Google Blogoscoped

Wednesday, February 3, 2010

Finding Out a Visitor’s Name by Checking Their Social Network Browser History

In A Practical Attack to De-Anonymize Social Network Users, the authors write:

In this paper, we introduce a novel de-anonymization attack against users of social networking sites. In particular, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user. When unique identification is not possible, then the attack might still significantly reduce the size of the set of candidates that the victim belongs to.

To make the de-anonymization attack practical, we present a way in which an adversary can learn information about the group memberships of a user who is just browsing the web. To do this, an attacker can leverage the well-known technique of history stealing ... More precisely, using history stealing, an attacker can probe the browser history of a victim for certain URLs that reveal group memberships on a social network. By combining this information with previously collected group membership data from the social network, it is possible to de-anonymize any user (of this social network) who visits the attacker’s website. In some cases, this allows an attacker who operates a malicious website to uniquely identify his visitors by their name (or, more precisely, the names used on the corresponding social network profiles).

The authors argue that once you get a group fingerprint of a person – that is, “only a single user in the social network is a member of exactly these groups” – they’d be able to precisely identify 42% of the users of the tested social network, Xing. Furthermore:

For one million users, we can narrow down the candidate set to less than 32 users, and for 90% of all users, the candidate set is reduced from initially ~1.8 million to less than 2,912 users. These results show that one can significantly narrow down the search space of candidates (who are then compared against the victim, one by one, using the basic attack).

[Via Spiegel.]
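
To make the "group fingerprint" and "candidate set" ideas concrete, here is an added example (not code from the paper or from this blog) that a site operator could use to measure how identifying group memberships are in their own data. The user names, group names and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data: user -> set of groups (not from the paper or from Xing).
MEMBERSHIPS = {
    "u1": {"python", "berlin-startups", "chess"},
    "u2": {"python", "berlin-startups"},
    "u3": {"python", "berlin-startups"},
    "u4": {"python"},
    "u5": {"chess", "sailing"},
    "u6": set(),  # member of no group: has no fingerprint at all
}

def fingerprint_counts(memberships):
    """Count how many users share each exact, non-empty set of groups."""
    return Counter(frozenset(g) for g in memberships.values() if g)

def unique_fraction(memberships):
    """Fraction of all users whose exact group set belongs to nobody else."""
    counts = fingerprint_counts(memberships)
    unique = sum(1 for g in memberships.values() if g and counts[frozenset(g)] == 1)
    return unique / len(memberships)

def candidate_set(memberships, observed):
    """Users consistent with an observation: members of every observed group.

    An observer learns which groups someone is in, not which they are absent
    from, so any user whose groups are a superset of `observed` stays a candidate.
    """
    observed = set(observed)
    if not observed:
        return set(memberships)  # nothing observed, nobody ruled out
    return {u for u, g in memberships.items() if observed <= g}

def anonymity_report(memberships):
    """Per-user candidate-set size if all of that user's groups were observed."""
    return {u: len(candidate_set(memberships, g)) for u, g in memberships.items()}

def at_risk(memberships, k):
    """Users whose candidate set is smaller than k (a k-anonymity style check)."""
    return sorted(u for u, n in anonymity_report(memberships).items() if n < k)

if __name__ == "__main__":
    print("unique fingerprints:", unique_fraction(MEMBERSHIPS))
    print("candidate-set sizes:", anonymity_report(MEMBERSHIPS))
    print("users with fewer than 2 candidates:", at_risk(MEMBERSHIPS, 2))
```

Note that `u4` has a unique exact fingerprint but still a candidate set of four, because an observer cannot see the groups a user has not joined; this is why the two measures differ.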

