Researchers from the New Jersey Institute of Technology (NJIT) have issued a warning about a novel method that could be used to circumvent anonymity protections and identify a unique website visitor.
An attacker who controls a website can learn whether a visitor is a specific target (such as a single person), even when that target is known to the attacker only by a public identifier such as an email address or Twitter handle.
Cross-site leak: the cache-based targeted deanonymization attack uses a service such as Google Drive, Dropbox, or YouTube to share a resource with the target and then embeds that resource into the attacker's website; this is a cross-site leak.
For example, the victim's email address or service username can be used to share a leaky resource privately, and an <iframe> HTML tag can then be used to embed that resource in the attacker's page.
Once the victim has been tricked into visiting the malicious website and clicking on the above-mentioned content, the shared resource is loaded in a pop-under window (as opposed to a pop-up) or a browser tab, the same technique advertisers use to sneak ads in.
The exploit page, rendered by the visitor's browser, checks whether the visitor is able to access the shared resource; a visitor who can is confirmed as the intended target.
Because a piece of shared content is tied to a user's social media account or email address, the attacker can link a website visitor to the list of accounts belonging to that person and thereby identify the visitor.
For example, a bad actor could share a video hosted on Google Drive with the target's Gmail address and then embed that video into the lure website. When visitors arrive at the site, whether the video loads successfully tells the attacker if the victim is among them.
By employing a cache-based side channel, the attacks can distinguish targeted from non-targeted users on both desktop and mobile systems, across multiple CPU microarchitectures and different web browsers.
In other words, the attack looks for small differences in response time that arise because the web server answers at different speeds depending on whether the user is authorized to access the shared resource.
A second set of differences, on the client side, is also taken into account: the web browser renders either the actual content or an error page depending on the response it received, and that rendering differs too.
A server-side timing difference and a client-side rendering difference are the main causes of the observed side channel leakage differences between targeted and non-targeted users, the researchers said.
Most well-known services, including Google Drive, Dropbox, and OneDrive, were found to be vulnerable, but Apple iCloud was found to be impervious to the attack.
An important point to keep in mind is that the de-anonymization method relies on the targeted user having an existing account with the service. As a form of mitigation, the researchers have released Leakuidator+, a browser extension that can be installed on Chrome, Firefox, and Tor browsers.
Owners of websites are advised to design their web servers to return their responses in constant time, regardless of whether a user is authorized to access the shared resource, in order to minimize differences that an attacker can observe between the response timing and rendering.
Websites should also require user interaction before content is rendered, researchers said. "As an example, if an authorized user was going to be shown a video, the error page should also be made to show a video," they said.
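To make the two server-side recommendations above concrete, here is an added example (not code from the NJIT researchers or from any of the services named) of a toy share-serving handler in its naive form and in a hardened form. The naive handler answers quickly with a 403 HTML error for unauthorized visitors and slowly with a video for authorized ones, so both timing and rendering differ. The hardened handler returns the same status, content type and page shape on both paths, and holds the response until a fixed deadline so the authorization check no longer shows in the timing. The sharing table, account names, paths and the RESPONSE_BUDGET_S value are constructed assumptions.

```python
import time
from dataclasses import dataclass

# Assumed fixed response time; must sit above the slowest real path.
RESPONSE_BUDGET_S = 0.05

# Constructed sharing table: resource id -> set of accounts it was shared with.
SHARES = {"video-123": {"alice@example.com"}}


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def _simulate_work(seconds):
    """Stand-in for a real lookup or render step that takes measurable time."""
    time.sleep(seconds)


def _is_authorized(resource_id, account):
    return account in SHARES.get(resource_id, set())


def serve_naive(resource_id, account):
    """Naive handler: the authorized path does slow work and returns video,
    the unauthorized path returns a fast HTML error. Timing and response
    shape both leak the visitor's authorization status."""
    if _is_authorized(resource_id, account):
        _simulate_work(0.02)  # e.g. fetching the media manifest
        return Response(200, "video/mp4", "<binary video data>")
    return Response(403, "text/html", "<h1>Access denied</h1>")


def _pad_to_deadline(start, budget):
    """Sleep until `budget` seconds have elapsed since `start`."""
    remaining = budget - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)


def _video_page(src):
    # Both branches render the same kind of page: a single video element.
    return f'<html><body><video src="{src}" controls></video></body></html>'


def serve_hardened(resource_id, account):
    """Hardened handler: same status, content type and page shape whether or
    not the visitor is authorized, and a constant-time response."""
    start = time.monotonic()
    if _is_authorized(resource_id, account):
        _simulate_work(0.02)
        body = _video_page(f"/media/{resource_id}")
    else:
        # The error page also shows a video (a placeholder), as suggested above.
        body = _video_page("/media/placeholder")
    _pad_to_deadline(start, RESPONSE_BUDGET_S)
    return Response(200, "text/html", body)


def measure(handler, resource_id, account):
    """Call a handler and return (response, elapsed seconds)."""
    start = time.monotonic()
    resp = handler(resource_id, account)
    return resp, time.monotonic() - start


if __name__ == "__main__":
    for handler in (serve_naive, serve_hardened):
        for account in ("alice@example.com", "mallory@example.com"):
            resp, elapsed = measure(handler, "video-123", account)
            print(f"{handler.__name__:15} {account:20} {resp.status} "
                  f"{resp.content_type:10} {elapsed * 1000:6.1f} ms")
```

Padding to a deadline only hides timing differences that fit under the budget: if the authorized path can ever exceed RESPONSE_BUDGET_S, the difference reappears, so the budget has to be chosen from the worst case observed in production, not the average. The padding also does nothing about the rendering side channel on its own, which is why the hardened handler returns a page of the same shape on both paths.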
A website's operator has the ability to engage in a variety of nefarious targeted activities by knowing the precise identity of the person who is currently visiting the site.
The findings follow up on previous research from the University of Hamburg, Germany, which showed how Wi-Fi probe requests allow mobile devices to leak personal information such as passwords and past vacation destinations.
According to MIT researchers last month, the root cause of a website fingerprinting attack was not due to signals generated by cache contention (aka a cache-based side channel) but rather due to system interrupts, and they demonstrated that interrupt-based side channels can be used to mount a powerful website fingerprinting attack.