TY - GEN
T1 - User Blocking Considered Harmful? An Attacker-Controllable Side Channel to Identify Social Accounts
AU - Watanabe, Takuya
AU - Shioji, Eitaro
AU - Akiyama, Mitsuaki
AU - Sasaoka, Keito
AU - Yagi, Takeshi
AU - Mori, Tatsuya
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/6
Y1 - 2018/7/6
N2 - This paper presents a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked from another user. Our key insight is that an account prepared by an attacker can hold an attackercontrollable binary state of blocking/non-blocking with respect to an arbitrary user on the same service; provided that the user is logged in to the service, this state can be retrieved as one-bit data through the conventional cross-site timing attack when a user visits the attacker's website. We generalize and refer to such a property as visibility control, which we consider as the fundamental assumption of our attack. Building on this primitive, we show that an attacker with a set of controlled accounts can gain a complete and flexible control over the data leaked through the side channel. Using this mechanism, we show that it is possible to design and implement a robust, largescale user identification attack on a wide variety of social web services. To verify the feasibility of our attack, we perform an extensive empirical study using 16 popular social web services and demonstrate that at least 12 of these are vulnerable to our attack. Vulnerable services include not only popular social networking sites such as Twitter and Facebook, but also other types of web services that provide social features, e.g., eBay and Xbox Live. We also demonstrate that the attack can achieve nearly 100% accuracy and can finish within a sufficiently short time in a practical setting. We discuss the fundamental principles, practical aspects, and limitations of the attack as well as possible defenses.
AB - This paper presents a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked from another user. Our key insight is that an account prepared by an attacker can hold an attackercontrollable binary state of blocking/non-blocking with respect to an arbitrary user on the same service; provided that the user is logged in to the service, this state can be retrieved as one-bit data through the conventional cross-site timing attack when a user visits the attacker's website. We generalize and refer to such a property as visibility control, which we consider as the fundamental assumption of our attack. Building on this primitive, we show that an attacker with a set of controlled accounts can gain a complete and flexible control over the data leaked through the side channel. Using this mechanism, we show that it is possible to design and implement a robust, largescale user identification attack on a wide variety of social web services. To verify the feasibility of our attack, we perform an extensive empirical study using 16 popular social web services and demonstrate that at least 12 of these are vulnerable to our attack. Vulnerable services include not only popular social networking sites such as Twitter and Facebook, but also other types of web services that provide social features, e.g., eBay and Xbox Live. We also demonstrate that the attack can achieve nearly 100% accuracy and can finish within a sufficiently short time in a practical setting. We discuss the fundamental principles, practical aspects, and limitations of the attack as well as possible defenses.
KW - side channel attacks
KW - social account identification
KW - web based attacks
UR - http://www.scopus.com/inward/record.url?scp=85050762599&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050762599&partnerID=8YFLogxK
U2 - 10.1109/EuroSP.2018.00030
DO - 10.1109/EuroSP.2018.00030
M3 - Conference contribution
AN - SCOPUS:85050762599
T3 - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
SP - 323
EP - 337
BT - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
Y2 - 24 April 2018 through 26 April 2018
ER -