Skip to Content

Your Groups Tell Hackers Who You Are

A malicious site can find out what social-networking groups you belong to–and then figure out your identity.
July 23, 2010

People often get categorized by social group–jock, geek, soccer mom. The same is true for our online identities: If you have an account on Facebook or LinkedIn, you might also belong to several groups on each site.

Now researchers at the Vienna Institute of Technology, Institut Eurecom and UC Santa Barbara have found a way that malicious websites could find out what groups you belong to, and use that information to identify you. Such websites could use the trick for identity theft or to craft personalized scams.

The researchers found that a malicious site could “capture” a person’s social networking groups from his browser with a trick known as history stealing. By cross-referencing these groups, they could reveal someone’s social-network profile–and therefore their real-life identity–42 percent of the time. This means that an otherwise anonymous Web user could be identified correctly by a malicious site simply because the user visited that site.

“The browser can ask if these guys are a member of the iPhone group or the PC security group or the XYZ group, and by calculating intersections, we can identify them in many cases,” says Gilbert Wondracek, a postdoctoral candidate in computer science at the Vienna Institute of Technology, who led the work.

Facebook, MySpace, LinkedIn, and others major social networks let anyone see who belongs to certain groups. Other attributes can group people together as well. For example, Facebook not only has groups but also lets users express whether they “like” certain links or content.

Most people join these groups without thinking of how it might affect their privacy, says Elena Zheleva, a PhD candidate at the University of Maryland who has researched privacy issues and social networks. “People don’t think about it, but groups are one way that information is transferred about a person,” she says.

This would hardly matter if not for a well-known attack that lets a website check whether certain links are in a visitor’s browser history. This so-called history stealing involves checking to see if a user has visited a particular link. Using history stealing, an attacker can use a snippet of code on a website to ask a visitor’s browser if they have visited certain links. The technique can check thousands of links per second. Wondracek and colleagues used history stealing to find which groups people belonged on the social network Xing by checking to see if their history contained a link to the group’s page.

“It’s a perfect use of the history hack,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security.

Most social networks provide relatively simple Web links for groups so that users can share them easily, says Wondracek. “Social networks have a hard time defeating this,” by making links more obscure, he says, because that would make them harder to share.

Browser makers have started to tackle history stealing by limiting the number of links a site can check every second. However, the attack, “will work, and will continue to work until most of the world upgrades their browsers to the latest version,” Grossman says.

Keep Reading

Most Popular

The inside story of how ChatGPT was built from the people who made it

Exclusive conversations that take us behind the scenes of a cultural phenomenon.

ChatGPT is about to revolutionize the economy. We need to decide what that looks like.

New large language models will transform many jobs. Whether they will lead to widespread prosperity or not is up to us.

Sam Altman invested $180 million into a company trying to delay death

Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.

GPT-4 is bigger and better than ChatGPT—but OpenAI won’t say why

We got a first look at the much-anticipated big new language model from OpenAI. But this time how it works is even more deeply under wraps.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.