In this talk, we present a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Because user pages and profiles in social web services generally include the user's name and activities, identifying the social account is enough to destroy the anonymity of a website visitor.
Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different content depending on whether a user is blocked by another user. Our key insight is that an account prepared by an attacker can hold an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service. This state can be retrieved as one bit of data through the conventional cross-site timing attack when a user visits the attacker's website. We generalize this property as "visibility control," which we consider to be the fundamental assumption of our attack. Building on this primitive, an attacker with a set of controlled accounts can gain flexible control over the data leaked through the side channel. Using this mechanism, it is possible to design a robust, large-scale user identification attack on social web services.
We performed an extensive empirical study and found that at least 12 services are vulnerable: Facebook, Instagram, Tumblr, Google+, Twitter, eBay, PornHub, Medium, Xbox Live, Ashley Madison, Roblox, and Xvideos. The attack achieves 100% accuracy and finishes within a sufficiently short time in a practical setting.
We have shared the details of this attack and of countermeasures with service providers and browser vendors. Twitter and eBay have since prevented the attack by changing their implementations. In addition, the "SameSite" cookie attribute has been added to some major browsers, such as Microsoft Edge, Internet Explorer, and Mozilla Firefox.
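As an added illustration that is not part of the talk, the following Python toy model simulates the visibility-control primitive described above and the SameSite mitigation: a service whose profile page differs for a blocked viewer, a browser that attaches the visitor's session to a cross-site request only when the cookie has no SameSite restriction, a codebook over a few controlled accounts, and the decoding step. The Service and Browser classes, the account names and the user names are all constructed for this example.

```python
# Added example, not from the talk: a toy model of the "visibility control" side channel
# and of the SameSite mitigation. Service, Browser, account and user names are constructed.
from dataclasses import dataclass, field

NOT_FOUND = "user-not-found"    # page a blocked viewer gets
FULL = "full-profile-page"      # page an unblocked, logged-in viewer gets
PUBLIC = "public-profile-page"  # page an anonymous request gets, identical for everyone

@dataclass
class Service:
    blocks: dict = field(default_factory=dict)  # blocker -> set of blocked users
    samesite: str = None  # None (legacy cookie), "Lax" or "Strict"

    def block(self, blocker, target):
        self.blocks.setdefault(blocker, set()).add(target)

    def profile(self, owner, viewer):
        """Content differs depending on whether the viewer is blocked: the leak."""
        if viewer is None:
            return PUBLIC
        return NOT_FOUND if viewer in self.blocks.get(owner, set()) else FULL

@dataclass
class Browser:
    session_user: str  # the visitor is logged in to the service in this browser

    def cross_site_fetch(self, service, owner):
        """A request started by a third-party page carries the session cookie only if the cookie has no SameSite restriction."""
        viewer = self.session_user if service.samesite is None else None
        return service.profile(owner, viewer)

def setup_codebook(service, accounts, users):
    """Give each candidate a distinct non-zero bit pattern; account i blocks the users whose bit i is 1."""
    codebook = {}
    for n, user in enumerate(users, start=1):
        codebook[user] = tuple((n >> i) & 1 for i in range(len(accounts)))
        for acct, bit in zip(accounts, codebook[user]):
            if bit:
                service.block(acct, user)
    return codebook

def leaked_bits(service, browser, accounts):
    """One bit per controlled account: 1 if the visitor is blocked by that account."""
    return tuple(int(browser.cross_site_fetch(service, a) == NOT_FOUND) for a in accounts)

def resolve_visitor(service, browser, accounts, codebook):
    """Map the leaked bits back to a user; None when they match nobody (channel closed)."""
    bits = leaked_bits(service, browser, accounts)
    hits = [u for u, code in codebook.items() if code == bits]
    return hits[0] if len(hits) == 1 else None
```

With `samesite` left unset, three controlled accounts distinguish up to seven candidate users; once the session cookie carries SameSite=Lax or Strict, every cross-site fetch is anonymous, all bits read 0 and the decoding step resolves nobody.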