De-Anonymizing Social Network Users

← Back to Stories (view on slashdot.org)

De-Anonymizing Social Network Users

Posted by kdawson on Monday February 1, 2010 @07:29PM from the know-what-groups-you-joined-last-summer dept.

An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikelly that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."

25 of 88 comments (clear)

Min score:

Reason:

Sort:

An anonymous reader? by Tyir · 2010-02-01 19:44 · Score: 5, Funny

Probably not so anonymous anymore!
Nothing new by stephanruby · 2010-02-01 19:45 · Score: 3, Insightful

There is nothing new about this. This is what any human being (a PI, or a stalker) would intuitively try to do. This is just streamlining and automating that process.
1. Re:Nothing new by AHuxley · 2010-02-01 20:41 · Score: 4, Insightful
  
  IP can change, country can change, name can change.
  But if your the user with a Mac, version 2.0.1b of a browser posting to a small interest section, this would be great to find you again and your new set of friends.
  Thats why you never go back to the same sites if people are interested in you.
  
  --
  Domestic spying is now "Benign Information Gathering"
Can I get a big who cares? by Eskarel · 2010-02-01 19:58 · Score: 3, Interesting
So basically if
1. An attacker indexes the entire user list and group memberships of a social networking sites.
2. You regularly visit a large number of the groups you belong to on said social networking site so that their url paths are in your history.
3. You're the only person who uses your PC to log onto said social networking site.
4. You visit a malicious website using this technique.
then an attacker might be able to work out the name you use on that social networking site?
Why would anyone bother. Indexing facebook would take quite a bit of time and resources and at the end of it you'd have something which might or might not be someones real name. Even if it is their real name, what exactly are you going to do with it? So you've unmasked(maybe) the name(maybe) of someone who visited your site. It's not going to give you anything else useful unless you combine it with some other attack vector which could quite easily pick up their real name for free anyway.
I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests, but to be honest, you'd probably do better social engineering their ISP to get their account details.
1. Re:Can I get a big who cares? by AHuxley · 2010-02-01 20:49 · Score: 2, Informative
  
  It could be about the connections. If you get an ip and raid a house you get 1 person and a clean computer. They alert their friends and its all over.
  With this you get the friends of friends and their interests.
  The ability to play an eco nut, poker fan, open source gamer or other 'lifestyle' undercover is very tempting.
  Over time they build a relationship and might get invited in.
  
  --
  Domestic spying is now "Benign Information Gathering"
2. Re:Can I get a big who cares? by Anonymous Coward · 2010-02-01 20:52 · Score: 3, Insightful
  
  I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests
  You mean, like, a social networking site?
Uh, no thanks... by __aaclcg7560 · 2010-02-01 20:01 · Score: 4, Funny

I prefer not to de-anatomized all the Anonymous Cowards. Neutered them, sure. Let's leave it at that.
Re:No Groups by daveime · 2010-02-01 20:09 · Score: 2, Funny

Billy No-Mates, is that you ?
Summary is wrong; idea is worthless by michaelmalak · 2010-02-01 20:10 · Score: 4, Insightful

The summary is incorrectly worded. It should read "Contrasted with the EFF's..."
But worse than that, the paper itself is horribly written, especially the abstract. The threat presented is not de-anonymization within the social network (since usually most profiles are real people anyway) but rather de-anonymization of visitors to arbitrary websites if those visitors also have social networking URLs in their browser history.
Now, the big privacy hole here is browser history stealing, which is four years old. All this paper does is refine this mountain of privacy-invading information using social networking URLs that might be found there.
1. Re:Summary is wrong; idea is worthless by pipatron · 2010-02-01 21:32 · Score: 2, Insightful
  
  Which is why browsing with NoScript should be mandatory and why we should try to stop webmasters from using unnecessary javascript on their websites.
  (Oh, and please stop mocking those of us that takes basic security precautions.)
  
  --
  c++; /* this makes c bigger but returns the old value */
2. Re:Summary is wrong; idea is worthless by zdzichu · 2010-02-01 22:01 · Score: 2, Insightful
  
  The whole site and paper looks like an attempt at marketing Xing. I never heard of this site before, now it's on the news.
  
  --
  :wq
Fonts, Plugins, History... why? by advocate_one · 2010-02-01 20:11 · Score: 5, Interesting

Having gone on that panopticlick site and discovered that my browser was unique amongst some half million visitors... I was shocked that my browser was blabbing about what fonts were on my system... Why on earth would a browser transmit the list of installed fonts at all? All it needs locally are a set of alternatives, ie. if page says this font, then use this local font... wasn't that the entire point of the webfonts package?
similarly, the plugins list... another thing that doesn't need to be sent out by the browser...
Firefox devs, you listening here? these do not need to be transmitted so block them...
anyone know of a plugin that blocks them?
and why on earth is it possible to sniff the history list???

--
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
1. Re:Fonts, Plugins, History... why? by macraig · 2010-02-01 20:21 · Score: 3, Interesting
  
  You're barking up the wrong tree: you should be screaming at the JavaScript wizards, I think.
2. Re:Fonts, Plugins, History... why? by zwei2stein · 2010-02-01 20:23 · Score: 5, Informative
  
  Your font list is reported by flash and java. Your browser is innocent of this. Disabling flash & java goes long way to make your system information less accessible.
  Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png") && boo! - if you go to my site, you will request specific image and i can see it in logs, boom, i know you were to slashdot.
  
  --
  -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
3. Re:Fonts, Plugins, History... why? by Anonymous Coward · 2010-02-01 20:40 · Score: 2, Informative
  
  "anyone know of a plugin that blocks them?"
  NoScript blocks Javascript which in turn blocks most of these queries.
  Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.
  Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applets).
4. Re:Fonts, Plugins, History... why? by advocate_one · 2010-02-01 20:45 · Score: 2, Informative
  
  I was running with noscript, flashblock and adblock... mind you, I think I had noscript set not quite so strictly... and clicked on the flash blocked box thinking it needed clicking on for the site to work...
  
  --
  Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
5. Re:Fonts, Plugins, History... why? by StripedCow · 2010-02-01 21:54 · Score: 4, Insightful
  
  Even more horrifying: in my case, my local username was part of the information that panopticlick found... the reason was that one of the plugin binaries was in a subdirectory of my homedir, and its path contained my username, and apparently the path of that binary was sent out by firefox. However, I'm not sure if the fault lies with firefox or with the particular plugin (citrix receiver for linux). Probably the latter, because in the plugin-box, it identifies itself with its full path.
  
  --
  If Pandora's box is destined to be opened, *I* want to be the one to open it.
6. Re:Fonts, Plugins, History... why? by osu-neko · 2010-02-01 22:46 · Score: 2, Interesting
  
  This is one of the reasons why, on my Windows box, my local username is "root". If it gets embedded somewhere, this doesn't tell people much. (Just to add to the confusion, it's a normal user account, not an "administrator".)
  
  --
  "Convictions are more dangerous enemies of truth than lies."
What about loners? by macraig · 2010-02-01 20:18 · Score: 5, Interesting

Brilliant plan, guys... except you still left one variable unknown: the aloof guy who doesn't belong to any groups. How do you pick him out of the crowd when he's not in it to begin with? Those aloof loners are always the ones we should be worrying about, right? That's what the movies always say.
1. Re:What about loners? by AHuxley · 2010-02-01 20:53 · Score: 2, Interesting
  
  They slip up during car trips and are spotted by local cops.
  Or buy 10X the normal amount of a substance and the local supplier pulls the FBI card as they are a upstanding citizen or are owned by the feds.
  The smart ones make their own, but then it is always the essay to trip them up.
  
  --
  Domestic spying is now "Benign Information Gathering"
Xing? by 93+Escort+Wagon · 2010-02-01 20:18 · Score: 2, Interesting

They (the authors) keep mentioning it in the same breath as Facebook, Twitter, and LinkedIn - but I've never heard of it (I realize that may not necessarily mean anything). It also seems a bit odd to see the BSD demon in one of the article graphics. I can't help but wonder if this was posted to actually discuss an attack vector against social networking sites, or if it was really some weird attempt to promote some GNU/Free social networking club.
Anyway, it seems to me that demoing a practical de-anonymization of a Facebook user or a LinkedIn profile would be more interesting.

--
#DeleteChrome
1. Re:Xing? by thePowerOfGrayskull · 2010-02-01 20:51 · Score: 3, Insightful
  
  I was wondering the same. Having never heard of xing, I went to its web site and learned that it's a "global network of professionals" that boasts "over 8 million members".
  Xing membership is a fraction of facebook, linkedin, et al. I would have to assume that it's going to be easier to "fingerprint" users of Xing when they have such a relatively small userbase. TFA doesn't say that their method works anywhere else either (though they imply that it could...); further they specify it only works for people in groups. This reduces the population of 8 million down to 1.7 million by itself. How many of those belong to just 1 or 2 groups, in which you might expect to find a high degree of overlap?
2. Re:Xing? by LKM · 2010-02-01 22:04 · Score: 3, Informative
  
  Xing is a German site similar to LinkedIn. It's quite popular in Europe. Nothing to do with BSD, GNU or anything else along those lines.
Re:False belief work both ways. by osu-neko · 2010-02-01 22:59 · Score: 3, Insightful

...register with different false data on separate sites
This attack allows for a bit of quasi-de-anonymizing in this case. It doesn't tell you that user "vikingsfan" is real life Eric J. Andersen of Frostbite Falls, MN, but it does tell you that "vikingsfan" on the site is none other than "hockeypuck" on site B, who is also the same person as "moosehead" on site C, etc.
This sounds trivial, but it's of interest to some of us who may not want people on site A to know who we are on site B, when site A is an important social locale for us, even if no one on site A knows our real name (which is probably unimportant to them in any case, it might as well be just another nick...)
Put succinctly, it can expose your alts even if it doesn't expose your RL identity.

--
"Convictions are more dangerous enemies of truth than lies."
uhh, why? by TechnoVooDooDaddy · 2010-02-02 01:31 · Score: 4, Insightful

All you have to do is post a stupid little survey to Facebook and millions of idiots will fill the silly thing out giving you their mother's maiden name, street they grew up on, and last 4 digits of their social security in return for generating a few sentences of nonsense.