A group of academics at the New Jersey Institute of Technology (NJIT) has warned of a new technique that can be used to bypass anonymity protections and identify a unique website visitor.
“An attacker who has full or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website,” the researchers said. “The attacker only knows this target through a public identifier, such as an email address or a Twitter handle.”
The cache-based target de-anonymization attack is a cross-site leak in which the adversary uses a service such as Google Drive, Dropbox or YouTube to privately share a resource (e.g. an image, a video or a YouTube playlist) with the target and then embeds the shared resource in the attack website.
This can be achieved, for example, by privately sharing the resource with the target using the victim’s email address or correct username associated with the service and then inserting the leaking resource using a
In the next step, the attacker tricks the victim into visiting the malicious website and clicking on the aforementioned content, thereby loading the shared resource as a pop-under window (as opposed to a pop-up) or a browser tab, a method used by advertisers to load ads covertly.
This exploit page, as displayed by the target’s browser, is used to determine whether the visitor has access to the shared resource. Successful entry indicates that the visitor is indeed the intended target.
The attack, in a nutshell, aims to expose the users of a website under the attacker’s control by linking those visitors to their social media accounts or email addresses via a piece of shared content.
In a hypothetical scenario, a bad actor could share a video hosted on Google Drive with a target’s email address and then embed that video in the decoy website. When visitors land on the site, whether the video loads successfully reveals whether a given visitor is the intended target.
The attacks, which can be practically exploited on desktop and mobile systems with multiple CPU microarchitectures and different web browsers, are enabled through a cache-based side channel which is used to find out if the shared resource has been loaded and therefore distinguish between targeted and non-targeted users.
Put another way, the idea is to observe the subtle timing differences that occur when the shared resource is loaded by the two groups of users, which in turn stem from differences in how long the web server takes to return an appropriate response depending on the user’s authorization status.
The attacks also take into account a second set of client-side differences that occur when the web browser renders either the relevant content or an error page, depending on the response received.
“There are two main reasons for differences in the observed side channel leakage between targeted and non-targeted users: a difference in timing on the server side and a difference in rendering on the client side,” the researchers said.
While most popular platforms such as Google, Facebook, Instagram, LinkedIn, Twitter, and TikTok were found to be susceptible, Apple iCloud is a notable exception that is immune to the attack.
It is worth pointing out that the de-anonymization method works only on the condition that the target user is already logged in to the service. As a countermeasure, the researchers have released a browser extension called Leakuidator+ that is available for the Chrome, Firefox and Tor browsers.
To counter the timing and rendering side channels, website owners are advised to design web servers to return their responses in constant time, regardless of whether the user is authorized to access the shared resource, and to keep their error pages as similar as possible to the content pages in order to minimize the differences perceptible to the attacker.
“For example, if an authorized user were shown a video, the error page for the non-targeted user would also have to be created to show a video,” the researchers said, adding that websites should also be made to require user interaction before the content is displayed.
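The two server-side recommendations above (a fixed response time independent of the authorization decision, and an error page with the same shape as the content page) can be sketched as a request handler. This is an added illustration, not code from the NJIT researchers or from any of the named services; the access-control list, the page template, the deadline and the page size are constructed assumptions.

```python
import time

# Constructed sample access-control list: resource id -> accounts it was shared with.
SHARED_RESOURCES = {
    "video-123": {"target@example.com"},
}

# Every response is padded to this latency floor and this body size (assumed values),
# so neither the timing nor the size of the reply depends on the authorization outcome.
RESPONSE_DEADLINE_S = 0.05
PAGE_SIZE = 512


def build_page(resource_id: str, authorized: bool) -> str:
    """Render the content page and the 'error' page with an identical structure.

    Both variants embed a <video> element of the same dimensions; only the source
    differs, so the client has no structurally different page to render."""
    src = f"/media/{resource_id}" if authorized else "/media/placeholder"
    html = (
        "<html><body>"
        f'<video src="{src}" width="640" height="360" controls></video>'
        "</body></html>"
    )
    # Pad to a fixed size so the two variants are also indistinguishable by length.
    return html.ljust(PAGE_SIZE)


def handle_shared_resource(user: str, resource_id: str):
    """Return (status, body, elapsed_seconds) for a request to view a shared resource.

    The status code is the same in both cases, and the handler sleeps until the
    deadline so an authorized and an unauthorized request take the same time."""
    start = time.monotonic()
    allowed = user in SHARED_RESOURCES.get(resource_id, set())
    body = build_page(resource_id, allowed)
    remaining = RESPONSE_DEADLINE_S - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return 200, body, time.monotonic() - start
```

The client-side rendering difference described earlier is only narrowed, not removed, by this: the placeholder and the real video are still different media, which is why the researchers also suggest requiring user interaction before content is displayed.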
“Knowing the precise identity of the person currently visiting a website can be the starting point for a series of nefarious targeted activities that can be carried out by the operator of that website.”
The findings come weeks after researchers from the University of Hamburg, Germany, demonstrated that mobile devices leak identifying information such as passwords and previous vacation locations through Wi-Fi survey requests.
In a related development, MIT researchers last month revealed that the root cause of a website fingerprinting attack is not signals generated by cache conflicts (also known as a cache-based side channel) but rather system interrupts, while showing that interrupt-based side channels can be used to assemble a powerful website fingerprinting attack.