Researchers have succeeded in developing an attack that can identify anonymous visitors to a website. The technique, which bypasses all the protections put in place by browsers, can be launched without the Internet user realizing that his identity has been exposed.
There are many tools to protect your privacy on the web, such asto hide his . Le for example, uses a decentralized network and even goes so far as to impose a size of upon opening to prevent sites from using dimensions to identify a computer. However, even with all these precautions, it is not always possible to .
Researchers from in the United States, have discovered a method that makes it possible to identify Internet users thanks to their profiles on et . Concretely, it is not a question of discovering the identity of a lambda Internet user, but of confirming the visit of someone whose account is already known.
The attack relies on sharing content from major platforms
To get started, it is necessary to own a website. This could be a site run by hackers, or for example an anonymous forum that law enforcement has taken over. This attack is somewhat devious, and relies entirely on selective content sharing features of sites like Facebook,, but also et and many others. Site managers must therefore have a list of suspects, of whom they know at least one online account.
The attack consists in creating a publication, either limited to one or more people in this list, or public but prohibited to these same people. It works both ways. All they have to do is share the post on their site. Thehave safeguards in place to prevent the site owner from knowing whether visitors have seen the content. However, and this is the central point of this attack, they may have information on the functioning of the from .
An attack that uses CPU cache access time
Sites cannot see the contents of other sites’ cache memory, but this memory is limited and requested by all processors. By loading content that requires a lot of cache memory, they can measure the execution time. Using machine learning, they can then identify the delay produced when other specific content competes for that cache. This allows them to infer whether or not the browser was able to load the post. Thus, if the Internet user has opened a file onthat was only shared with one account, they can confirm its identity.
This kind of attack can hardly be launched inand presents little risk for the majority of Internet users. However, the technique could be a way for governments to online activists and journalists, political opponents or minorities. And there’s no way to know if his identity has been exposed. Pending a possible fix at the browser level, the researchers published the Leakuidator+ extension on Chrome and Mozilla Firefox, which warns the user of a suspicious request and gives them the choice to display the content or not.