Skip to Content
Uncategorized

Your Groups Tell Hackers Who You Are

A malicious site can find out what social-networking groups you belong to–and then figure out your identity.
July 23, 2010

People often get categorized by social group–jock, geek, soccer mom. The same is true for our online identities: If you have an account on Facebook or LinkedIn, you might also belong to several groups on each site.

Now researchers at the Vienna Institute of Technology, Institut Eurecom and UC Santa Barbara have found a way that malicious websites could find out what groups you belong to, and use that information to identify you. Such websites could use the trick for identity theft or to craft personalized scams.

The researchers found that a malicious site could “capture” a person’s social networking groups from his browser with a trick known as history stealing. By cross-referencing these groups, they could reveal someone’s social-network profile–and therefore their real-life identity–42 percent of the time. This means that an otherwise anonymous Web user could be identified correctly by a malicious site simply because the user visited that site.

“The browser can ask if these guys are a member of the iPhone group or the PC security group or the XYZ group, and by calculating intersections, we can identify them in many cases,” says Gilbert Wondracek, a postdoctoral candidate in computer science at the Vienna Institute of Technology, who led the work.

Facebook, MySpace, LinkedIn, and others major social networks let anyone see who belongs to certain groups. Other attributes can group people together as well. For example, Facebook not only has groups but also lets users express whether they “like” certain links or content.

Most people join these groups without thinking of how it might affect their privacy, says Elena Zheleva, a PhD candidate at the University of Maryland who has researched privacy issues and social networks. “People don’t think about it, but groups are one way that information is transferred about a person,” she says.

This would hardly matter if not for a well-known attack that lets a website check whether certain links are in a visitor’s browser history. This so-called history stealing involves checking to see if a user has visited a particular link. Using history stealing, an attacker can use a snippet of code on a website to ask a visitor’s browser if they have visited certain links. The technique can check thousands of links per second. Wondracek and colleagues used history stealing to find which groups people belonged on the social network Xing by checking to see if their history contained a link to the group’s page.

“It’s a perfect use of the history hack,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security.

Most social networks provide relatively simple Web links for groups so that users can share them easily, says Wondracek. “Social networks have a hard time defeating this,” by making links more obscure, he says, because that would make them harder to share.

Browser makers have started to tackle history stealing by limiting the number of links a site can check every second. However, the attack, “will work, and will continue to work until most of the world upgrades their browsers to the latest version,” Grossman says.

Deep Dive

Uncategorized

Uber Autonomous Vehicles parked in a lot
Uber Autonomous Vehicles parked in a lot

It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.

If they ever hit our roads for real, other drivers need to know exactly what they are.

stock art of market data
stock art of market data

Maximize business value with data-driven strategies

Every organization is now collecting data, but few are truly data driven. Here are five ways data can transform your business.

Cryptocurrency fuels new business opportunities

As adoption of digital assets accelerates, companies are investing in innovative products and services.

Mifiprex pill
Mifiprex pill

Where to get abortion pills and how to use them

New US restrictions could turn abortion into do-it-yourself medicine, but there might be legal risks.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.