Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy The Internet

A New Attack Can Unmask Anonymous Users On Any Major Browser (wired.com) 58

An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.

This discussion has been archived. No new comments can be posted.

A New Attack Can Unmask Anonymous Users On Any Major Browser

Comments Filter:
  • Starkly (Score:5, Interesting)

    by rmdingler ( 1955220 ) on Friday July 15, 2022 @10:35PM (#62707256) Journal

    In the not too distant future, anonymity will not only be virtually impossible... it will likely be frowned upon, and garnish one a label as enemy of the state.

    Why are you hiding, citizen?

    • Re:Starkly (Score:5, Interesting)

      by CaptQuark ( 2706165 ) on Saturday July 16, 2022 @12:10AM (#62707420)

      Did you notice that their tracking method can only identify you if you are currently logged into one of their target sites? They do so by embedding content you own from the target site and watch if your current authorization allows the personal content. If you are not currently logged into that target site, the authorization fails to deliver and the method fails.

      This will just emphasis the need to:
        = Not log into a social media site and then browse other sites in the same browser
        = If you remain logged into social sites use private/incognito mode to browse unknown sites
        = Use separate browsers for protected and casual browsing

      The other obvious method is to just log in, do your business, then log out. No active authorization -- no tracking. About the only two sites where I have public posts and I don't log out of when I finish are Slashdot and Amazon, but I may start fully logging out of Amazon after each session from now on.

      • by Ozeroc ( 1146595 )
        I completely agree with your post. I've always imagined this was possible and have been logging out of things immediately after use for a long time! Also been using multiple browsers/incognito mode for different categories of browsing.
        • by tsm_sf ( 545316 )
          > I've always imagined this was possible Once I understood the idea behind port knocking I started to see variations of the concept everywhere. It's almost like I have a blind spot when it comes to the idea of state accumulating remotely. Even though that's sort of my job.
      • Re:Starkly (Score:5, Interesting)

        by fahrbot-bot ( 874524 ) on Saturday July 16, 2022 @01:45AM (#62707480)

        This will just emphasis the need to:
        = Not log into a social media site and then browse other sites in the same browser
        = If you remain logged into social sites use private/incognito mode to browse unknown sites
        = Use separate browsers for protected and casual browsing

        I image using separate profiles and/or containers (Firefox) would probably be effective too as those also isolate your cookies and other local data. Logging out of sites when you're not using them apparently mitigates this issue. I use one separate Firefox profile solely for Twitter and Instagram and several containers for groups of sites in my default profile.

        • Came here to point out the same thing: https://addons.mozilla.org/en-... [mozilla.org]
          • what if this is some function of a web language being exploited and the browser only gets the tail end of the data chain? account information is displayed on the user end but objects and functions that open streams to feed an application can be run anywhere, is my theory. so..many of these security features, add on's can be made irrelevant with an extra service somewhere on the great wide web...?

          • by Burz ( 138833 )

            This isn't even necessary. Just set Firefox' Tracking Protection level to High. That will turn on the first-party-isolation feature under the hood, which keeps all cookies/metadata in separate silos depending on which "first party" site is shown in the location bar... Its all automatic! No muss, no fuss!

        • by jmccue ( 834797 )

          Sure, but what is to stop the sites from reading all your profiles ? I am sure it can happen.

          What I do, I have a few ~/.mozilla directories (Linux/BSD). I have menu picks with a wrapper. Depending on my selection I rename one of the directories to ~/.mozilla and do a chmod 000 on the other mozilla dir. This prevents profile reading. Far safer than multiple profiles.

        • Logging out of sites when you're not using them

          And avoiding the "Remember my password for this site" like the plague. Although I wonder if even the auto-fill of one's user ID (usually an e-mail address) could be exploited by rogue sites.

      • I'd hope that any political dissidents would not be browsing Facebook whilst using Tor, although it's possible that's what they're actually using it for.
      • Private/Incognito don't protect much Mutliple profiles slightly works when the browser isn't sending full surveillance back to the mother ship (Chrome).
    • by Viol8 ( 599362 ) on Saturday July 16, 2022 @05:23AM (#62707658) Homepage

      Notice how so many people under 30 think cash is yesterdays economics? They see no issue with every single transaction they make whether by contactless card or apple/google pay is logged or that but getting rid of cash we're all 100% beholden to the banks. No account? No money, and how can anyone lend you any if cash is gone?

  • by oldgraybeard ( 2939809 ) on Friday July 15, 2022 @10:45PM (#62707280)
    I thought about it and my gateway ips have only changed about 3-4 times in the last 20+ years. Static IP blocks, heck Youtube showed things I watched without me even logging in. I did have an account for a few months. They still do on my one subnet.
  • 1) This is an “attack” (if you can call it one) that works based on the “:visited” attribute
    2) It can only determine if a user has ever visited that site. Nothing else
    3) This is well known “attack” that browsers work to prevent - https://developer.mozilla.org/... [mozilla.org]
  • *Taps Head* (Score:4, Funny)

    by Kunedog ( 1033226 ) on Friday July 15, 2022 @10:52PM (#62707300)
    Major browser? Pfft . . .
    That's why you use a browser with userbase in the double digits, max.
  • by 93 Escort Wagon ( 326346 ) on Friday July 15, 2022 @11:42PM (#62707378)

    At least, that's what the Wired article says. If that's accurate, the solution is just to block all third-party content - which Safari does by default, and Firefox can easily be configured to do as well.

    Chrome might also let you block this content, but I figure that anyone using Chrome has already decided they want to be tracked.

    • by Burz ( 138833 )

      You don't have to block third parties (which is a bit drastic and prone to breakage). Someone mentioned using Firefox' containers feature, but its even simpler than that. Set the Tracking Protection level to High, then first-party isolation will be used for all sites; cookies etc. will be stored independently according to what site is being accessed in the Location bar.

  • TOR too? (Score:5, Interesting)

    by Sebby ( 238625 ) on Friday July 15, 2022 @11:58PM (#62707402)

    Weird that users would use TOR that way: logging into several sites within the same session - I would think this attack is thwarted by making sure you get a new circuit before/after logging into specific sites (ie. a full reset of your "connection")

  • Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work.

    Yes, many complicated things are simple once you've done all the prep work.

    This has a lot of prep work ...

  • by cstacy ( 534252 ) on Saturday July 16, 2022 @01:36AM (#62707472)

    I did not understand this article.

    The ultimate goal is to install malware on just one person's computer. The person is known to use Twitter.

    We begin by already knowing what his Twitter login credentials look like. We don't have his password, but Twiter gave him login cookies. And we know what the cookies for him would look like.

    In order for this attack to work, we must be able to post malicious Javascript onto Twitter, and get his browser to run it.

    The paper says you must first have partial control of Twitter and can inject this Javascript into everybody's pages.

    So stop right there, and explain to me how you make that happen.

    Now, this Javascript is *not* the malware that we want to plant on the victim's computer. Rather, it is just the script that determies whether the user is our target. If this guy is our victim, this Javascript will then proceed to uses some known exploit (?!?) to download and install the actual malware onto his machine.

    We don't want the malware on everybody's computer because that would get noticed. So we're hacking Twitter with this Javascript (which everyone will run) user-identifyer/malware-installer.

    So already I am a little confused because I don't know how you make any of the above happen. But apparently it's easy?

    We contiue...

    The attacker also needs a second web site, which they fully control. On it they put a JPG. Them they put a link to the JPG on Twitter. In the course of using Twitter, the user will load this JPG.

    The Javascript (that runs -- when?) is going to identify the user by figuring out whether he (recently) loaded this JPG.

    The first part of the trick is the attacker's web site is going to see his Twitter cookies when he tries to fetch the JPG. And the attacker's site has been set up with permissions on that JPG file. Depending on which version of the attack, the server will either serve the JPG to the guy or give a permission denied error.

    The Javasript doesn't get to see this interaction; it is not even what requested the JPG. Instead, it will examine the user's cache post-facto to see if the JPG was loaded.

    But Javascript can't simply look in the browser's cache for the JPG, because the JPG came from a third-party domain (not Twitter).

    But by beating on the CPU hardware, the Javascrip can see tiny differences in how long it takes the cache to deny the search answer.

    I guess the browser looks in the cache first to see if the JPG is there, and only afterwards checks the domain name. (Which sees odd odd to me, because isn't the "file name" in the cache ctually the URL?)

    Apparently the search takes a measurably different amount of time depennding on whether the file exists or not.

    But this whole thing just seems like a bug in how the cache works. Its logic is controlled by some domain-based security policy that I don't understand. But it seems like it ought to do the security check first, and then give the answer. Which will always be "I'm not going to tell you if that file is here or not" regardless of the file's presence. Since it's third-party content.

    Can someone please elaborate and correct all my misunderstandings?

    Probably the main thing I'm missing is how and on what page(s) you inject the JavaScript.

    • I believe you are understanding it correctly. If you go to the researchers' web page [github.io], the first thing you might notice is this requires the victim to visit a website that's under the control of the attacker.

      Now the means of attack may (or may not) be different than past attack vectors, but it's the same fundamental security issue we've been dealing with for decades now - when people go to jenky websites, there's a good chance they are gonna get hosed sooner or later.

      The other part of this appears to relate

    • by jsonn ( 792303 )
      If we have learned anything from the last 10 years of security research, then it is that timing side channels (that's the class of security issues used here) are not a bug, but a fundamental and inherent system property. There are very few circumstances where it is reliably possible to prevent them. From the perspective of a web service, it is not desirable to have constant time access to resources when it comes to permitted vs denied access. It would make denial of service attacks way too easy to do that.
    • I think you are misunderstanding one key point. The attacker doesn't need control of Twitter, they just need the targeted user to visit a web site that the attacker does control. The attacker's web site has some specific Twitter post embedded on the page, so the target's browser loads that post directly from Twitter. The attacker's web page can determine whether that post was successfully loaded or if Twitter denied access to the post, and can then identify the target based on whether or not they have acces
      • I think you are misunderstanding one key point. The attacker doesn't need control of Twitter, they just need the targeted user to visit a web site that the attacker does control. The attacker's web site has some specific Twitter post embedded on the page, so the target's browser loads that post directly from Twitter. The attacker's web page can determine whether that post was successfully loaded or if Twitter denied access to the post, and can then identify the target based on whether or not they have access to the specific post. Does that help clear it up for you?

        So the real way to prevent that is to use NoScript and not permanently allow Twitter, but only temporarily allow it on a tab where you want to load Twitter.

        (Yes, that sounds complicated, until you realize it's just two clicks to "disable restrictions on this tab".)

    • A properly crafted phishing email with a link to the attacker's fake site is all you need here.

      I wonder if the required JS could be injected by what would ostensibly be advertising tracking code.

    • I did not understand this article.

      The ultimate goal is to install malware on just one person's computer.

      Alternate explanation: You know this person is an avid reader of slashdot and very paranoid of being tracked. So you submit a story that will prey on their fears, with a link to a browser addon... ;-)

  • nothing new (Score:5, Interesting)

    by renegade600 ( 204461 ) on Saturday July 16, 2022 @03:59AM (#62707620)

    I do not consider this a new attack. There was always a way to connect the dots to find out who someone info. It can be done by sites buying, selling and trading with third parties. The key weakness is the ip address.

  • This isn't new. It just wasn't published because there's no good solution to the problem, other than always logging out of social media sites the very second you stop looking at them, or breaking the web by refusing all cross-domain links. Normally we dislike drawing attention to things bad people can do until we've got a fix because it generally just informs more bad people how to do them.

  • ... every time my browser announces "media could not be played".

  • by kyoko21 ( 198413 ) on Saturday July 16, 2022 @12:36PM (#62708234)

    That is why I have like 30 different copies of Portable Firefox that log into their individual email accounts/services.

You know you've landed gear-up when it takes full power to taxi.

Working...