User Blocking Considered Harmful? An Attacker-controllable Side Channel to Identify Social Accounts

05/14/2018
by Takuya Watanabe, et al.

This paper presents a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked by another user. Our key insight is that an account prepared by an attacker can hold an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service; provided that the user is logged in to the service, this state can be retrieved as one-bit data through the conventional cross-site timing attack when a user visits the attacker's website. We generalize and refer to such a property as visibility control, which we consider the fundamental assumption of our attack. Building on this primitive, we show that an attacker with a set of controlled accounts can gain complete and flexible control over the data leaked through the side channel. Using this mechanism, we show that it is possible to design and implement a robust, large-scale user identification attack on a wide variety of social web services. To verify the feasibility of our attack, we perform an extensive empirical study using 16 popular social web services and demonstrate that at least 12 of these are vulnerable to our attack. Vulnerable services include not only popular social networking sites such as Twitter and Facebook, but also other types of web services that provide social features, e.g., eBay and Xbox Live. We also demonstrate that the attack can achieve nearly 100 time in a practical setting. We discuss the fundamental principles, practical aspects, and limitations of the attack as well as possible defenses.
