01-06-2013, 02:20 PM
A Practical Attack to De-Anonymize Social Network Users
Abstract
Social networking sites such as Facebook,
LinkedIn, and Xing have been reporting exponential growth
rates. These sites have millions of registered users, and they are
interesting from a security and privacy point of view because
they store large amounts of sensitive personal user data.
In this paper, we introduce a novel de-anonymization attack
that exploits group membership information that is available
on social networking sites. More precisely, we show that
information about the group memberships of a user (i.e.,
the groups of a social network to which a user belongs) is
often sufficient to uniquely identify this user, or, at least, to
significantly reduce the set of possible candidates. To determine
the group membership of a user, we leverage well-known
web browser history stealing attacks. Thus, whenever a social
network user visits a malicious website, this website can launch
our de-anonymization attack and learn the identity of its
visitors.
INTRODUCTION
Social networking sites such as Facebook, LinkedIn, Twitter,
and Xing have been increasingly gaining in popularity
[1]. In fact, Facebook has been reporting growth rates as
high as 3% per week, with more than 300 million registered
users as of September 2009 [2]. Furthermore, this site has
more than 30 billion page views per month, and it is reported
to be the largest photo storage site on the web with over one
billion uploaded photos. Clearly, popular social networking
sites are critical with respect to security and especially
privacy due to their very large user base.
BACKGROUND
In this section, we provide a brief introduction to the
background concepts to allow the reader to better understand
our attack. We first present a model of social networks, and
define the terminology we use within this paper. We then
list our assumptions about the attacker. We continue with an
overview of the common structure of social networks, and
discuss the aspects of this structure that we exploit. Finally,
we explain why social networks are commonly prone to
history stealing attacks.
Structure of Social Networking Sites
1) Overview:
Most social networking sites share the
same basic structure. Each user v within the network has
a profile p_v that contains (partially sensitive) information.
This information, for example, can be the user’s full name,
photographs, date of birth, relationship status, former and
current employers, and education. One of the core technical
components of a social network is its website, and the
underlying web application. The web application provides
the main functionalities of the social network. This functionality
often comprises features that allow a web visitor to
become a member, to edit personal profiles, to view other
user profiles, or to join groups. To become a member of a
social network, users can sign up at the website. This process
usually only requires a valid e-mail address for verification
purposes.
History Stealing
History stealing is a known attack in which a malicious
website can extract the browsing history of a visitor. One
of the first descriptions of this attack dates back to the
year 2000 [10], and the technique was re-discovered several
times in recent years (e.g., [11], [12]). The core
observation behind this attack is the fact that a web browser
treats hyperlinks differently depending on whether or not a
hyperlink was previously accessed by a user. This means
that a browser implements the function v(p) (that is, the
browser implicitly checks whether a target URL p is in the
browsing history v).
Basic Attack
As mentioned in the previous section, certain dynamic hyperlinks
contain explicit information about individual groups
g ∈ G and users v ∈ V within a given social network S.
An attacker can take advantage of this fact by using history
stealing to probe for URLs that encode user information. In
particular, the attacker can probe for a URL that contains
an identifier of user v. When a link is found that contains
this identifier for v, then the attacker can reasonably assume
that the browser was used by v in the past to access the
user-specific URL.
Possible Attack Scenarios
De-anonymizing website visitors allows an adversary to
launch targeted attacks against unsuspecting victims. Such
attacks could be targeted phishing attempts [13], or could
support social engineering efforts to spread malware (e.g.,
a message such as “Hello Mr. Gerald Stonart, we have
discovered that your computer is infected. Please download
and install this file.” might be displayed to Mr. Stonart). In
addition, many people in political or corporate environments
use social networks for professional communication (e.g.,
LinkedIn). Identifying these “high value” targets might be
advantageous for the operator of a malicious website, revealing
sensitive information about these individuals. For example,
a politician or business operator might find it interesting
to identify and de-anonymize any (business) competitors
checking her website. Furthermore, our attack is a huge
privacy breach: any website can determine the identity of
a visitor, even if the victim uses techniques such as onion
routing [14] to access the website – the browser nevertheless
keeps the visited websites in the browsing history.
Of course, analogous to the situation where attackers
compromise and abuse legitimate websites for drive-by
downloads, the de-anonymization technique presented in this
work can be used in a large-scale setup. That is, an attacker
could abuse several compromised (but otherwise legitimate)
websites as a vehicle for a de-anonymization attack.
DE-ANONYMIZATION ATTACKS
With the background concepts introduced in the previous
section, we now present our attack in more detail. We first
introduce a basic variation of the attack, which is not feasible
in practice. We then show how this basic approach can
be refined to work for real-world social networks. Finally,
we discuss how group membership information, a critical
component for the advanced attack, can be obtained with a
reasonable (limited) amount of resources.
Client-side Mitigation
On the client-side, history stealing is more difficult to
fix without sacrificing functionality. Obviously, the goal
is to prevent browsers from leaking sensitive and private
information via style information. As a solution, browsers
could generally restrict client-side scripts from accessing the
CSS properties of hyperlinks. Unfortunately, this could also
break existing websites that legitimately do so.
In [6], the authors offer a clever solution by extending
the same-origin concept of web browsers to visited links.
Unfortunately, so far, none of the published countermeasures
to history sniffing have experienced widespread adoption,
either on the server or on the client side.
CONCLUSION
In this paper, we introduce a novel, practical de-anonymization
attack that makes use of the group information
in social networking sites. Using empirical, real-world
experiments, we show that the group membership of
a user in a social network (i.e., the groups within a social
network in which a user is a member), may reveal enough
information about an individual user to identify her when
visiting web pages from third parties.
The implications of the attack we present are manifold.
The attack requires a low effort, and has the potential to
affect millions of registered social networking users who
have group memberships.
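
The claim that group memberships identify a user, or at least shrink the set of candidates, is something a site operator can measure on its own membership data. The following is an added example, not code from the paper: the group names, user ids and function names are constructed for illustration, and the candidate set is taken to be all users who belong to every known group.

```python
# Added example: anonymity-set audit of group membership data.
# Constructed sample data: group -> set of member ids (not from the paper).
GROUPS = {
    "chess-club":  {"u1", "u2", "u3", "u4"},
    "alumni-2005": {"u1", "u2", "u5"},
    "python-devs": {"u1", "u3", "u5", "u6"},
    "hiking":      {"u2", "u4"},
}
ALL_USERS = {"u1", "u2", "u3", "u4", "u5", "u6", "u7"}  # u7 is in no group


def fingerprints(groups, users):
    """Map each user to the frozenset of groups they belong to."""
    fp = {u: set() for u in users}
    for group, members in groups.items():
        for u in members:
            fp[u].add(group)
    return {u: frozenset(s) for u, s in fp.items()}


def candidate_set(groups, users, known_groups):
    """Users consistent with membership in every known group.

    With no known groups nothing is ruled out, so every user remains.
    An unknown group name matches nobody and empties the set.
    """
    candidates = set(users)
    for group in known_groups:
        candidates &= groups.get(group, set())
    return candidates


def anonymity_report(groups, users):
    """Per user: candidate-set size when all of that user's groups are known."""
    fp = fingerprints(groups, users)
    return {u: len(candidate_set(groups, users, fp[u])) for u in sorted(users)}


def unique_fraction(report):
    """Share of users whose group fingerprint leaves exactly one candidate."""
    return sum(1 for size in report.values() if size == 1) / len(report)


if __name__ == "__main__":
    report = anonymity_report(GROUPS, ALL_USERS)
    for user, size in report.items():
        print(f"{user}: {size} candidate(s)")
    print(f"uniquely identified: {unique_fraction(report):.0%}")
```

A candidate-set size of 1 means the user's group list alone singles them out; larger values show how much cover the membership data still provides.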