Skip to Content

Your Groups Tell Hackers Who You Are

A malicious site can find out what social-networking groups you belong to–and then figure out your identity.
July 23, 2010

People often get categorized by social group–jock, geek, soccer mom. The same is true for our online identities: If you have an account on Facebook or LinkedIn, you might also belong to several groups on each site.

Now researchers at the Vienna Institute of Technology, Institut Eurecom and UC Santa Barbara have found a way that malicious websites could find out what groups you belong to, and use that information to identify you. Such websites could use the trick for identity theft or to craft personalized scams.

The researchers found that a malicious site could “capture” a person’s social networking groups from his browser with a trick known as history stealing. By cross-referencing these groups, they could reveal someone’s social-network profile–and therefore their real-life identity–42 percent of the time. This means that an otherwise anonymous Web user could be identified correctly by a malicious site simply because the user visited that site.

“The browser can ask if these guys are a member of the iPhone group or the PC security group or the XYZ group, and by calculating intersections, we can identify them in many cases,” says Gilbert Wondracek, a postdoctoral candidate in computer science at the Vienna Institute of Technology, who led the work.

Facebook, MySpace, LinkedIn, and others major social networks let anyone see who belongs to certain groups. Other attributes can group people together as well. For example, Facebook not only has groups but also lets users express whether they “like” certain links or content.

Most people join these groups without thinking of how it might affect their privacy, says Elena Zheleva, a PhD candidate at the University of Maryland who has researched privacy issues and social networks. “People don’t think about it, but groups are one way that information is transferred about a person,” she says.

This would hardly matter if not for a well-known attack that lets a website check whether certain links are in a visitor’s browser history. This so-called history stealing involves checking to see if a user has visited a particular link. Using history stealing, an attacker can use a snippet of code on a website to ask a visitor’s browser if they have visited certain links. The technique can check thousands of links per second. Wondracek and colleagues used history stealing to find which groups people belonged on the social network Xing by checking to see if their history contained a link to the group’s page.

“It’s a perfect use of the history hack,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security.

Most social networks provide relatively simple Web links for groups so that users can share them easily, says Wondracek. “Social networks have a hard time defeating this,” by making links more obscure, he says, because that would make them harder to share.

Browser makers have started to tackle history stealing by limiting the number of links a site can check every second. However, the attack, “will work, and will continue to work until most of the world upgrades their browsers to the latest version,” Grossman says.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.