Researchers at the New Jersey Institute of Technology (NJIT) recently discovered a new technique that hackers could use to de-anonymize website visitors. The method can also give them access to much of their targets’ digital information.
The NJIT researchers will present their findings about this novel attack technique at the Usenix Security Symposium in Boston next month. According to their findings, an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular account or email address, potentially exposing that visitor’s personal data.
When users visit a website, that page only captures their IP address. The de-anonymization technique, however, analyzes subtle features of a target’s browser activity to identify whether the target is logged into an account on services such as YouTube, Dropbox, Twitter, Facebook, and TikTok. Unfortunately, the hack works against every major browser, including Tor Browser (known for its anonymity).
Reza Curtmola, a computer science professor at NJIT and one of the study authors, says the hack won’t affect every internet user. But it will significantly impact those “internet users who organize and participate in political protest, journalists, and people who network with fellow members of their minority group.” Curtmola also says these attacks are dangerous because “they’re very stealthy.” Users do not know that someone has identified them when they visit the website.
Hack that de-anonymizes site visitors
To de-anonymize a website visitor, attackers need a few prerequisites. First, they need a website they control. Second, they need a list of accounts tied to people they want to identify as having visited that site. Finally, they need content posted on the platforms of their targets’ accounts that either allows the targeted accounts to view that content or blocks them from viewing it; the attack works either way.
After that, the attackers embed the content on their malicious website and wait to see who clicks it. If anyone on their target list visits the site, the attackers will learn that person’s identity by analyzing who can or cannot view the embedded content.
Unfortunately, many major services, like YouTube and Dropbox, make this new attack easy for hackers to carry out. These platforms allow their users to post media and embed it on a third-party website, and users often stay logged into these services on their phones or computers. These platforms also allow users to restrict or limit access to certain content they upload.
How does the attack work?
First, users should remember that access to any Google Drive content is limited to the account owner, along with the people who have shared content with them or with whom they have shared content. So the hackers share an image on Google Drive with the Gmail address of a potential target. Then they embed that photo on their malicious website and “lure” the victim there. When the visitor’s browser tries to load that image via Google Drive, the attackers can accurately determine whether that visitor has control of the email address or not.
Attackers cannot directly check whether the site visitor was able to load that photo. However, NJIT researchers believe they could “analyze accessible data about the target’s browser.” They can even determine the “behavior of the target’s processor.” Consequently, by training machine learning algorithms, hackers can discover how the victim’s browser and device process the request to view that photo. They successfully de-anonymize the site visitor once they know whether the victim they targeted has viewed that image or been blocked from viewing it.
NJIT researchers say this technique is simple even though it sounds complicated. Once the hacker has done the “prep work,” they can easily de-anonymize each visitor to their site within seconds, and these potential victims would not even detect the attack.
However, the researchers developed a browser extension that can help users prevent such attacks. Currently, it is only available for Chrome and Firefox, and the researchers warn that it might affect the browsers’ performance.
“Vendors are trying to see if it’s worth the effort to resolve this,” Curtmola says. “They need to be convinced that it’s a serious enough issue to invest in fixing it.”
He revealed that they could eventually create a comprehensive solution to this unique problem through discussion with the World Wide Web Consortium or other forums.