A new attack can de-anonymize users of any major browser.

Researchers have discovered a technique that uses fundamental features of the web to identify who visits a website, without the user being aware of it. Everyone from advertisers and marketers to government-backed hackers and spyware developers wants to be able to identify and track individuals across the internet. And even though an enormous amount of infrastructure already exists to do exactly that, the appetite for data, and for new means of capturing it, has proven insatiable.

In light of this, researchers from the New Jersey Institute of Technology issued a warning this week about a novel method that attackers could use to de-anonymize website visitors and potentially piece together various aspects of their targets' online activity.

The research, which the NJIT team will present at the Usenix Security Symposium in Boston next month, shows how an attacker who lures a victim into loading a malicious website can determine whether that victim controls a specific public identifier, such as an email address or social media account, thereby linking the visitor to a piece of potentially personal information.

A website can record your IP address when you visit it, but that alone may not be enough for the site owner to identify you specifically. Instead, the attack examines subtle details of a potential victim’s browser behaviour to determine whether they are signed in to an account on any of a variety of services, including Dropbox, Twitter, Facebook, TikTok, and YouTube. The attacks also work against all popular browsers, including the anonymity-focused Tor Browser.

Reza Curtmola, a professor of computer science at NJIT and one of the study’s authors, warns that as an ordinary internet user you might not give your privacy much thought when you visit an unrelated website. But other groups of internet users, such as those who organise and take part in political protest, journalists, and those who network with other members of their minority group, may be affected far more seriously. The stealthiness of these attacks also adds to their danger: you simply browse the website and are unaware that you have been exposed.

There is a real possibility that state-backed hackers and cyber-arms dealers would try to de-anonymize internet users. Researchers have seen cases in which attackers were able to identify specific users, but it wasn’t immediately clear how. A variety of techniques have been documented as being used in the wild.

However, much of that earlier work has focused on capturing sensitive data that leaks across websites when one service makes a request to another, as opposed to an attack like the one the NJIT researchers built. Those earlier findings led browser and website developers to improve how data is isolated and controlled when content loads, making those attack vectors less viable. But the researchers wanted to investigate alternative strategies, since they knew attackers are motivated to keep looking for ways to identify users.

“Imagine if a law enforcement organisation has secretly taken over a forum used by underground radicals or activists. They want to directly identify the forum users, but they are unable to do so since they use fake names. But suppose the agency also managed to compile a list of Facebook accounts that are thought to be associated with forum participants. Now, they could connect each forum visitor with a certain Facebook identity.”

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to the people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it. The attack works both ways.

The attacker then embeds that content on the malicious website and waits to see who visits. If the attacker can determine which visitors can (or cannot) load the embedded content, they can identify any visitor who is on the target list.

The attack relies on a number of things that most people probably take for granted.

A number of popular services, including Dropbox and YouTube, let users host content on the service’s servers and embed it on other websites. Regular users often have an account with these widely used services and, significantly, frequently stay logged in to them on their desktops or phones. Lastly, these platforms let users restrict who can view the content they post. For instance, you can configure your Dropbox account to privately share a video with a single person or a small group of people. Alternatively, you can post a video publicly on Facebook and block specific users from viewing it.

These “block” and “allow” settings are the key to the researchers’ finding that identities can be revealed. For instance, in the “allow” variant of the attack, the attackers privately share a photo on Google Drive with a Gmail address of interest, then embed that photo on their malicious website and lure the target there. When a visitor’s browser tries to load the photo via Google Drive, the attackers can accurately determine whether that visitor is authorised to view it, i.e., whether they control the email address in question.

Because of the privacy measures the major platforms already have in place, the attacker cannot directly check whether the site visitor was able to load the content. However, the NJIT researchers found that they could examine readily available data about the target’s browser and the behaviour of their processor while the request was being made, and from that infer whether the request had been allowed or blocked.

The method is known as a “side-channel attack” because the researchers found that, by training machine-learning algorithms to analyse seemingly irrelevant data about how the victim’s browser and device process the request, they could determine this accurately and reliably. Once the attacker knows that the one user they allowed to see the content has seen it (or that the one user they blocked has been blocked), they have de-anonymized the site visitor.

Even though it sounds complicated, the researchers caution that it would be straightforward to carry out once attackers had completed the necessary preparation. Each visitor to the malicious website could potentially be identified in a matter of seconds, and it would be next to impossible for an unsuspecting user to notice the breach. The researchers have built a browser extension for Chrome and Firefox that can block attacks of this kind, but they note that it can affect performance and isn’t supported by all browsers.

The researchers say that through an extensive disclosure process with multiple web services, browsers, and web standards bodies, they have started a wider conversation about how to properly address the problem. Chrome and Firefox have not yet made their responses public.

They also say that addressing the problem at the chip level would require substantial and perhaps impractical changes to the way CPUs are designed. However, they suggest that collective discussions through the World Wide Web Consortium or other venues may eventually lead to a comprehensive solution.