Your Groups Tell Hackers Who You Are

People often get categorized by social group–jock, geek, soccer mom. The same is true for our online identities: If you have an account on Facebook or LinkedIn, you might also belong to several groups on each site.

Now researchers at the Vienna Institute of Technology, Institut Eurecom and UC Santa Barbara have found a way that malicious websites could find out what groups you belong to, and use that information to identify you. Such websites could use the trick for identity theft or to craft personalized scams.

The researchers found that a malicious site could “capture” a person’s social networking groups from his browser with a trick known as history stealing. By cross-referencing these groups, they could reveal someone’s social-network profile–and therefore their real-life identity–42 percent of the time. This means that an otherwise anonymous Web user could be identified correctly by a malicious site simply because the user visited that site.

“The browser can ask if these guys are a member of the iPhone group or the PC security group or the XYZ group, and by calculating intersections, we can identify them in many cases,” says Gilbert Wondracek, a postdoctoral candidate in computer science at the Vienna Institute of Technology, who led the work.

Facebook, MySpace, LinkedIn, and others major social networks let anyone see who belongs to certain groups. Other attributes can group people together as well. For example, Facebook not only has groups but also lets users express whether they “like” certain links or content.

Most people join these groups without thinking of how it might affect their privacy, says Elena Zheleva, a PhD candidate at the University of Maryland who has researched privacy issues and social networks. “People don’t think about it, but groups are one way that information is transferred about a person,” she says.

This would hardly matter if not for a well-known attack that lets a website check whether certain links are in a visitor’s browser history. This so-called history stealing involves checking to see if a user has visited a particular link. Using history stealing, an attacker can use a snippet of code on a website to ask a visitor’s browser if they have visited certain links. The technique can check thousands of links per second. Wondracek and colleagues used history stealing to find which groups people belonged on the social network Xing by checking to see if their history contained a link to the group’s page.

“It’s a perfect use of the history hack,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security.

Most social networks provide relatively simple Web links for groups so that users can share them easily, says Wondracek. “Social networks have a hard time defeating this,” by making links more obscure, he says, because that would make them harder to share.

Browser makers have started to tackle history stealing by limiting the number of links a site can check every second. However, the attack, “will work, and will continue to work until most of the world upgrades their browsers to the latest version,” Grossman says.