Home News A New Attack Can Unmask Anonymous Users on Any Major Browser

A New Attack Can Unmask Anonymous Users on Any Major Browser

46
0


How this de-anonymization attack works is difficult to explain, but relatively easy to grasp once you get the gist of it. The person carrying out the attack needs a few things to get started: a website they control, a list of accounts associated with people they want to identify as having visited the website, and content posted to the target’s list of accounts on the platform that allows the target account to view that content or Stop them from viewing that content – the attack goes both ways.

Next, the attacker embeds the above content on a malicious website. Then they wait to see who clicks. If anyone on the target list visits the site, the attacker will know who they are by analyzing which users can (or cannot) view the embedded content.

The attack took advantage of many factors that most people might take for granted: Many major services, from YouTube to Dropbox, allow users to host media and embed it on third-party websites. Regular users often have accounts for these ubiquitous services and, crucially, frequently stay logged into these platforms on their phone or computer. Finally, these services allow users to restrict access to content uploaded to them. For example, you can set up your Dropbox account to share videos privately with one or a few other users. Alternatively, you can upload the video to Facebook publicly, but block certain accounts from viewing it.

These “block” or “allow” relationships were key to the researchers discovering they could reveal identities. For example, in the “allow” version of the attack, a hacker could quietly share a photo on Google Drive with a Gmail address that might be of interest. They then embed the photo into their malicious web page and lure the target there. When a visitor’s browser tries to load a photo via Google Drive, the attacker can accurately deduce whether the visitor is allowed to access the content — that is, whether they control the associated email address.

Due to the existing privacy protections of major platforms, attackers cannot directly check whether website visitors are able to load content. But NJIT researchers realized that they could analyze accessible information about the target browser and the behavior of the processor as the request occurred, to infer whether a request for content was allowed or denied.

The technique is known as a “side-channel attack” because researchers found that they could accurately parse data about how a victim’s browser and device handled requests by training machine learning algorithms to parse seemingly unrelated data. Make this decision reliably. Once attackers know that one of the users they allowed to view the content has done so (or that one of the users they blocked has been blocked), they can de-anonymize site visitors.

As complicated as it sounds, the researchers warn that once the attackers are done preparing, it will be simple to execute. Every visitor to a malicious website can be uncovered in just a few seconds, making it nearly impossible for an unsuspecting user to detect the hack. Researchers have developed a browser extension that blocks such attacks, and it’s available for Chrome and Firefox. But they point out that it may affect performance and is not available in all browsers.

Through a major disclosure process across numerous web services, browsers and web standards bodies, the researchers say they have begun a broader discussion on how to address the issue across the board. At this time, Chrome and Firefox have not released their responses publicly. Curtmola said fundamental and potentially infeasible changes to the way processors are designed are needed to address chip-level issues. However, he said collaborative discussions through the World Wide Web Consortium or other forums could eventually lead to broad solutions.

“The vendors are trying to see if it’s worth the effort to fix this,” he said. “They need to be convinced this is a serious enough problem to invest in fixing it.”



Source link

Previous articleHollywood Star Kevin Spacey Pleads Not Guilty After Being Accused of Sex Attacks
Next articleMicrosoft goes to Hollywood – Protocol

LEAVE A REPLY

Please enter your comment!
Please enter your name here