This attack can work on any major browser, including the anonymity-centric Tor.
Researchers at the New Jersey Institute of Technology (NJIT) have discovered a technique that can bypass anonymity protections and reveal the unique identity of a website visitor.
Researchers explained that if an attacker gains partial or full control of a website, they can easily detect if their target is visiting the site. They would identify the unique user via some public identifier such as their Twitter handle or email ID.
This technique could benefit marketers and advertisers, hackers, spyware vendors, government-sponsored hackers, or anyone who needs to identify/track users’ online activities.
The findings of this research will be unveiled at the USENIX Security Symposium to be held in Boston.
How does it work?
When you visit any website, the page captures your IP address. However, the site owner may not always receive enough information to identify you among other visitors. This hack uses subtle features of the target’s browsing habits to determine whether they have logged into an account on a platform such as social media, YouTube, or Dropbox.
Moreover, this attack can work on any major browser, including the anonymity-centric Tor.
“What makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed,” researchers wrote.
The attacker would need three things: control of the website, a list of accounts tied to the target individual, and content posted to the platform that hosts the target’s accounts. It doesn’t matter if the attacker can view the content or not because the attack works either way.
Once these requirements are met, the attacker would embed the content on the malicious website and wait until someone clicks on it. If the target visits the site, the attacker would quickly learn of it by analyzing which users can and cannot view the content.
This attack works due to several factors. Most major services, including YouTube, let users host media and embed it on a third-party website, and users usually stay logged into all these platforms on their phones or computers. Therefore, the attacker can share a photo on Google Drive with the Gmail ID of their target.
After the attacker embeds the image on the malicious web page, the target can be lured to visit it. When the visitor’s browser tries to load the photo from Google Drive, the attacker would know whether the visitor can access the content and therefore controls the email ID.
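Because the attack depends on a page embedding content hosted on a sharing service, a site owner who suspects partial compromise can audit their pages for such embeds. The following is an added example, not code from the NJIT research; the host watchlist, the sample page and the placeholder URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative watchlist of services that serve per-account content.
SHARING_HOSTS = {"drive.google.com", "docs.google.com", "youtube.com", "dropbox.com"}
# Tags and the attribute through which each one loads a remote resource.
EMBED_ATTRS = {"img": "src", "iframe": "src", "video": "src", "audio": "src",
               "source": "src", "embed": "src", "object": "data"}


class EmbedAuditor(HTMLParser):
    """Collects resources a page loads from account-scoped sharing services."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (line, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = (urlparse(url).hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-origin resource
        # Match a watched service itself or any of its subdomains.
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            self.findings.append((self.getpos()[0], tag, url))


def audit(html, page_host):
    """Return every embed in `html` that points at a watched sharing host."""
    auditor = EmbedAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; PLACEHOLDER_PATH and VIDEO_ID are placeholders.
SAMPLE = """<html><body>
<img src="/static/logo.png">
<img src="https://drive.google.com/PLACEHOLDER_PATH" width="1" height="1">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://cdn.example.net/banner.jpg">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in audit(SAMPLE, "news.example.org"):
        print(f"line {line}: <{tag}> loads {url}")
```

A finding is not proof of abuse, since many sites embed such media legitimately; it is a list of embeds to compare against what the site's authors intended to publish.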
Who’s at Risk?
The risk of de-anonymization of web users is real. Reza Curtmola, a computer science professor at NJIT and one of the authors of this research, wrote that privacy is not an issue of concern for an average internet user when visiting a random site.
However, some users may be impacted by this attack significantly, such as people involved in organizing or participating in political protests, minority groups or people connected to these groups, and journalists.