Targeted Deanonymization via the Cache Side Channel
https://leakuidatorplusteam.github.io/
A paper describing the attacks will appear in the 31st USENIX Security Symposium (Boston, 10–12 August, 2022). A preprint of the paper is available here. The paper is the result of a collaboration between a group of researchers at the New Jersey Institute of Technology: Mojtaba Zaheri, Yossi Oren, and Reza Curtmola.
According to the authors, this attack has some nasty elements:
- It can precisely target any user with a specific public identifier, while leaving non-targeted users untouched.
- It can target users logged into highly popular resource-sharing services, for example Google, Dropbox, Twitter, Facebook.
- It works on users who use any browser including Tor Browser.
- It's scalable to attack large numbers of users.
- It gives no indication to the victim that they are being attacked.
- Effective countermeasures may involve a compromise of usability.
On the Internet, the casual person surfing a website has a reasonable expectation that their identity remains private. We reveal new cache-based targeted deanonymization attacks which threaten user anonymity: an attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website. The attacker knows this target only through a public identifier, such as an email address or a Twitter handle.
The attacks leverage the sharing/blocking functionality provided by resource-sharing services such as YouTube, Google Drive, Dropbox, or Twitter. The target user is assumed to be logged into such a sharing service. The attacks exploit the CPU cache side channel on the target’s device, and can bypass isolation mechanisms and various defenses deployed by browser vendors or resource-sharing services.
We evaluated the attacks on multiple hardware microarchitectures, multiple operating systems and multiple browser versions, including the highly-secure Tor Browser, and demonstrated practical targeted deanonymization attacks on major sites, including Google, Twitter, LinkedIn, TikTok, Facebook, Instagram and Reddit. The attack runs in less than 3 seconds in most cases, and can be scaled to target a large number of users.