[ad_1]
In the past, other theoretical analyzes have been conducted that have examined attacks similar to the one developed by the NJIT researchers, but much of these investigations have focused on data leaks between websites in the occasion of requests exchanged between different services. In response to the results of this work, browsers and site developers have improved the way data is isolated and restricted when loading content, making these potential attack paths less viable. Knowing the determination of attackers to seek new techniques to identify usersthe researchers wanted to explore other approaches.
“Suppose we have a forum dedicated to extremists or clandestine activists who law enforcement have secretly taken control of it – explains Curtmola – and want to identify the users of this forum, but that they cannot do so directly because the users use pseudonyms. But we imagine that law enforcement has also managed to gather a list of Facebook accounts they suspect belong to forum users. In this case they would be able to associate who visits the forum with profiles Facebook specify“.
How the attack works
While explaining how it works is difficult, this type of attack is relatively easy to understand once the basics are in place. The attacker needs a few things to get started: a website they control, a list of accounts linked to people they want to identify as visitors to that site, and the content posted on the platforms by the accounts in their target list; these contents allow or block the viewing by the targets (the attack works in both cases).
Subsequently, the aggressor embedda the content on the website it controls, and waits to see who clicks. If a person on the target list visits the site, the attackers will be able to trace its identity by analyzing which users can (or cannot) view the embedded content.
The attack exploits a number of factors that most people don’t pay attention to: many of the main services, from YouTube to Dropbox, allow users to host multimedia content and embed it on another site. It is easy for people targeted by attackers to have accounts on these very popular services, to which, crucially, they often remain logged in on their phones or computers. Finally, these services allow users to restrict access to content that is uploaded. For example, you can set up your Dropbox account to privately share a video with one or a few users, or you can upload a video to Facebook and block certain accounts from viewing it.
The functions to “block” or “allow” the viewing of content represent the crucial point that has allowed researchers to understand how to trace the identities of users. In the version of the attack where targets view content, for example, cybercriminals could share a photo on Google Drive with a potential target’s Gmail address, then embed the photo on the malicious webpage and lure the target into it. When visitors’ browsers attempt to upload the photo via Google Drive, attackers are able to accurately infer whether the user is authorized to access the content, and thus whether they have control of the email address in question.
.
[ad_2]
Source link
