A New Attack Can Unmask Anonymous Users On Any Major Browser (wired.com)
An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.
When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."
How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.
Starkly (Score:5, Interesting)
In the not too distant future, anonymity will not only be virtually impossible... it will likely be frowned upon, and garnish one a label as enemy of the state.
Why are you hiding, citizen?
Re:Starkly (Score:5, Insightful)
LOL. Did you miss Snowden and other whistleblowers?
Re:Starkly (Score:5, Insightful)
China is a capitalist dictatorship, it has as much to do with communism as the Democratic People's Republic of Korea has to do with democracy. You shouldn't believe authoritarian regimes when they self-describe as good.
It's dictatorship which you want to be complaining about here.
Re: (Score:1)
China is a capitalist dictatorship, it has as much to do with communism as the Democratic People's Republic of Korea has to do with democracy. You shouldn't believe authoritarian regimes when they self-describe as good.
It's dictatorship which you want to be complaining about here.
LOL, yes, they just somehow got communism wrong, like, er ... every single other communist state always.
Re: Starkly (Score:3)
Real communism doesn't seem to work due to human nature. Therefore all attempts have degenerated into dictatorships. Regardless of the origin and ideological justification, most dictatorships are effectively the same evil. The USA, if the slow motion coup d'etat of the republicans succeeds, will be just as bad as China already is.
Re: Starkly (Score:5, Informative)
Communism, i.e. a classless society where everyone participates equally in decision making works if everyone can get together to make those decisions and the issues at hand are simple enough for everyone to understand. Such societies tend to be limited in size to Dunbar's Number [wikipedia.org]. In other words, tribal.
Re: (Score:2)
LOL, yes, they just somehow got communism wrong
No they just decided to quit communism in 1989.
FYI, communism is the system where there is no private property and all economy is centrally owned and managed. A North Korean resident cannot open a company. If foreign company wants to do business in NK, it will have to open a joint-venture with the NK government and the NK government will own 50% of the business (source: https://thediplomat.com/2018/0... [thediplomat.com] ). To the contrary, today's China is a market economy, anyone can buy land, open a factory, sell products
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re:Starkly (Score:5, Interesting)
Did you notice that their tracking method can only identify you if you are currently logged into one of their target sites? They do so by embedding content you own from the target site and watch if your current authorization allows the personal content. If you are not currently logged into that target site, the authorization fails to deliver and the method fails.
This will just emphasize the need to:
= Not log into a social media site and then browse other sites in the same browser
= If you remain logged into social sites use private/incognito mode to browse unknown sites
= Use separate browsers for protected and casual browsing
The other obvious method is to just log in, do your business, then log out. No active authorization -- no tracking. About the only two sites where I have public posts and I don't log out of when I finish are Slashdot and Amazon, but I may start fully logging out of Amazon after each session from now on.
Re: (Score:2)
Re: (Score:2)
Re:Starkly (Score:5, Interesting)
This will just emphasize the need to:
= Not log into a social media site and then browse other sites in the same browser
= If you remain logged into social sites use private/incognito mode to browse unknown sites
= Use separate browsers for protected and casual browsing
I imagine using separate profiles and/or containers (Firefox) would probably be effective too as those also isolate your cookies and other local data. Logging out of sites when you're not using them apparently mitigates this issue. I use one separate Firefox profile solely for Twitter and Instagram and several containers for groups of sites in my default profile.
Firefox Multi-Account Containers (Score:3)
Re: (Score:1)
What if this is some function of a web language being exploited and the browser only gets the tail end of the data chain? Account information is displayed on the user end, but objects and functions that open streams to feed an application can be run anywhere, is my theory. So... many of these security features and add-ons can be made irrelevant with an extra service somewhere on the great wide web...?
Re: (Score:2)
This isn't even necessary. Just set Firefox' Tracking Protection level to High. That will turn on the first-party-isolation feature under the hood, which keeps all cookies/metadata in separate silos depending on which "first party" site is shown in the location bar... Its all automatic! No muss, no fuss!
Re: (Score:2)
This is the comment I came for. Thank you.
Re: (Score:2)
Sure, but what is to stop the sites from reading all your profiles ? I am sure it can happen.
What I do, I have a few ~/.mozilla directories (Linux/BSD). I have menu picks with a wrapper. Depending on my selection I rename one of the directories to ~/.mozilla and do a chmod 000 on the other mozilla dir. This prevents profile reading. Far safer than multiple profiles.
Re: Starkly (Score:2)
Logging out of sites when you're not using them
And avoiding the "Remember my password for this site" like the plague. Although I wonder if even the auto-fill of one's user ID (usually an e-mail address) could be exploited by rogue sites.
Re: Starkly (Score:2)
Re: (Score:1)
And a lot of the Kool Kids want to expedite this (Score:5, Insightful)
Notice how so many people under 30 think cash is yesterday's economics? They see no issue with every single transaction they make, whether by contactless card or Apple/Google Pay, being logged, or that by getting rid of cash we're all 100% beholden to the banks. No account? No money, and how can anyone lend you any if cash is gone?
Not sure I care! (Score:3)
Making a mountain of an ant hill (Score:1)
2) It can only determine if a user has ever visited that site. Nothing else
3) This is a well-known “attack” that browsers work to prevent - https://developer.mozilla.org/... [mozilla.org]
Not an anthill - read the actual paper (Score:2)
The authors of the paper are using more sophisticated ways of figuring out if a particular piece of web content was loaded.
Re: (Score:2)
*Taps Head* (Score:4, Funny)
That's why you use a browser with userbase in the double digits, max.
Re: (Score:2)
Re: (Score:1)
Major browser? Pfft . . .
Would using a "major" browser for "general" browsing be a downgrade???
Re:*Taps Head* (Score:5, Funny)
Re: (Score:2)
Are you reading this on Lynx?
It relies on third-party embedded content (Score:5, Interesting)
At least, that's what the Wired article says. If that's accurate, the solution is just to block all third-party content - which Safari does by default, and Firefox can easily be configured to do as well.
Chrome might also let you block this content, but I figure that anyone using Chrome has already decided they want to be tracked.
Re: (Score:2)
You don't have to block third parties (which is a bit drastic and prone to breakage). Someone mentioned using Firefox' containers feature, but its even simpler than that. Set the Tracking Protection level to High, then first-party isolation will be used for all sites; cookies etc. will be stored independently according to what site is being accessed in the Location bar.
TOR too? (Score:5, Interesting)
Weird that users would use TOR that way: logging into several sites within the same session - I would think this attack is thwarted by making sure you get a new circuit before/after logging into specific sites (ie. a full reset of your "connection")
#duh (Score:2)
Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work.
Yes, many complicated things are simple once you've done all the prep work.
This has a lot of prep work ...
I don't understand (a great many things) (Score:5, Interesting)
I did not understand this article.
The ultimate goal is to install malware on just one person's computer. The person is known to use Twitter.
We begin by already knowing what his Twitter login credentials look like. We don't have his password, but Twitter gave him login cookies. And we know what the cookies for him would look like.
In order for this attack to work, we must be able to post malicious Javascript onto Twitter, and get his browser to run it.
The paper says you must first have partial control of Twitter and can inject this Javascript into everybody's pages.
So stop right there, and explain to me how you make that happen.
Now, this Javascript is *not* the malware that we want to plant on the victim's computer. Rather, it is just the script that determines whether the user is our target. If this guy is our victim, this Javascript will then proceed to use some known exploit (?!?) to download and install the actual malware onto his machine.
We don't want the malware on everybody's computer because that would get noticed. So we're hacking Twitter with this Javascript (which everyone will run) user-identifier/malware-installer.
So already I am a little confused because I don't know how you make any of the above happen. But apparently it's easy?
We continue...
The attacker also needs a second web site, which they fully control. On it they put a JPG. Then they put a link to the JPG on Twitter. In the course of using Twitter, the user will load this JPG.
The Javascript (that runs -- when?) is going to identify the user by figuring out whether he (recently) loaded this JPG.
The first part of the trick is the attacker's web site is going to see his Twitter cookies when he tries to fetch the JPG. And the attacker's site has been set up with permissions on that JPG file. Depending on which version of the attack, the server will either serve the JPG to the guy or give a permission denied error.
The Javascript doesn't get to see this interaction; it is not even what requested the JPG. Instead, it will examine the user's cache post-facto to see if the JPG was loaded.
But Javascript can't simply look in the browser's cache for the JPG, because the JPG came from a third-party domain (not Twitter).
But by beating on the CPU hardware, the Javascript can see tiny differences in how long it takes the cache to deny the search answer.
I guess the browser looks in the cache first to see if the JPG is there, and only afterwards checks the domain name. (Which seems odd to me, because isn't the "file name" in the cache actually the URL?)
Apparently the search takes a measurably different amount of time depending on whether the file exists or not.
But this whole thing just seems like a bug in how the cache works. Its logic is controlled by some domain-based security policy that I don't understand. But it seems like it ought to do the security check first, and then give the answer. Which will always be "I'm not going to tell you if that file is here or not" regardless of the file's presence. Since it's third-party content.
Can someone please elaborate and correct all my misunderstandings?
Probably the main thing I'm missing is how and on what page(s) you inject the JavaScript.
Re: (Score:2)
I believe you are understanding it correctly. If you go to the researchers' web page [github.io], the first thing you might notice is this requires the victim to visit a website that's under the control of the attacker.
Now the means of attack may (or may not) be different than past attack vectors, but it's the same fundamental security issue we've been dealing with for decades now - when people go to jenky websites, there's a good chance they are gonna get hosed sooner or later.
The other part of this appears to relate
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3)
Re: (Score:2)
I think you are misunderstanding one key point. The attacker doesn't need control of Twitter, they just need the targeted user to visit a web site that the attacker does control. The attacker's web site has some specific Twitter post embedded on the page, so the target's browser loads that post directly from Twitter. The attacker's web page can determine whether that post was successfully loaded or if Twitter denied access to the post, and can then identify the target based on whether or not they have access to the specific post. Does that help clear it up for you?
So the real way to prevent that is to use NoScript and not permanently allow Twitter, but only temporarily allow it on a tab where you want to load Twitter.
(Yes, that sounds complicated, until you realize it's just two clicks to "disable restrictions on this tab".)
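The procedure the story summary describes (build a target list, pick platform content each target can or cannot see, embed it, then read off which embeds load) and the explanation in the comment just above, as an added example. This is not the researchers' code and nothing on the page supplies it. It assumes a mock platform with invented account names and post IDs, and replaces the real cross-site signal (the attacker's page observing whether the embed was served or denied) with a constructed function, so it runs offline in Node:

```javascript
// Added example, not the NJIT researchers' code: the identity oracle behind
// the attack, simulated end to end. In a real browser the "did this embed
// load?" bit comes from the victim's browser fetching platform content with
// its own cookies; here that signal is a constructed stand-in.

// Constructed mock platform (invented names and post IDs). Each post is
// either limited to an allowlist of accounts or open to everyone except a
// blocklist, which is the "the attack works both ways" case.
const platform = {
  posts: {
    post1: { allow: ['alice'] },   // only alice is served this post
    post2: { allow: ['bob'] },     // only bob is served this post
    post3: { block: ['carol'] },   // everyone except carol is served it
  },
  // Whether a browser session (account name, or null when logged out)
  // is served the post. Stands in for the platform's access check.
  canView(postId, session) {
    const post = this.posts[postId];
    if (post.allow) return session !== null && post.allow.includes(session);
    return session === null || !post.block.includes(session);
  },
};

// Attacker prep: the load/deny pattern a given account should produce for
// the embedded posts, computed from the attacker's own knowledge of who
// can see what.
function expectedSignature(site, postIds, account) {
  return postIds.map((id) => site.canView(id, account));
}

// Prep check: every target must map to a distinct pattern, otherwise two
// targets are indistinguishable and more embeds are needed.
function isDistinguishing(site, postIds, targets) {
  const seen = new Set(
    targets.map((t) => JSON.stringify(expectedSignature(site, postIds, t))),
  );
  return seen.size === targets.length;
}

// Runtime, on the attacker's page: probe each embedded post and match the
// observed pattern against the precomputed target patterns. Returns the
// matching target accounts; empty when the visitor is not on the list or
// has no active session to leak.
function identifyVisitor(site, postIds, targets, probe) {
  const observed = postIds.map(probe);
  return targets.filter((t) =>
    expectedSignature(site, postIds, t).every((v, i) => v === observed[i]),
  );
}

// Constructed stand-in for the cross-site leak: what the victim's browser
// would reveal about each embed while logged in as `session`.
function probeAs(session) {
  return (postId) => platform.canView(postId, session);
}

const POSTS = ['post1', 'post2', 'post3'];
const TARGETS = ['alice', 'bob', 'carol'];

// Runs the whole scenario and returns the outcomes for inspection.
function demo() {
  return {
    prepOk: isDistinguishing(platform, POSTS, TARGETS),
    alice: identifyVisitor(platform, POSTS, TARGETS, probeAs('alice')),
    carol: identifyVisitor(platform, POSTS, TARGETS, probeAs('carol')),
    dave: identifyVisitor(platform, POSTS, TARGETS, probeAs('dave')),
    loggedOut: identifyVisitor(platform, POSTS, TARGETS, probeAs(null)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The constructed probe is the only piece that differs from a live attack, where the bit is produced by the victim's browser fetching the embed with its own cookies. The logged-out case matching nobody is the point the earlier comment makes about logging out: with no session, the blocklist post is served to every visitor alike and the allowlist posts to none, so the pattern carries no identity. The same is true for a logged-in visitor who is not on the target list, which is why the prep step only has to make the targets' patterns distinct from each other.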
Re: (Score:2)
Re: (Score:2)
A properly crafted phishing email with a link to the attacker's fake site is all you need here.
I wonder if the required JS could be injected by what would ostensibly be advertising tracking code.
Re: (Score:2)
I did not understand this article.
The ultimate goal is to install malware on just one person's computer.
Alternate explanation: You know this person is an avid reader of slashdot and very paranoid of being tracked. So you submit a story that will prey on their fears, with a link to a browser addon... ;-)
nothing new (Score:5, Interesting)
I do not consider this a new attack. There was always a way to connect the dots to find out who someone info. It can be done by sites buying, selling and trading with third parties. The key weakness is the ip address.
This isn't new. (Score:2)
This isn't new. It just wasn't published because there's no good solution to the problem, other than always logging out of social media sites the very second you stop looking at them, or breaking the web by refusing all cross-domain links. Normally we dislike drawing attention to things bad people can do until we've got a fix because it generally just informs more bad people how to do them.
I smile quietly ... (Score:2)
Portable Firefox (Score:3)
That is why I have like 30 different copies of Portable Firefox that log into their individual email accounts/services.
Re: (Score:2)
You should check out Firefox Multi-Account Containers and reduce your headache 30x.
https://addons.mozilla.org/en-... [mozilla.org]