New attack can reveal identities of anonymous users on any major browser

Researchers from the New Jersey Institute of Technology (NJIT) claim to have discovered a novel "cache side channel attack" technique that could be used to identify specific website visitors, even if they take measures to remain anonymous.

In order to carry out the cache-based targeted de-anonymisation attack, an attacker needs to control a malicious website as well as have a list of target accounts on resource-sharing services such as Google Drive, Dropbox, YouTube, Twitter, Facebook or TikTok. These services allow users to block or grant access to content for specific individuals.

The attacker then hosts a resource, such as an image or a video, on the content-sharing site and sets permissions to permit or block the targeted accounts from seeing the content; the attack works both ways.

The next step is to embed the aforementioned content on their malicious website and then trick the victim into visiting the website and clicking on the content. This will cause the shared resource to be loaded as a pop-under window or a browser tab, or to be blocked from doing so, depending on the settings. Either way, the attacker will be able to positively identify that the visitor was on its list of targets.

It's important to note that the de-anonymisation technique depends on the targeted user already being logged in to the service.

"An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers said.

"The attacker knows this target only through a public identifier, such as an email address or a Twitter handle."

In a hypothetical situation, a malicious actor may share a video from Google Drive to a target's email address before placing the video onto the webpage that is being used to entice the victim. The successful loading of the video might therefore be used to determine whether a victim is one of the visitors to the site.

The researchers claim that the novel attack technique has been tested on popular websites including Facebook, Instagram, LinkedIn, Reddit, TikTok, Twitter and YouTube, as well as on well-known browsers like Chrome, Firefox, Safari and even the high-security Tor Browser.

"If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT.

"But there are certain categories of internet users who may be more significantly impacted by this, like people who organise and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

In January 2022, Curtmola notified the creators of Google Chrome, Apple Safari, and Mozilla Firefox, which together account for approximately 90% of all installed browsers on personal computers, about the security weakness. However, nothing has been done to address the issue since then.

According to Curtmola, the issue is challenging to resolve, and the engineers of major websites are still unsure how to do so.

As mitigation, the researchers have created a browser extension for Chrome and Firefox that can stop such attacks. However, they point out that the extension can affect performance and isn't available for all browsers.

The best defence would be to log out of the affected services after using them.