Everyone wants to know who is on the web and who they are. The appetite for data and new tools to collect it has proved to be so high that a huge amount of infrastructure is already in place to do that. Researchers from the New Jersey Institute of Technology warn this week about a novel technique attackers could use to de-anonymize website visitors and possibly connect the dots on many components of targets' digital lives.
The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine if that visitor controls a particular public account, like an email address or social media account.
When you visit a website, the page can capture your internet protocol address, but this doesn't give the site owner enough information to individually identify you. The hack uses subtle features of a potential target's browser activity to determine if they are in an account for an array of services. The attacks work against all browsers.
According to one of the study authors, if you are an average internet user, you may not think much about your privacy. People who organize and participate in political protest, journalists, and people who network with fellow members of their minority group may be more impacted by this. These types of attacks are very stealth. You don't know you've been exposed when you visit the website.
There is a chance that government-backed hackers and cyber-arms dealers will attempt to de-anonymize web users. Researchers have documented a number of techniques used in the wild and have witnessed situations in which attackers identified individual users.
Much of the past investigation has focused on grabbing revealing data that is leaked between websites when one service makes a request to another. As a result of this prior work, browsers and website developers have improved how data is isolated and restricted when content is loaded. The researchers were aware that attackers were motivated to look for techniques to identify users.
A law enforcement agency may have taken control of a forum for underground extremists. The users use pseudonyms, so they can't do this directly. The agency was able to get a list of suspected users of the forum on Facebook. They would now be able to correlate who goes to the forum with their Facebook profile.