When surfing the net beyond the realms of social networks or forums, I, and probably most of you too, assume that our presence is anonymous. So last Monday I was really surprised when I visited the de-anonymizing site created by researchers Thorsten Holz and Gilbert Wondracek which quickly ‘exposed’ me within a short space of time by entering a bare minimum of information. This scenario was well below my personal expectations in terms of anonymity, but in my function as VP Operations at XING AG, it got me really excited as the majority of the de-anonymizing process was based on information from our Group sites.

«We are amazed at how swiftly and professionally XING reacted by creating a hotfix – especially seeing that such a hotfix requires an inestimable amount of time and effort»

Gilbert Wondracek

XING’s data protection maxim is ‘Our customers trust XING and its users’ and a key part of that trust is our customers’ right to decide for themselves how they want to appear in public and which data they want to post online. As a result of these considerations and our experience in security, we immediately initiated a number of measures to prevent this kind of classic history stealing and make it impossible for online users to be exposed. The technique deployed was of a purely academic and experimental nature specific to the intended purpose. As far as we are aware, this experiment posed no threat to XING users and their data whatsoever. Despite this, we decided to react immediately before the process became established beyond its current experimental context.

De-Anonymizing

Put simply, de-anonymizing takes place in two steps (for a detailed description, please refer to the researchers’ original report):

  1. A fingerprint is taken of the browser being used. The fingerprint is built from the browser’s history, i.e., the place where visited sites are stored. The browser uses this history for the back button and to color visited links (purple by default, and blue for unvisited links). The history itself can’t be read out of the browser directly, but JavaScript can query the color of a link and so find out whether a site has been visited in the past. If the link to, say, http://www.google.com is purple, then the user has already visited the site (it must be the exact same address – http://www.google.com/search/ would therefore not work in this case). So if the user has already been on the XING site, every Group on the XING platform can be queried this way, since each has an address of the form http://www.xing.com/net/<group-short-name>. This method allowed us to clearly identify a large number of users.
  2. Publicly accessible Groups can be used to create a database which matches publicly known Group users to their fingerprint. To do this, you need to visit all of the public Groups and then crawl them. With a little bit of technical expertise, a service can then be programmed that takes a fingerprint and returns all users with this exact same fingerprint or a similar one. When I saw this in action, it seemed to work really well…

Counter-Measures

As a user you can simply delete your browser’s history on a regular basis and set your browser to private mode. Firefox also provides a plug-in (SafeHistory) to protect against such attacks (unfortunately, it only works with Firefox up to version 2).

Timeline

February 1, 2010, 10 a.m.: We hear about the problem for the first time and test the site

12 noon: Initial contact with the researchers, followed by an internal investigation into the situation

1 p.m.: Counter-measures devised and agreed on

2 p.m.: Start of development as a top priority

February 3, 2010, 12 noon: QA phase launched

February 4, 2010, 5:08 p.m.: Hotfix goes live

We at XING are of course obliged to do all we can to protect our users. Based on this, we have now put a counter-measure in place to meet the recommendations made by Thorsten Holz and Gilbert Wondracek.

To be more specific, we have added a random number to all the relevant links on the platform (i.e. links containing Group names). The URL is saved in the history together with this number. The browser only treats a link as visited if it is the exact same string as a URL visited in the past, so the probability that someone can guess the URL using the ‘yes/no’ question and answer game is about zero. We are currently monitoring usage and will take further action over the next few days if required.
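The effect of this change can be modeled offline. The following is an added example, not XING's code: the `_r` parameter name, the 64-bit token size and the group names are assumptions made up for illustration, and the browser history is modeled as a plain set of strings with exact-match lookup.

```javascript
// Added illustration: models the exact-match history check in plain data.
// The parameter name "_r" and the 64-bit token size are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const BASE = 'http://www.xing.com/net/';

// Link as rendered before the hotfix: identical for every user, so guessable.
function plainGroupUrl(slug) {
  return BASE + slug;
}

// Link as rendered after the hotfix: a fresh random value per rendered link.
function tokenizedGroupUrl(slug) {
  const bytes = rng.getRandomValues(new Uint8Array(8));
  const token = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  return `${BASE}${slug}?_r=${token}`;
}

// Server side: the token carries no meaning and is ignored when routing.
function resolveGroup(url) {
  const u = new URL(url);
  return u.pathname.startsWith('/net/') ? u.pathname.slice('/net/'.length) : null;
}

// Model of the browser's visited check: only the identical string matches.
function knownVisited(history, candidateUrls) {
  return candidateUrls.filter(u => history.has(u));
}

// Constructed sample: one user's group clicks, and the publicly known groups.
const clicked = ['security-example', 'hamburg-example'];
const publicSlugs = ['security-example', 'hamburg-example', 'cooking-example'];

function simulate(makeLink) {
  const history = new Set(clicked.map(makeLink));  // what the browser stored
  const guesses = publicSlugs.map(plainGroupUrl);  // URLs a third party can name
  return knownVisited(history, guesses).map(resolveGroup);
}

console.log('before hotfix:', simulate(plainGroupUrl));
console.log('after hotfix: ', simulate(tokenizedGroupUrl));
```

With plain links the two clicked groups are recovered; with tokenized links the result is empty, because no guessable string equals a stored one. Any plain Group URL already in the history still matches, which is why clearing old history entries remains part of the advice.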

The upshot of all this is that your browser should now prevent anyone from de-anonymizing your XING profile. However, please bear in mind that your browser’s history will still contain entries dating back several hours, days or even weeks, so it’s best to be on the safe side and delete your browser’s history once you’ve finished surfing.

If you have any other questions, please feel free to contact the XING Group or post a comment here in the blog.


4 Comments
Joe from article libre de droit on 29.07.2010 at 21:42h CET

Thank you for this article which explains to us a little more on the strategy used by XING. Of a practical aspect this system is very brilliant because today almost everywhere on Web, he asks us for our personal information.

After a short period the people get discouraged to sign up for web site.

Company gonna lose money…

XING is a great invention!

Best Regards
Joe from article libre de droit

Ronny on 08.08.2010 at 08:33h CET

Web privacy attacks are a serious challenge and provide opportunity for those seeking personal and commercial data. However, many users are unaware of these vulnerabilities and don't protect themselves accordingly. This work I think helps to highlight the issue and the potential counter measures. However, there are some compatibility issues with safe history for firefox.

Sylvain for Article Référencé on 19.09.2010 at 11:10h CET

Thanks for pointing out this concern.
I was aware of this ‘leak’ of privacy data; this technique can be used very easily using a few lines of jQuery.
Although, it is very powerful and we can only imagine how harmful it can be within bad hands…

Don on 17.05.2013 at 05:02h CET

I got this website from my friend who shared with me regarding this website and at the moment this time I am visiting this web site and reading very informative articles here.
