[HN Gopher] A new attack can unmask anonymous users on any major...
___________________________________________________________________
A new attack can unmask anonymous users on any major browser (2022)
Author : tysone
Score  : 49 points
Date   : 2023-06-02 19:16 UTC (3 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)

| j-bos wrote:
| Is this new? Seems like long-present low-hanging fruit.
|
|   omgmajk wrote:
|   Article from 2022.

| saxonww wrote:
| Firefox container mode stops this. I can imagine a product that makes every tab an ephemeral container by default, and you had to explicitly opt in to a container profile to share cookies, etc. cross-tab.
|
|   pwgentleman wrote:
|   Yeah, there's an extension called Temporary Containers that does exactly that (^:
|
|     ravenstine wrote:
|     Even better, type "about:profiles" into your URL bar, create a new profile that runs in an entirely separate Firefox process, and live your second life there.
|
|       xjay wrote:
|       Disable automatic updates in this case (Windows).
|
|       When an update is applied between the first and second profile process, any new tab won't do anything in any of the instances. Firefox likely still doesn't detect this state.
|
|       Edit: That is, if you use Firefox with two or more profiles, and may start one profile later (after a new update was published).
|
|   Aachen wrote:
|   If you're linked to something on Twitter or Discord or so, odds are that you'll open it in that container because that's the default behavior. While you're right, and I use containers as well, I'm not sure that's a solid way to prevent this attack unless the person can be convinced to diligently right-click anything they wish to open, copy the link, and manually paste it in a fresh new tab.
|
|     fsflover wrote:
|     This is solved in Qubes OS by using separate VMs for different security domains. For Discord, a single click can be configured to open a browser in a dedicated disposable VM.

| Izkata wrote:
| Relevant paragraphs:
|
| > How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it--the attack works both ways.
|
| > Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.
|
| > The attack takes advantage of a number of factors most people likely take for granted: Many major services--from YouTube to Dropbox--allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers.
|
| Isn't this one of the older forms of de-anonymization? And this is pretty visible to the user too: embeds hint to even non-technical people that they can be tracked across websites.
|
|   Aachen wrote:
|   > And this is pretty visible to the user too
|
|   How would even a tech-savvy person know of this going on in the background, without being suspicious a priori? Embedded frames can be made invisible, overlaid with something else, or put off-screen. You'd have to be very familiar with this attacker's site to know that it's unusually slow today and loading longer than usual, or showing it's loading while the page appears to be already fully loaded. With the gigabytes of JavaScript that are common nowadays, that's not unusual.
|
|   The riskiest part is probably the sharing, as email notifications of such actions are commonly sent out.
|
|     Izkata wrote:
|     Embeds in general can lead to this suspicion, not the attack itself. I've seen people question "why am I logged in to these Facebook comments? Does Facebook know I visited this site?", which then leads to them discovering recommendations that others have commented on here. They don't even need to know anything technical beyond "install this addon to stop Facebook from spying on you" and poof, this attack doesn't work anymore.
|
|       ls612 wrote:
|       I'd also assume that uBlock Origin will stop most of this in its tracks.

| Aachen wrote:
| TL;DR (the crucial info is, predictably, at the very end): share a picture with someone via Dropbox or whatever and embed that Dropbox page on a website you control, then "analyze accessible information about the target's browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied."
|
| So you can confirm via unspecified vectors whether a visitor is among a specific set of persons if they are logged in with the right user account. (Not exactly a way to unmask any anonymous user on any major platform, the way the headline sounds.)
|
| Edit: oh, it's not at the very end. Beyond the horizontal line and newsletter begging there are a few more paragraphs I didn't see before. Credit where it's due, they didn't bury it at the end but, instead, only 988 words stand between you and the above information!

| Blahah wrote:
| https://archive.is/neUxt

| Izkata wrote:
| Oh haha, this might be an attack itself:
|
| > The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.
|
| And if you click through to the Firefox one...
|
| > This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.
|
|   JBiserkov wrote:
|   The target demographic selects itself ;-)
|
|   notjulianjaynes wrote:
|   I am pretty sure that how it works is almost every Firefox add-on that isn't in their recommended add-ons has this warning.
|
|     Izkata wrote:
|     As far as I know they can get it reviewed without reaching "recommended" status. My point is these are security researchers that didn't bother getting it reviewed. Surely they'd go through the effort to get it reviewed if they really wanted to convince people it was safe, right? Seems to imply to me there's something that would get it removed if Mozilla did review it.
|
|     Edit: I guess maybe reviewed and recommended are the same (I swear they were different at one point), but there is an email you can send to suggest extensions to reach this status.

| kodah wrote:
| > "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group."
|
| I get so dizzied by statements like this. It's almost as if researchers want to undermine their own work. Privacy can be _essential_ for certain groups, but it should be a priority for everyone. Frankly I'm not even sure the statement about minority groups is true anymore. We've seen unmasking used by corporations, interest groups, governments, etc. against a wide variety of people with dangerous outcomes.
|
| I'd prefer we refactor messaging to make people realize that this is important to everyone and that we lay an impetus to do something about it, especially as governments all over the world are moving to eliminate personal and online privacy.
|
|   therealcyclist wrote:
|   [flagged]

| Sunspark wrote:
| Combined with AI/ML this would be useful for PaaS to provide a curated offering of porn, except for those from Louisiana.

| green_boons wrote:
| There was a similar attack from a couple of years ago that checked if favicons for sites were cached and then polled them.
|
|   lelandfe wrote:
|   It's a classic problem. It's also why :visited was limited, why caches were partitioned, etc.

| throwawayadvsec wrote:
| Wouldn't that be stopped by CORS blocking, which is pretty much the norm for large websites?
|
|   lincolnq wrote:
|   Iframes bypass CORS, so the trick is to use an iframe and figure out (using some side channel, since you can't peek into the frame) whether the iframe loaded the content successfully or whether it loaded an error page.
|
|   veeberz wrote:
|   There's a type of side-channel attack you can do to get around CORS but still leak limited information.
|
|   Suppose you want to detect whether one of N pre-chosen users of FakeMail (a service I made up) have visited a malicious page you control. Let's also say that in FakeMail:
|
|   1. you can see a hi-res version of your profile pic only if you're authenticated
|
|   2. only you can see your own hi-res profile pic
|
|   3. the path to this private pic is unique to each user, e.g. `/users/{user_id}/private_pic`
|
|   The trick then is to embed an `<img>` tag with a `src` to this private, hi-res profile pic for each of the N pre-chosen targets in your malicious page. Then, in `onerror` and `onload` event handlers of `img`, you can implement logic to handle "user X is not here" and "user X is here" respectively.
|
|   Of course, this attack could be thwarted by SameSite cookies or browsers with protection against cross-site use of cookies. And it's rather hard to find FakeMail's exact three conditions needed to pull off such an attack. AND just add one more: your targets have to be authenticated to FakeMail. It might seem like an attack that's not viable, but this has happened before, and iirc it was called XS-Leaks for a while when I first heard of it.

| Semaphor wrote:
| Seems like anyone using a third-party content blocker like uMatrix will be immune.
|
|   myshpa wrote:
|   uMatrix is a lifesaver ... I enable only CSS, images and media for 1st-party sites, everything else is disabled by default.
|
|   Have not seen an ad in years.
___________________________________________________________________
(page generated 2023-06-02 23:00 UTC)
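An added example (not code from the thread or from any real service) modelling the server side of veeberz's hypothetical FakeMail endpoint `/users/{user_id}/private_pic`: a naive handler whose answer a cross-site `<img>` can tell apart via onload/onerror, next to a hardened one that uses the real `Sec-Fetch-Site` request header and `Cross-Origin-Resource-Policy` response header so every cross-site load looks identical whoever is logged in. The `sid` cookie and session table are constructed for the example.

```javascript
// Constructed session table for the example: cookie value -> user id.
const SESSIONS = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);
const PATH_RE = /^\/users\/([^/]+)\/private_pic$/;

// Look up the (hypothetical) "sid" session cookie.
function sessionUser(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Naive handler: an image for the owner, a text error for everyone else.
// A cross-origin <img> cannot read either body, but it does see whether
// the body decoded as an image (onload) or not (onerror): that is the oracle.
function naiveHandler(req) {
  const owner = (PATH_RE.exec(req.path) || [])[1];
  if (owner && sessionUser(req) === owner) {
    return { status: 200, headers: { "content-type": "image/png" }, body: "PNG:" + owner };
  }
  return { status: 403, headers: { "content-type": "text/plain" }, body: "forbidden" };
}

// Hardened handler. Fetch Metadata (Sec-Fetch-Site) refuses any cross-site
// load before the session is consulted, so the cookie cannot change the
// answer; Cross-Origin-Resource-Policy: same-origin on every response makes
// the browser withhold the bytes from a cross-origin <img> anyway. Issuing
// the session cookie with SameSite=Lax/Strict would keep it off such
// subresource requests entirely.
function hardenedHandler(req) {
  const corp = { "cross-origin-resource-policy": "same-origin" };
  const site = req.headers["sec-fetch-site"] || "none";
  if (site === "cross-site") {
    return { status: 403, headers: { ...corp, "content-type": "text/plain" }, body: "forbidden" };
  }
  const r = naiveHandler(req);
  return { ...r, headers: { ...r.headers, ...corp } };
}

// All a cross-origin <img> on another site can observe: onload fires when
// the body decodes as an image and CORP does not block it, else onerror.
function imgEventFromCrossSite(res) {
  const blocked = res.headers["cross-origin-resource-policy"] === "same-origin";
  const isImage = (res.headers["content-type"] || "").startsWith("image/");
  return isImage && !blocked ? "load" : "error";
}

// The request a cross-site <img src="..."> would produce (Fetch Metadata set by the browser).
function crossSiteImgRequest(path, cookie) {
  return { path, headers: { cookie, "sec-fetch-site": "cross-site", "sec-fetch-dest": "image" } };
}
```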