New Browser De-anonymization Technique

Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another:

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

[…]

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

Posted on July 14, 2022 at 9:31 AM • 26 Comments

Comments

Q July 14, 2022 10:06 AM

So this attack requires JS running, right?

The article doesn’t mention any details, and doesn’t appear to have a link to the original research. Perhaps I missed it?

lurker July 14, 2022 12:42 PM

The attacks leverage the sharing/blocking functionality provided by resource-sharing services such as YouTube, Google Drive, Dropbox, or Twitter. The target user is assumed to be logged into such a sharing service.

Practice safe browsing Emily. Never go surfing while still logged in to [ email | FB | YT ]. Always log out immediately you’ve done your business. Better, don’t use webmail; and you can watch YT without logging in.

I’ll read the paper later to see how it affects my browser/OS, neither of which were mentioned in the blurb.

Legendary Teeth July 14, 2022 12:50 PM

Seems like Firefox’s containers feature could help mitigate this, especially if they go further with it.

Winter July 14, 2022 1:57 PM

@lurker

Never go surfing while still logged in to [ email | FB | YT ].

Better still, use different browsers for different tasks, compartmentalization. However, that might be difficult on a smartphone/tablet, if it is even possible at all.

William July 14, 2022 2:08 PM

@Winter It’s not difficult to use multiple browsers. I do this on my phone and also on my desktop.

On my desktop, I usually keep the default browser to use 127.0.0.1 as the internet. This way, if something triggers my default browser, it’s obvious and will be going nowhere. Haven’t tried configuring it similarly on my phone.

EvilKiru July 14, 2022 2:18 PM

@Winter: As far as I know, both Android and iOS have multiple web browsers available for them. I guess Android’s default is Chrome and I think Firefox and Opera are available. On iOS, Safari is the default and Chrome, Opera, and Firefox are available.

SpaceLifeForm July 14, 2022 2:19 PM

I doubt most here would fall for it.

Just use good sense, if you have to Login, then do what you have to do, Logout, close the tab, and clear cookies.

I would think that stealing session cookies via MITM is a more likely threat.

Ted July 14, 2022 2:56 PM

@Winter, EvilKiru

If I’m reading the paper right, this attack only works on mobile phones if you’re signed into the Chrome browser on your Android phone and the attacker has your Gmail email. If you are someone for whom privacy is vital, this is already a disaster.

From the paper: 4.3 Attacking Mobile Phones

Gilbert July 14, 2022 3:22 PM

@Winter,

Different browser profiles work too, though the UIs for such are not well maintained. E.g., for Firefox, you should set $LOGNAME differently for each, or else shells/programs may send URLs to the wrong browser (unless using -noremote, and then you’ll deal with “profile already in use”).

Clive Robinson July 14, 2022 4:12 PM

@ Bruce,

If you look back on this blog to a time shortly before Google first announced its Chrome browser –yup a long time ago– you will find that I’d highlighted this problem and discussed it with @Nick P.

Nobody appeared to think it was an issue to worry about back then, let alone a serious one…

As I mention from time to time the ICT Industry, especially the ICTsec part of it, has a very very short memory at best, that is if it mostly even bothers learning from its history, which it mainly appears not to have done.

Clive Robinson July 14, 2022 5:51 PM

@ lurker, Winter, ALL,

Always log out immediately you’ve done your business.

It may not help you…

As I was saying quite some number of years ago, you need to understand the consequences of,

“Security -v- Efficiency”

As an almost invariant rule, Efficiency trumps Security as “specmanship sells, security smells” in most marketing people’s heads.

So you need to remember,

1, It’s a shared resource problem.
2, Shared resources are almost never cleared / nulled out.
3, Cache algorithms work in some odd ways.

Because getting data from semi-mutable memory like a mechanical hard drive into Core RAM is torturously slow, pages of memory get left in Core RAM until either “paged out” or “overwritten”.

Likewise Core RAM gets allocated to processes in various ways, sbrk(), malloc() being common. They do not generally null the page of memory.

Data in Core RAM has not been read into CPU registers for quite some time, it usually goes through two or more levels of cache, and is “preemptive” in many ways including data from other processes.

I won’t bother going into the way the algorithms work, but it is possible to find “old” data that has not been nulled out or overwritten in the chain from harddrive to CPU register…

Thus the question is,

“Can a new process get at this old process data?”

The answer to that is obviously yes if there is a mechanism by which it can happen.

As I’ve mentioned before you can use malloc() and free() to make a data path that is not really visible in the source code,

1, Use malloc() to create a buffer,
2, Write data into the buffer,
3, Use free() to release the buffer.
4, Use malloc() to create a new buffer the same size as the buffer just released with free().
5, Examine the contents of the new buffer…

With a little care about how you use malloc and friends, you will find you can say, call a sub to read a secret key in from the user into a buffer, and pass this buffer to the crypto algorithm key handler. On return from the handler release the buffer go on and do a whole load of stuff provided it does not use malloc and friends. Then call a sub that creates the new buffer and passes it onto another sub that now has access to the secret key…

You can hide this by “overloading” the error checking sub, that is when called it “checks the buffer” to see if it exists, and drops into checking the contents are valid, if so it does not clear it instead it just marks it as valid and returns as OK…

You would be surprised at just how easy it is to hide such things from even quite experienced software developers.

There are all sorts of other tricks that happen because “Efficiency trumps security”…
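The five-step malloc()/free() sequence above, as an added example written for this page (not Clive’s code): one call runs the steps exactly as described, the other wipes the buffer before free() the way a hardened key handler should. The sample secret, buffer size and helper names are constructed; whether the unwiped path actually exposes the secret depends on the allocator, the wiped path never does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64

/* Constructed sample secret; a real program would read it from the user. */
static const char SAMPLE_KEY[] = "k3y-material-0123456789abcdef";

/* Zero through a volatile pointer so the compiler cannot drop the store as
   "dead" just because free() follows; explicit_bzero()/memset_s() do the
   same job where available. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Byte search through a volatile pointer, so the fresh buffer is really read
   rather than folded away as "uninitialised" by the optimiser. */
static int contains(const volatile unsigned char *hay, size_t n,
                    const char *needle, size_t m) {
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && hay[i + j] == (unsigned char)needle[j]) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* Runs the five steps and returns 1 if the secret is still readable in the
   fresh buffer, 0 if not, -1 on allocation failure. */
static int secret_survives(int clear_before_free) {
    unsigned char *key = malloc(BUF_LEN);             /* step 1 */
    if (!key) return -1;
    memset(key, 0, BUF_LEN);
    /* step 2: place the secret past the first bytes, which many allocators
       overwrite with free-list bookkeeping once the block is released */
    memcpy(key + 16, SAMPLE_KEY, sizeof SAMPLE_KEY);
    if (clear_before_free) secure_zero(key, BUF_LEN); /* the hardened path */
    free(key);                                        /* step 3 */
    unsigned char *fresh = malloc(BUF_LEN);           /* step 4: same size */
    if (!fresh) return -1;
    int found = contains(fresh, BUF_LEN, SAMPLE_KEY, sizeof SAMPLE_KEY - 1); /* step 5 */
    free(fresh);
    return found;
}

int main(void) {
    printf("without clearing: secret readable = %d\n", secret_survives(0));
    printf("with secure_zero: secret readable = %d\n", secret_survives(1));
    return 0;
}
```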

lurker July 14, 2022 6:37 PM

There are an awful lot of variables in play to make this work. The suggested mitigation is Yet Another Browser Extension. I’m lazy, I’ll go with @SLF above and MITM the session cookie.

Q July 14, 2022 9:36 PM

Re: Yet Another Browser Extension

No thanks.

I don’t care about cookies, they can be deleted easily and regularly.

I disable JS. Hence my question above. I’m going to assume this exploit does require JS, since, so far, all browser exploits in the last many years have all required JS running.

I also disable iframes, which have been used to deliver malware via rogue sites.

I don’t run any adblocker, or any extensions. But the above settings (no JS or iframes) seem to be enough to eliminate all ads as a by-product. If sites just showed basic image ads, without all the desperate attempts to track everything to the nth degree, then I wouldn’t mind seeing them. But, alas, the ad networks don’t do that, and instead find it “necessary” to be nosey and intrusive.

I find it disheartening that whenever a new browser exploit is revealed, the proposed solutions are never to disable JS, but instead to “update” to a newer more complex browser version, with a larger attack footprint.

Stop with all the “new features” for a “better experience”. Instead, kill the complexity and reduce the overheads. Just show some basic images, and some text, I’ll understand.

MrC July 14, 2022 9:50 PM

It sounds like any of the following “old hat” privacy/security practices should prevent this:

  1. Disable javascript entirely.
  2. Disable javascript JIT (thus making javascript too slow for CPU timing side channels).
  3. Use firefox’s containers feature to isolate “sharing service owners” (e.g. Google) from everything else (thus destroying the persistent log-in from the attacker’s perspective).

Denton Scratch July 15, 2022 12:06 PM

Disable javascript entirely.

More and more sites come with a banner header, a footer, and a completely blank content section in between, if JS is disabled.

For me, that’s enough to make me close the tab, unless it’s unique content that I really want. It’s often a storefront; that’s fine, I expect I’ll find what I wanted elsewhere. Or it’s some blog; it had better be a damned good blog to get me to drop my pants and (selectively) enable JS.

It’s hard to enable JS selectively, if the site tries to pull in 20 scripts in addition to the embedded JS. If I can’t get a page working by enabling a couple of scripts (e.g. jQuery), I treat the site as broken.

Most of the sites “broken” in this way are not vital. Mostly they’re storefronts, built by some cheapo web-shop. I can’t remember the last time I visited a site where JS had to be enabled to view the site at all, that actually benefited in any way from the use of JS. That is: I find surfing with JS disabled works fine nearly everywhere; and where it doesn’t work, it turns out that I don’t care about the content anyway.

I suspect there’s a pretty close positive correlation between serving WAY too much JS, and having crap content.

fib July 15, 2022 1:15 PM

Rules of fib

- A good Linux distro [preferably live],
- Well-crafted hosts file(s) [both ipv4, v6]
- Good hygiene practices [emphasis on this]

is all it takes for online security, if you’ve chosen your adversaries to be only corporations and hackers.

humdee July 15, 2022 2:21 PM

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

This strikes me as an unrealistic, even fanciful hypothetical. Anyone using an onion service or anything similar would be smart enough to not have a FB profile to begin with.

The problem of cross-contamination between a darknet identity and a clearnet identity has been noticed for years and so have the strategies designed to mitigate it: stream isolation, compartmentalization, etc. The best advice, however, has always been to not go down that road to begin with. As I like to say, if you are a terrorist it’s not a good idea to talk to mom and dad.

Anonymous July 25, 2022 4:10 PM

The fact that this works on Tor Browser is not surprising, as it is basically just Firefox ESR. That is why it is important to never assume that individual tabs are isolated from each other. One should never have two identities that they do not want correlated open in the same Tor Browser session. That is what “New Identity” is for. It restarts the browser, clearing everything.

Always assume that every tab has access to the entire virtual memory space of the browser, and your future decisions will be far better, no matter how bad microarchitectural side-channel attacks get.

Clive Robinson July 25, 2022 7:42 PM

@ ,

“I suspect there’s a pretty close positive correlation between serving WAY too much JS, and having crap content.”

You are not alone in this observation.

But as I found years ago, if you say these “obvious things” too soon some people will call you paranoid or some such…

I guess the reason is what is called in the Far East,

“Breaking their ‘rice bowls’.”

That is they have rather more than “a little skin in the game” and they do not want that investment neutralized.

JonKnowsNothing July 26, 2022 7:16 AM

@ Denton Scratch, @Clive, @All

re: disable javascript and buttered bread

RL anecdote tl;dr

Some while ago during a discussion about the lack of virtue of JavaScript with a group of techy types, and after a good go round of all the negatives involved, there was this comment:

I get paid to write JavaScript…

Knowing which side your bread is buttered on, goes with the rice bowl…

While we can bemoan much, a constant problem in tech and other highly skilled professions, is the lack of “re-training” to something else at the same level or higher.

If you spend 10yrs, after 5yrs college or school, honing your skills in Computer Language XYZ, can you effectively re-train for another 5yrs plus an additional 10 yrs for Computer Language MNO?

We don’t have a profession that ages gracefully or updates skills effectively. We have a use-em-up and dump-em-out manner for tech employment.

Clive Robinson July 26, 2022 5:48 PM

@ JonKnowsNothing, Denton Scratch, ALL,

“If you spend 10yrs, after 5yrs college or school, honing your skills in Computer Language XYZ, can you effectively re-train for another 5yrs plus an additional 10 yrs for Computer Language MNO?”

This is almost certainly going to turn into one of those long threads, as has happened in the past.

The root of the problem is the education system.

These days you get taught,

“What employers want now.”

Not what,

“Engineers need for a sustainable career.”

There was a time some forty to fifty years ago when you were taught as standard the very foundations of not just the way computers worked but fundamental logic, set theory and the algorithms based in them as well as abstract data types.

This was all done in a “language independent” way. Thus it did not matter what CPU you used, if it was 8, 12, 16, 24, 32 or 36 bits wide, or if it had a small or large register file or even Cray type register systems.

These days it’s not about such fundamentals you can easily rebuild on, but expensive environments and tools and code re-use to the point where it’s not even coding but plumbing.

But there is also the,

“Man and his dog”

Problem… Where the man is effectively a “hobbyist” and his dog is some pet “programming language” or “library” etc.

Because corporation management, due to neo-con mantra, are always chasing down the minimize cost spiral to hell we occasionally get reminded, Log4J being just one example I hope most can at least remember…

Which brings me to the next appalling thing in the majority of the software industry, we do not record our history let alone study it, thus we do not learn from mistakes and re-live them over and over…

There are known ways to fix these problems and I’ve mentioned them before then been shot at by people who keep avoiding the actual issues. Thus blame the messenger rather than take a little time studying the history of the industry and learning the lessons.

As an example we all know what eventually happens when you build up a Tsunami of Technical Debt. Most readers here know what the basic thing that needs doing is…

But that is not fun, or sexy, or leading edge, it’s dull and requires thoughtful and committed behaviour over an increased period of time…

Writing code that can be effectively maintained requires a certain skill set, that is not difficult to acquire. But many “ace coders” hate developing software this way…

As for “full stack” do not make me laugh / cry, any CV or Job advert I see with that in it tells me something…

Any way if I mention “Victorian” boiler makers, you should be able to search for some of my previous comments…
