The era of online anonymity may be coming to an end. Researchers at the New Jersey Institute of Technology (NJIT) recently discovered that hackers can use a malicious website to reveal the email addresses and social media accounts of visitors. Using this method, even if your Twitter account has no resemblance to or identification of the real you, it can still be connected to your personal information. The ability to name the unnamed on the web has been a dream of advertisers and governments alike for years – but now the dream has come true.
Online Anonymity
According to the NJIT findings, owners of malicious websites can now analyze minimal features of a user’s browser to see if the target is logged into an array of accounts, from AOL to YouTube to Dropbox. Unfortunately, even for users who hid behind multiple IP addresses, all of the major browsers – including the anonymity-focused Tor Browser – are susceptible to this attack.
Even for the average person with “nothing to hide,” their personal browsing history is still invaluable to a seller. Advertisers want to know who to target, and this is a perfect way for them to obtain that information. Personalized ads, however, are perhaps the most benign reason behind such attacks. Far more malignant motives could be dangerous for journalists, political activists, protest organizers, and other “socially targeted” users who wish to stay hidden online.
A Present Reality
This is no mere theory; there is documentation of government-backed cyberhackers identifying individual users and obtaining access to their data. Reza Curtmola, an author and computer scientist at NJIT, explained the process in a hypothetical:
“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it. They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”
There are numerous ways hackers can use backdoors to stealthily connect an IP address, email, social media account, or some other online service to a person’s identity. These methods are all quite stealthy, as Curtmola explained, “you just visit the website and you have no idea that you’ve been exposed.”
Those carrying out such attacks need a website, a list of accounts tied to people they want to identify as having visited their site, and content posted to the platforms or accounts of the people on their list that either allows the target to view the content or blocks them from it. The attacker then embeds that content on a malicious website and waits to see who clicks. If anyone on the list of targets visits the site, the attacker can figure out who they are by analyzing which users can or can’t view the embedded content.
This method takes advantage of the fact that many services allow users to stay logged in on their phones or computers. They also allow users to block or allow access to others – and it’s this relationship that reveals whether a target has control of certain accounts or not, thus linking various accounts to each other and IP addresses. Establish enough of these links, and the person’s actual identity may become clear.
Iranian Ties
Since 2008, Iranian security services have identified and arrested operators of “illicit” websites and social media organizations, and the state has apprehended and interrogated members of prohibited online communities on a public stage for propaganda purposes. Over the last 14 years, Iranian activists have developed their anonymity, making it much harder for the government to reveal who they really are. The Iranian government has used a mix of hacking tools and their hand of power to force internet service providers to disclose information on users.
Every country has its at-risk populations. Anti-Taliban political activists would be a target for this type of hacking in Afghanistan. Even in the US, political activists might not be immune to such attacks. Or, perhaps, the worst we have to worry about in America is advertisers buying and selling our data. In any case, the days of online anonymity seem numbered.