Simply joining a few groups at social networking sites may reveal enough information for hackers to personally identify you, according to some recent computer science research. In a paper that will be presented at a security conference later this year, an international team of academics describes how they were able to build membership sets using information that social networking sites make available to the public, and then leverage an existing attack on browsing history to check for personal identity. That information, they argue, can then be combined with other data to create further security risks, such as a personalized phishing attack.
The vulnerability of social networking groups is the product of a few decisions that require a balancing between security and usability. The first takes the form of providing unique identifying information for groups. Many social networking sites simply track groups (like "science writers" or "Ars Technica fans" by IDs in the form of integers. These IDs make their way into a browser's history because they're often incorporated into a URL via HTTP GET, which sends information to servers via variables incorporated into the URL.
It's possible to keep that information out of the URL by using HTTP POST instead, which transfers the data separately. But POST makes it impossible to bookmark a group's page, since that information is no longer part of the URL that's stored in a bookmark. So, from a user interface perspective, it's much better to use HTTP GET.
If the group ID is in the URL, then it also shows up in the browser history, and previous work has shown that the browser history is vulnerable to being scanned by malicious websites. Again, this is the product of good user interface, as sites are able to display links that have already been visited in distinct colors as an aid to navigation. To do that, they have to be able to know where a user has been, and there are a number of ways to do this using standard Web technology. "To date, the problem has not been solved as it is often viewed as a usability feature/design issue rather than a browser bug," the authors write.
So, it's possible to identify URLs that correspond to social networking groups, and then test a user's browser history for whether they've visited them. The last step in tracing back to individual users involved obtaining a list of social networking group members. It turns out that many sites make group membership lists public, and others will allow registered users to see the membership lists for groups. LinkedIn, the authors note, displays group membership information for individual users on their public profile page. On the German social site Xing, they were even able to get access to some private group membership information simply by sending requests from a dummy account—about 10 percent of the groups seemed to accept any membership requests that came in.
This required them to generate custom crawlers for each social networking site but, barring major site redesigns, those crawlers should be able to update membership lists indefinitely.
The authors built a complete membership list for every group they could access in Xing, and then analyzed what the intersection of various membership lists could tell them about an individual's identity. For Xing, it turns out that 42 percent of the group membership intersects provided an exact identity. In other words, by knowing what groups an individual belongs to, nearly half the time you could determine precisely who that individual is.
The amount of computational effort involved isn't especially significant, either. "In total, we successfully crawled more than 43.2 million group members from 31,853 groups in a period of 23 days using only two machines," the authors noted. They also performed a pilot analysis with Facebook, and showed that it was vulnerable as well, although its massive membership size made tackling it fully beyond the scope of this work.
With the group membership database built, all that's left is to test for the presence of member pages in a browser's cache. The authors produced a JavaScript that would do that, and tested it with browsers on several platforms. Performance generally paralleled published JavaScript results, with Safari and Chrome leading the pack, and IE well behind (in this case, that's a security feature). But the important thing is the raw numbers: using Safari, they could test 90,000 URLs in under 20 seconds using a 2.8GHz Core 2 Duo laptop.
Depending on the social network, knowing an individual's identity can open up a can of worms, as far as personal information goes. A person's bank account details is unlikely to appear there, but (as noted at top), having a more complete profile of an individual makes them susceptible to spear phishing attacks, or could leave them more vulnerable to abuse by personal information obtained from other sources.
A lot of this information may be available by other means, but the addition of social networking sites to the list of vulnerabilities simply makes it harder for individuals to take appropriate steps to protect themselves. And, since this attack relies on features that are generally considered essential to good interface design, preventing this risk may be nearly impossible.
reader comments
14