
Researchers from the New Jersey Institute of Technology released last week the details of a new targeted attack that can reveal the identity of a supposedly anonymous website visitor. It allows a bad actor who has control over a website to determine whether specifically targeted people visit it. It does this by using services, like YouTube, Google Drive, or Dropbox, that users may be logged into in the background, to check whether the visitor is a particular known account. It’s a difficult attack to protect against, as it doesn’t rely on cookies, browser fingerprinting, or any of the usual methods for tracking website visitors that browsers like Firefox and Safari are starting to block.

This attack is a bit complicated, so let’s break it down. It relies on the attackers having three things:

  • Control over a website that their target might conceivably visit (or be tricked into visiting).
  • Their target’s email address, Facebook account, Twitter account, or some other publicly identifiable profile. 
  • A service like Facebook, YouTube, Google Drive, or Dropbox that allows for documents, files, or anything else to be shared with specific users. 

The attackers have to assume that, like most internet users, their target probably stays logged into most of these resource-sharing services. This, after all, is how Facebook is able to track so much data about its users.


A simple version of the attack would look something like this: Say a hacker wants to install something like the Pegasus spyware on my computer, but they don’t want to install it on every website visitor’s computer because they worry that security researchers would discover it and come up with ways to mitigate the threat. They know I’m into science and technology because I write for Popular Science, and they know my email address because it’s public. To target me, they could set up a fake science press release site (or better yet, blackmail or hack their way into control of a legitimate one) and embed a Google Document in the page. The document is set so that it’s public to everyone except for a single blocked Google account—the one associated with my email address.

If you or anyone else visits the page, the document loads normally. However, if I visit the page (and I’m logged into Gmail in the background), the document doesn’t load. The hackers can’t see any of this directly, but they can use JavaScript to measure the timing of the CPU cache, which reflects how long memory reads take, and use that to infer whether the document is loading for the visitor or not. After gaining total control of the website and homing in on the targeted user, they could deploy a zero-day “zero-click” attack to install their spyware on my computer without me noticing—and without installing it for anyone else by mistake. All they have to do is get me to visit the website.

While this is very much a targeted attack, the researchers also suggest another broader possible use case for the attack. If the FBI discovered a forum being used by anonymous extremists and was able to take control of it (a tactic they’ve used in the past), they could potentially deanonymize a number of users based on a list of suspected Facebook accounts associated with the group. 

It can also impact many different types of devices and browsers. The researchers used it across multiple desktop and mobile CPU architectures (including Intel, Apple, and Qualcomm), operating systems (including Windows, macOS, and Android), browsers (including Chrome, Safari, Firefox, and the security-focused Tor Browser), and popular resource-sharing services (including Google, Twitter, LinkedIn, TikTok, Facebook, Instagram, and Reddit). They concluded that “a large majority of Internet users are vulnerable.”

And even if you know you’re vulnerable, it’s still a hard attack to prevent. The researchers have reached out to the affected browser vendors and sharing services, but said that there is no “immediate fix… that does not dramatically affect user browsing experience.” In the interim, they’ve released a plug-in for Chrome and Firefox called Leakuidator+ that can mitigate some variants of the attack, by stripping third-party identifying data like cookies from any potentially risky request.

Meanwhile, users can take preventative steps by not giving out unnecessary logins to sharing services, not logging into personal accounts on another device such as a work computer or vice versa, and using Safari, Tor, Firefox, or another browser that limits third-party cookies by default (as it makes certain variants of the attack impossible to pull off). 
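To make concrete why the “blocked for one account” setup described above leaks anything, and why the cookie-stripping of Leakuidator+ and a browser that blocks third-party cookies by default both close the leak, here is an added toy model. It is example code written for this article, not code from the NJIT researchers, their paper, or the Leakuidator+ plug-in. The session cookies, account names, document id and site names are all constructed, and the cache-timing measurement from the paper is replaced by the simpler signal it ultimately recovers: whether the embedded document loaded for this visitor or not.

```javascript
// Added example (not from the article or the NJIT paper): a toy model of a
// resource-sharing service, a browser cookie policy, and an attacker's page
// that embeds a document blocked for exactly one account.
// All names, cookies and sites below are constructed for illustration.

// --- Toy sharing service --------------------------------------------------
// Session cookie value -> account that owns it (constructed sample data).
const SESSIONS = {
  "sess-alice": "alice@example.com", // the targeted user
  "sess-bob": "bob@example.com",     // any other logged-in visitor
};

// A document that is public to everyone except one blocked account.
const DOC = { id: "doc-123", blocked: new Set(["alice@example.com"]) };

// What the service returns for an embed request. The only thing that matters
// to the attacker is that the two branches behave differently.
function serveDocument(cookieHeader) {
  const session = cookieHeader ? cookieHeader.replace(/^session=/, "") : undefined;
  const account = session ? SESSIONS[session] : undefined;
  if (account && DOC.blocked.has(account)) {
    return { status: 403, body: "" };               // blocked user: nothing loads
  }
  return { status: 200, body: "x".repeat(4096) };   // everyone else: the document
}

// --- Toy browser cookie policy --------------------------------------------
// Decide whether the browser attaches the service's session cookie to a request
// for `requestSite` while the top-level page is `topLevelSite`.
// `policy.blockThirdPartyCookies` models a Safari/Firefox-style default;
// `policy.stripCrossSiteCredentials` models a Leakuidator+-style extension that
// removes identifying data from risky cross-site requests.
function cookieHeaderFor(session, topLevelSite, requestSite, policy) {
  if (!session) return undefined;                   // not logged in: nothing to send
  const crossSite = topLevelSite !== requestSite;
  if (crossSite && (policy.blockThirdPartyCookies || policy.stripCrossSiteCredentials)) {
    return undefined;                               // cookie never leaves the browser
  }
  return `session=${session}`;
}

// --- The attacker's page embeds the document ------------------------------
// Returns the one bit the attacker's page can observe: did the embed load?
function embedLoaded(visitorSession, policy) {
  const cookie = cookieHeaderFor(visitorSession, "fake-press.example", "docs.example", policy);
  return serveDocument(cookie).status === 200;
}

// The leak exists only if the target's visit is distinguishable from anyone
// else's visit (another logged-in user, or someone not logged in at all).
function leaksTargetIdentity(policy) {
  const target = embedLoaded("sess-alice", policy);
  const other = embedLoaded("sess-bob", policy);
  const anonymous = embedLoaded(undefined, policy);
  return !(target === other && other === anonymous);
}

// Compare the three policies the article discusses.
for (const [name, policy] of Object.entries({
  "third-party cookies allowed": {},
  "third-party cookies blocked by default": { blockThirdPartyCookies: true },
  "Leakuidator+-style stripping": { stripCrossSiteCredentials: true },
})) {
  console.log(`${name}: leaks target identity = ${leaksTargetIdentity(policy)}`);
}
```

With cookies allowed on the cross-site embed, the service answers the target with a 403 and everyone else with the document, so the page sees a different outcome only for the target. Once the cookie is withheld, the service cannot tell who is asking and returns the same response to every visitor, which is exactly why the article says certain variants become impossible to pull off under those browser settings.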

Almost all these steps will make using the internet less pleasant and more inconvenient—but that is the sacrifice you have to make if you fear you could be a victim of a sophisticated targeted (and likely state-sponsored) attack. These are the types of hacks that Apple’s new Lockdown Mode was designed to deal with.