your site. It's not going to give you anything else useful unless you combine it with some other attack vector which could quite easily pick up their real name for free anyway.

    I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests, but to be honest, you'd probably do better social engineering their ISP to get their account details.
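The matching half of the four-step attack laid out in the post above, as an added example that is not part of the article, the researchers' Xing demo, or this thread. It assumes the attacker has already done step 1 (a crawled index of username to group memberships, constructed here as a handful of fake users) and that a history-sniffing probe has already returned which group URLs the visitor's browser marks as visited (also constructed here; the URL scheme `https://social.example/groups/<name>` is hypothetical). What remains is a set-intersection: a visited group proves membership, an unvisited one proves nothing, so a candidate must belong to every visited group, and the ranking prefers the candidate with the fewest unvisited memberships.

```javascript
// Added example, not code from The H article or the researchers' demo.
// Demonstrates the "group fingerprint" lookup: visited group URLs -> candidate users.
// The :visited history-sniffing step that produces the visited list runs in the
// victim's browser and is NOT implemented here; its output is assumed as input.

const GROUP_BASE = "https://social.example/groups/"; // hypothetical URL scheme

// Constructed sample index, standing in for a crawl of the whole network.
const groupIndex = {
  alice: ["hiking", "rust-lang", "berlin-startups"],
  bob:   ["hiking", "rust-lang"],
  carol: ["berlin-startups", "photography"],
  dave:  ["hiking", "rust-lang", "berlin-startups", "photography"],
  erin:  [], // member of no groups: never reachable by this technique
};

// Invert the crawl into group -> Set(members) for O(1) lookups per visited group.
function invertIndex(index) {
  const byGroup = new Map();
  for (const [user, groups] of Object.entries(index)) {
    for (const g of groups) {
      if (!byGroup.has(g)) byGroup.set(g, new Set());
      byGroup.get(g).add(user);
    }
  }
  return byGroup;
}

// Every group URL the probe page would have to test (one link per group in the crawl).
function probeUrls(index) {
  const groups = new Set();
  for (const gs of Object.values(index)) for (const g of gs) groups.add(g);
  return [...groups].map((g) => GROUP_BASE + g);
}

// Map the URLs the sniffer reported as visited back to group names,
// ignoring anything that is not a group page on the indexed network.
function visitedGroups(visitedUrls) {
  return visitedUrls
    .filter((u) => u.startsWith(GROUP_BASE))
    .map((u) => u.slice(GROUP_BASE.length));
}

// Candidates are users who belong to ALL visited groups (a visited URL proves
// membership; an unvisited one proves nothing, since the victim may simply not
// have opened that group lately). Rank by how many of a candidate's groups went
// unobserved: fewer unobserved groups means a tighter fit.
function deanonymize(index, visitedUrls) {
  const visited = visitedGroups(visitedUrls);
  if (visited.length === 0) {
    return { candidates: [], reason: "no group history observed" };
  }
  const byGroup = invertIndex(index);
  let pool = null;
  for (const g of visited) {
    const members = byGroup.get(g) || new Set();
    pool = pool === null
      ? new Set(members)
      : new Set([...pool].filter((u) => members.has(u)));
  }
  const candidates = [...pool]
    .map((user) => ({ user, unobservedGroups: index[user].length - visited.length }))
    .sort((a, b) => a.unobservedGroups - b.unobservedGroups || a.user.localeCompare(b.user));
  let reason = "ambiguous";
  if (candidates.length === 1) reason = "unique match";
  if (candidates.length === 0) reason = "no user belongs to every visited group";
  return { candidates, reason };
}

// Stand-alone demo: a visitor whose history shows three of the four indexed groups.
console.log(deanonymize(groupIndex, [
  GROUP_BASE + "hiking",
  GROUP_BASE + "rust-lang",
  GROUP_BASE + "berlin-startups",
  "https://unrelated.example/page", // not a group page; filtered out
]));
```

The sample data makes the post's caveats concrete: a visitor who only opened two of their groups collapses into three candidates rather than one, a visitor who opened none (or the "loner" with no memberships) yields nothing at all, and the probe has to test one URL per group in the entire crawl, which on a large network is the "quite a bit of time and resources" the post mentions.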

  • by advocate_one (662832) on Tuesday February 02, 2010 @04:11AM (#30992536)
    Having gone on that Panopticlick site and discovered that my browser was unique amongst some half million visitors... I was shocked that my browser was blabbing about what fonts were on my system... Why on earth would a browser transmit the list of installed fonts at all? All it needs locally are a set of alternatives, i.e. if the page says this font, then use this local font... wasn't that the entire point of the webfonts package?

    Similarly, the plugins list... another thing that doesn't need to be sent out by the browser...

    Firefox devs, you listening here? These do not need to be transmitted, so block them...

    Anyone know of a plugin that blocks them?

    And why on earth is it possible to sniff the history list???

  • What about loners? (Score:5, Interesting)

    by macraig (621737) <mark DOT a DOT craig AT gmail DOT com> on Tuesday February 02, 2010 @04:18AM (#30992554)

    Brilliant plan, guys... except you still left one variable unknown: the aloof guy who doesn't belong to any groups. How do you pick him out of the crowd when he's not in it to begin with? Those aloof loners are always the ones we should be worrying about, right? That's what the movies always say.

  • Xing? (Score:3, Interesting)

    by 93 Escort Wagon (326346) on Tuesday February 02, 2010 @04:18AM (#30992556)

    They (the authors) keep mentioning it in the same breath as Facebook, Twitter, and LinkedIn - but I've never heard of it (I realize that may not necessarily mean anything). It also seems a bit odd to see the BSD demon in one of the article graphics. I can't help but wonder if this was posted to actually discuss an attack vector against social networking sites, or if it was really some weird attempt to promote some GNU/Free social networking club.

    Anyway, it seems to me that demoing a practical de-anonymization of a Facebook user or a LinkedIn profile would be more interesting.

  • by macraig (621737) <mark DOT a DOT craig AT gmail DOT com> on Tuesday February 02, 2010 @04:21AM (#30992570)

    You're barking up the wrong tree: you should be screaming at the JavaScript wizards, I think.

  • by AHuxley (892839) on Tuesday February 02, 2010 @04:53AM (#30992702) Homepage Journal
    They slip up during car trips and are spotted by local cops.
    Or buy 10X the normal amount of a substance and the local supplier pulls the FBI card as they are an upstanding citizen or are owned by the feds.
    The smart ones make their own, but then it is always the essay to trip them up.
  • by Anonymous Coward on Tuesday February 02, 2010 @05:14AM (#30992758)

    Just as people who don't take privacy seriously aren't really anonymous, people who think that these revelations actually make people not anonymous online help cater to said false belief, keeping true Anonymous Cowards (who have the smarts to either not register on networking sites, or register with different false data on separate sites) safer, for the moment.

    Posted as Anonymous Coward for obvious reasons.

  • by osu-neko (2604) on Tuesday February 02, 2010 @06:46AM (#30993086)
    This is one of the reasons why, on my Windows box, my local username is "root". If it gets embedded somewhere, this doesn't tell people much. (Just to add to the confusion, it's a normal user account, not an "administrator".)
