Your Groups Tell Hackers Who You Are

A malicious site can find out what social-networking groups you belong to–and then figure out your identity.
July 23, 2010

People often get categorized by social group–jock, geek, soccer mom. The same is true for our online identities: If you have an account on Facebook or LinkedIn, you might also belong to several groups on each site.

Now researchers at the Vienna Institute of Technology, Institut Eurecom and UC Santa Barbara have found a way that malicious websites could find out what groups you belong to, and use that information to identify you. Such websites could use the trick for identity theft or to craft personalized scams.

The researchers found that a malicious site could “capture” a person’s social networking groups from his browser with a trick known as history stealing. By cross-referencing these groups, they could reveal someone’s social-network profile–and therefore their real-life identity–42 percent of the time. This means that an otherwise anonymous Web user could be identified correctly by a malicious site simply because the user visited that site.

“The browser can ask if these guys are a member of the iPhone group or the PC security group or the XYZ group, and by calculating intersections, we can identify them in many cases,” says Gilbert Wondracek, a postdoctoral candidate in computer science at the Vienna Institute of Technology, who led the work.

Facebook, MySpace, LinkedIn, and other major social networks let anyone see who belongs to certain groups. Other attributes can group people together as well. For example, Facebook not only has groups but also lets users express whether they “like” certain links or content.

Most people join these groups without thinking of how it might affect their privacy, says Elena Zheleva, a PhD candidate at the University of Maryland who has researched privacy issues and social networks. “People don’t think about it, but groups are one way that information is transferred about a person,” she says.

This would hardly matter if not for a well-known attack that lets a website check whether certain links are in a visitor’s browser history. This so-called history stealing involves checking to see whether a user has visited a particular link. Using history stealing, an attacker can place a snippet of code on a website that asks a visitor’s browser whether it has visited certain links. The technique can check thousands of links per second. Wondracek and colleagues used history stealing to find which groups people belonged to on the social network Xing by checking whether their history contained a link to the group’s page.
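The privacy risk in the paragraph above is an intersection problem: once a site learns which public group pages a visitor has opened, it only has to ask which members of the network belong to all of those groups at once. The following script, an added example that is not from the researchers or from this article, works that calculation the other way round, as a site operator or privacy auditor would: given a public membership directory, it reports for each user how many other members share the same group combination (the user's anonymity set), and what fraction of users are singled out by their group list alone. The directory and the user and group names are constructed for the example; the functions generalize to any observed subset of groups, including the case where nothing was observed.

```python
from collections import Counter

# Constructed sample directory: user id -> public groups that user belongs to.
# On a real network this would be the publicly visible member lists.
MEMBERSHIPS = {
    "alice": {"iphone", "pc-security", "xyz"},
    "bob": {"iphone", "pc-security"},
    "carol": {"iphone", "xyz"},
    "dave": {"iphone", "pc-security"},
    "erin": {"pc-security", "xyz", "hiking"},
    "frank": {"hiking"},
    "grace": {"hiking"},
}


def candidates(memberships, observed_groups):
    """Users whose public memberships include every observed group.

    This is the set intersection the article describes. An empty observation
    (no group pages found in the history) constrains nothing, so every user
    remains a candidate.
    """
    result = set(memberships)
    for group in observed_groups:
        result &= {user for user, groups in memberships.items() if group in groups}
    return result


def anonymity_set_sizes(memberships):
    """Size of each user's candidate set if all of their groups were observed."""
    return {user: len(candidates(memberships, groups))
            for user, groups in memberships.items()}


def anonymity_distribution(memberships):
    """How many users sit in an anonymity set of size k, for each k (k=1 means unique)."""
    return Counter(anonymity_set_sizes(memberships).values())


def fraction_uniquely_identifiable(memberships):
    """Share of users whose full group combination matches nobody else."""
    sizes = anonymity_set_sizes(memberships)
    return sum(1 for size in sizes.values() if size == 1) / len(sizes)


if __name__ == "__main__":
    for user, size in sorted(anonymity_set_sizes(MEMBERSHIPS).items()):
        print(f"{user:6s} anonymity set size = {size}")
    print("distribution:", dict(anonymity_distribution(MEMBERSHIPS)))
    print(f"uniquely identifiable: {fraction_uniquely_identifiable(MEMBERSHIPS):.0%}")
```

Running it on the constructed directory shows that two of the seven users (those with three groups each) are singled out by their group combination alone, while the single-group users hide among three members. The same measurement gives a network operator a concrete number to watch when deciding whether group member lists should be public.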

“It’s a perfect use of the history hack,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security.

Most social networks provide relatively simple Web links for groups so that users can share them easily, says Wondracek. “Social networks have a hard time defeating this,” by making links more obscure, he says, because that would make them harder to share.

Browser makers have started to tackle history stealing by limiting the number of links a site can check every second. However, the attack “will work, and will continue to work until most of the world upgrades their browsers to the latest version,” Grossman says.
