Follow Your Silhouette: Identifying the Social Account of Website Visitors through User-Blocking Side Channel

This paper presents a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked by another user. Our key insight is that an account prepared by an attacker can hold an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service; provided that the user is logged in to the service, this state can be retrieved as one bit of data through the conventional cross-site timing attack when the user visits the attacker's website. We generalize and refer to such a property as visibility control, which we consider the fundamental assumption of our attack. Building on this primitive, we show that an attacker with a set of controlled accounts can gain complete and flexible control over the data leaked through the side channel. Using this mechanism, we show that it is possible to design and implement a robust, large-scale user identification attack on a wide variety of social web services. To verify the feasibility of our attack, we perform an extensive empirical study using 16 popular social web services and demonstrate that at least 12 of these are vulnerable to our attack. Vulnerable services include not only popular social networking sites such as Twitter and Facebook, but also other types of web services that provide social features, e.g., eBay and Xbox Live. We also demonstrate that the attack can achieve nearly 100% accuracy and can finish within a sufficiently short time in a practical setting. We discuss the fundamental principles, practical aspects, and limitations of the attack as well as possible defenses. We have successfully addressed this attack by collaborating with service providers and browser vendors.
key words: web security and privacy, side channel, user identification
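The visibility-control primitive described in the abstract, as an added toy model that is not the paper's artifact: each attacker-controlled account contributes one bit (blocked / not blocked) to what a logged-in visitor's cross-site request reveals, and the leak disappears when the browser withholds the session cookie on cross-site requests (a cookie-isolation defense such as SameSite, assumed here as an illustration rather than the specific defense the abstract refers to). The service, accounts and cookie format are constructed.

```python
"""Toy model of the user-blocking side channel and a cookie-isolation mitigation.
Constructed example; all accounts, cookies and page sizes are made up."""
from dataclasses import dataclass, field


@dataclass
class SocialService:
    blocks: dict = field(default_factory=dict)    # blocker -> set of blocked users
    sessions: dict = field(default_factory=dict)  # cookie value -> logged-in user

    def login(self, user):
        cookie = f"sess-{user}"          # constructed session cookie
        self.sessions[cookie] = user
        return cookie

    def set_block(self, blocker, target, blocked):
        s = self.blocks.setdefault(blocker, set())
        if blocked:
            s.add(target)
        else:
            s.discard(target)

    def profile_page(self, owner, cookie):
        """Visibility control: a blocked viewer gets a different (much smaller) page."""
        viewer = self.sessions.get(cookie)
        if viewer is not None and viewer in self.blocks.get(owner, set()):
            return "blocked"               # short response
        return "full profile " * 40        # long response; size/time is observable


def cross_site_fetch(service, owner, browser_cookie, isolate_cookie):
    """The visitor's browser fetches an account page from a third-party site.
    With cookie isolation the request is unauthenticated, so block state is invisible."""
    sent_cookie = None if isolate_cookie else browser_cookie
    return len(service.profile_page(owner, sent_cookie))


def leaked_bits(service, attacker_accounts, visitor_cookie, isolate_cookie):
    """One bit per attacker account: does the account block the visitor? (True = blocked)"""
    return tuple(cross_site_fetch(service, a, visitor_cookie, isolate_cookie) < 100
                 for a in attacker_accounts)


def demo(isolate_cookie):
    svc = SocialService()
    attackers = ["atk0", "atk1", "atk2"]      # constructed attacker accounts
    visitor_cookie = svc.login("alice")
    for acct, bit in zip(attackers, (1, 0, 1)):  # block state chosen per account
        svc.set_block(acct, "alice", bool(bit))
    return leaked_bits(svc, attackers, visitor_cookie, isolate_cookie)
```

Without isolation the three responses reproduce the per-account block states exactly; with isolation every response is the unauthenticated page and no bit is recoverable.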
