Recently, the Electronic Frontier Foundation (EFF) and the International Secure Systems Lab (iSec Lab) have publicized methods of de-anonymization. The EFF released a tool to demonstrate de-anonymization via browser fingerprinting, while a iSec Lab paper was featured in Heise Security that discusses the authors’ attempts to use browser history and the unique properties of social networks to identify individuals. The threats to user privacy continue to grow more evident and sophisticated.
- Enumerate all of the groups in a social network, and store their unique URLs
- Correlate members of groups to the groups themselves
- Create a webpage that performs history stealing
- Check for the “visited” property for thousands of group URLs for a given social network when the user visits the webpage
- Identify the user by matching the groups they belong to (as indicated by the groups they have visited) with the set of users who belong to all of those groups
- If necessary, produce a second set of URLs, such as a private landing page link that includes a username, to narrow down a small set of possible users to a specific user. If a page that is restricted to an authenticated user is checked for visitation history, the attacker can be reasonably certain that the user is identified
In fact, step 6 could be particularly useful in any targeted identification attack. If an attacker has a small set of possible users that is likely to contain a targeted victim, the attacker could use a short list of guesses to private profile pages in an attempt to find a definite identity. And, although iSec Lab focused on group membership, it may be possible to use other associations (including friend lists) to accomplish the same attack. With over 300 million users, Facebook’s decision to publish friend lists openly by default could allow many individuals’ friend lists to be publicly crawled, indexed, and used as a method to perform de-anonymization.