{"id":1088,"date":"2010-02-04T04:16:01","date_gmt":"2010-02-04T12:16:01","guid":{"rendered":"\/?p=1088"},"modified":"2010-02-04T04:23:59","modified_gmt":"2010-02-04T12:23:59","slug":"more-unintended-consequences-of-browser-leakage","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1088","title":{"rendered":"More unintended consequences of browser leakage"},"content":{"rendered":"

Joerg Resch<\/a> at Kuppinger Cole<\/a> points us to new research showing\u00a0 how social networks can be used in conjunction with browser leakage to provide accurate identification of users who think they are browsing anonymously.<\/p>\n

Joerg writes<\/a>:<\/p>\n

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security<\/a> found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, adress, phone numbers and so on. What they do, is just exploiting the browser history to find out, which social networks the user is a member of and to which groups he or she has subscribed within that social network.<\/p><\/blockquote>\n

The Practical Attack to De-Anonymize Social Network Users<\/a> begins with what is known as \u201chistory stealing\u201d.\u00a0\u00a0<\/p>\n

Browsers don\u2019t allow web sites to access the user\u2019s \u201chistory\u201d of visited sites.\u00a0 But we all know that browsers render sites we have visited in a different color than sites we have not.\u00a0 This is available programmatically through javascript by examining the a:visited<\/em> style.\u00a0 So malicious sites can play a list of URLs and examine the a:visited<\/em> style to determine if they have been visited, and can do this without the user being aware of it.<\/p>\n

\"\"<\/p>\n

This attack has been known for some time, but what is novel is its use.\u00a0 The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into \u201cgroup membership stealing\u201d.\u00a0 This brings us to the core of this new work.\u00a0 The authors have developed a model for the identification characteristics of group memberships \u2013 a model that will outlast this particular attack, as dramatic as it is.<\/p>\n

The researchers have created a demonstration site<\/a> that works with the European social network Xing.\u00a0 Joerg tried it out and, as you can see from the table at left, it identified him uniquely \u2013 although he had done nothing to authenticate himself.\u00a0 He says<\/a>,<\/p>\n

\u201cHere is a screenshot from the self-test I did with the de-anonymizer described in my last post. I\u00b4m a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That\u00b4s weird!\u201d<\/p><\/blockquote>\n

Since I\u2019m not a user of Xing I can\u2019t explore this first hand.<\/p>\n

Joerg goes on to ask<\/a> if history-stealing is a crime?\u00a0 If it\u2019s not, how mainstream is this kind of analysis going to become?\u00a0 What is the right legal framework for considering these issues?\u00a0 One thing for sure:\u00a0 this kind of demonstration, as it becomes widely understood, risks profoundly changing the way people look at the Internet.<\/p>\n

To return to the idea <\/a>of minimal disclosure for the browser, why do sites we visit need to be able to read the a:visited<\/em> attribute?\u00a0 This should again be thought of as \u201cfingerprinting\u201d, and before a site is able to retrieve the fingerprint, the user must be made aware that it opens the possibility of being uniquely identified without authentication.<\/p>\n","protected":false},"excerpt":{"rendered":"

Another example of digital fingerprinting – this time leveraging social networks to produce unique, real-world identification without the user's knowledge<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[49,63,6,17,71,47,11,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1088"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1088"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1088\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}