Easily Bulletproof Your Anonymity for Free | Ron Benvenisti

A group of academics, Mojtaba Zaheri, Yossi Oren and Reza Curtmola from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor.

“An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website,” the researchers said.

“The attacker knows this target only through a public identifier, such as an email address or a Twitter handle.”

The attacker leverages a sharing service (Google Drive, Dropbox, YouTube, Vimeo, Twitter, Facebook, Instagram, etc.) to privately share a resource such as an image, a video, or a YouTube playlist with the target, and then embeds the shared resource into the attack website.


As an effective mitigation, the NJIT researchers have developed and released a free and simple-to-use browser extension called Leakuidator+ that’s available for Chrome, Firefox, and Tor browsers. I highly recommend installing it.


In the most basic terms, the attacker seeks to reveal the users of a website by connecting the list of accounts tied to those individuals with their social media accounts or email addresses through a piece of shared content on the platforms noted above.



Platforms such as those from Google, Facebook, Instagram, LinkedIn, Twitter, and TikTok were found susceptible. One notable service that’s immune to the attack is Apple iCloud.

“As an example, if an authorized user was going to be shown a video, the error page for the non-targeted user should also be made to show a video,” the researchers said, adding websites should also be made to require user interaction before rendering content.
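A small model of the website-side mitigation quoted above, added here as an illustration and not taken from the researchers or the original article. The resource, addresses, sizes, and the list of properties an embedding page can tell apart are all assumptions made for the example.

```javascript
// Constructed model of a sharing service's embed endpoint (all names hypothetical).
const RESOURCE = { sharedWith: new Set(["target@example.com"]),
                   mime: "video/mp4", bytes: 1500000 };
// Generic "not available" clip served to everyone the resource is NOT shared with.
const PLACEHOLDER = { mime: "video/mp4", bytes: 1500000 };

// Naive service: unauthorized viewers get a small HTML error page.
function naiveEmbed(viewer) {
  if (RESOURCE.sharedWith.has(viewer)) {
    return { status: 200, mime: RESOURCE.mime, bytes: RESOURCE.bytes, autoRender: true };
  }
  return { status: 403, mime: "text/html", bytes: 900, autoRender: true };
}

// Hardened service, following the two recommendations in the quote:
// 1) the error response is also a video, 2) nothing renders before a user click.
function hardenedEmbed(viewer, userClicked = false) {
  if (!userClicked) {
    // Identical click-to-play shell for every viewer.
    return { status: 200, mime: "text/html", bytes: 1200, autoRender: false };
  }
  const body = RESOURCE.sharedWith.has(viewer) ? RESOURCE : PLACEHOLDER;
  return { status: 200, mime: body.mime, bytes: body.bytes, autoRender: false };
}

// Assumed set of properties an embedding page could tell apart indirectly:
// status, content type, size rounded up to 64 KiB, automatic rendering.
function observableShape(r) {
  return [r.status, r.mime, Math.ceil(r.bytes / 65536), r.autoRender].join("|");
}

// True when the shared-with viewer and any other viewer get responses
// that differ in at least one observable property.
function leaksIdentity(embed, ...args) {
  const a = observableShape(embed("target@example.com", ...args));
  const b = observableShape(embed("someone-else@example.com", ...args));
  return a !== b;
}

console.log("naive leaks:", leaksIdentity(naiveEmbed));
console.log("hardened, before click:", leaksIdentity(hardenedEmbed, false));
console.log("hardened, after click:", leaksIdentity(hardenedEmbed, true));
```

A service team can use the same comparison as a regression test: fetch the embed as an authorized and an unauthorized account and fail the build if the two responses differ in anything other than the video content itself.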

“Knowing the precise identity of the person who is currently visiting a website can be the starting point for a range of nefarious targeted activities that can be executed by the operator of that website.”




Leakuidator+ helps users to protect themselves against what is known as cross-site leaks, a class of vulnerabilities derived from “side-channels” built into the web platform.


When browsing the web, Leakuidator+ keeps users safe against deanonymization attacks by protecting their online identities associated with storage sites such as Google Drive, OneDrive, and Dropbox; media sharing sites such as YouTube, Google Photos, Amazon Photos, and Flickr; code-hosting repositories such as GitHub, GitLab, Bitbucket, and Assembla; social media sites such as Facebook, Twitter, and Instagram; and other websites.

Leakuidator+ has two modes of operation, Relaxed and Exact, which reflect the criteria used for identifying potentially dangerous requests made by a website. For each dangerous request identified, the user has the option to let the request pass through or to continue being protected. Prior user decisions can be recorded for future use, and are accessible for editing through the options page.


3 COMMENTS

  1. Has TLS checked into this and verified it is legit? Who wrote this article? If it is an advertisement it should say that. If it’s someone’s advice it should say who that someone is. It says “I highly recommend”… Who is the “I”? For all we know this is a very well crafted method, planned out by those very same hackers and malicious actors in order to get thousands of people to download their “app” to “protect” themselves when in reality it’s letting them in. I’m not saying that’s the case, and I’m not at all a tech expert but every tech expert I’ve always heard, including those on this site such as Ron Benvenisti, always tell us to know first that what we are clicking or downloading is safe.

  2. This is Ron. I wrote the article. It is not an ad in the least, as usual. It works. Download it! For some reason my byline was left out. Attn: Ed.
