A new attack can reveal the identity of anonymous users on any major browser
Researchers from the New Jersey Institute of Technology (NJIT) claim to have discovered a new “cache side-channel attack” technique that could be used to identify visitors to a specific website, even if they take steps to remain anonymous.
In order to carry out the targeted cache-based de-anonymization attack, an attacker must control a malicious website and have a list of target accounts on resource-sharing services such as Google Drive, Dropbox, YouTube, Twitter, Facebook or TikTok. These services allow users to block or grant access to content for specific people.
The attacker then hosts a resource, such as an image or video, on the content-sharing site and sets permissions to either allow or prevent the targeted accounts from viewing it; the attack works both ways.
The next step is to embed the aforementioned content on their malicious website and then trick the victim into visiting the website and clicking on the content. This causes the shared resource to load as a popup or browser tab, or to fail, depending on the permissions set. Either way, the attacker can tell with certainty whether the visitor was on their target list.
It is important to note that the de-anonymization technique only works if the targeted user is already logged into the service.
“An attacker who has full or partial control over a website can tell if a specific target (i.e. a unique individual) is browsing the website,” the researchers said.
“The attacker only knows this target through a public identifier, such as an email address or a Twitter handle.”
In a hypothetical situation, a malicious actor can share a video from Google Drive to a target’s email address before placing the video on the webpage that is used to lure the victim. The successful loading of the video could therefore be used to determine if a victim is among the visitors to the site.
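One server-side hardening a resource-sharing service could apply against the mechanism just described, as an added example that is not from the article or the NJIT researchers (their mitigation is a browser extension): serve every cross-site load of a shared resource with a constant reply that does not depend on the visitor's access rights, using the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Dest) that current browsers attach to requests. The handler, its parameters and the sample values are assumptions about such a service, not any real product's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes


# Constant replies. Neither consults the allow/block list, so an attacker's page
# that embeds or pops open the resource observes the same outcome for every visitor.
OPAQUE_EMBED = Response(403, b"shared resources cannot be embedded from other sites")
INTERSTITIAL = Response(200, b"<a href='?open=1'>Open shared item</a>")  # click is same-site
DENIED = Response(403, b"you do not have access to this item")


def handle_shared_resource(headers: dict, visitor_allowed: bool, resource: bytes) -> Response:
    """Reply to one request for a shared resource (hypothetical service handler).

    headers         -- request headers; only the Fetch Metadata ones are used
    visitor_allowed -- the service's real access decision for the logged-in visitor
    resource        -- the actual content bytes
    """
    site = headers.get("Sec-Fetch-Site", "").lower()
    dest = headers.get("Sec-Fetch-Dest", "").lower()

    # Same-site or user-initiated (typed URL, bookmark) requests are not under an
    # attacker page's control: apply the real access decision here.
    if site in ("same-origin", "same-site", "none"):
        return Response(200, resource) if visitor_allowed else DENIED

    # A top-level navigation from another site (link, popup, new tab): show a
    # constant interstitial instead of the resource. The follow-up click is a
    # same-site request and is decided above, after a user gesture.
    if site == "cross-site" and dest == "document":
        return INTERSTITIAL

    # Cross-site subresource loads (image, video, iframe, ...) and requests with no
    # Fetch Metadata at all (older browsers; fail closed) get one opaque reply.
    return OPAQUE_EMBED


def response_depends_on_identity(headers: dict, resource: bytes = b"sample") -> bool:
    """Self-check of the property that closes the leak: does this request context
    get different replies for an allowed visitor and a blocked one?"""
    return handle_shared_resource(headers, True, resource) != handle_shared_resource(headers, False, resource)
```

Failing closed on missing Fetch Metadata breaks browsers that do not send it, so a real deployment would fall back to Origin/Referer checks rather than rejecting outright.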
The researchers claim that the new attack technique has been tested on popular websites such as Facebook, Instagram, LinkedIn, Reddit, TikTok, Twitter and YouTube, as well as on well-known browsers such as Chrome, Firefox, Safari and even the high-security Tor Browser.
“If you’re an average internet user, you might not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study’s authors and a professor of computer science at NJIT.
“But certain categories of internet users may be more affected by this, such as people who organize and participate in political protests, journalists and people who network with other members of their minority group. And what makes these types of attacks dangerous is that they’re very stealthy. You just visited the website and you have no idea you’ve been exposed.”
In January 2022, Curtmola informed the creators of Google Chrome, Apple Safari and Mozilla Firefox, which together account for around 90% of all browsers installed on personal computers, of the security flaw. However, nothing has been done to fix the problem since then.
According to Curtmola, the problem is difficult to solve and engineers from major websites still don’t know how to go about it.
As a mitigation, the researchers created a browser extension for Chrome and Firefox that can stop such attacks. However, they point out that the extension may affect performance and is not available for all browsers.
The best defense would be to log out of the affected services after using them.