Top of page
Content Area

Novel Privacy Threat "Silhouette" in Social Web Services

NTT has discovered a new privacy threat "Silhouette" in social web services. If a user of a social web service (SWS) happens to visit a malicious third-party website, this threat has the potential of identifying the name of the user‘s SWS account from that third-party site. A SWS account contains various types of information such as the user‘s real name and face photo, location information, and daily posts, so its unintended identification by a third party can result in the disclosure of critical personal information that could then lead to attacks involving social engineering, blackmail, etc. For example, search results, advertisements commonly included on websites, and links included in e-mail can provide access to a malicious site completely unrelated to that user‘s SWS. The malicious site can then secretly communicate with the SWS that the user is apparently using and identify the name of the user‘s SWS account.

This threat leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked from another user in SWS. In the context of web security, it is a type of timing attack using cross-site request forgery. We have been striving to improve security mechanisms by cooperating with global services and browser vendors that might be affected by this threat and promoting the implementation of appropriate countermeasures. Please see appendix for more information on this research including detailed principle, countermeasures, and our activities.

Obtain response time with cross-site request forgery

Download

Related Articles

  • T. Watanabe, E. Shioji, M. Akiyama, K. Sasaoka, T. Yagi, and T. Mori: "User Blocking Considered Harmful? An Attacker-controllable Side Channel to Identify Social Accounts," Proceedings of the 3rd IEEE European Symposium on Security and Privacy (Euro S&P 2018), April 2018

Related Information

Footer Area

Copyright © 2018 Nippon Telegraph and Telephone Corporation