Contributions to Proceedings:
G. Wondracek, T. Holz, E. Kirda, C. Krügel:
"A Practical Attack to De-Anonymize Social Network Users";
in: "Proceedings of the 2010 IEEE Symposium on Security and Privacy",
issued by: IEEE;
IEEE Computer Society.

Abstract:
Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates and have millions of registered users. In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is sufficient to uniquely identify this person, or, at least, to significantly reduce the set of possible candidates. That is, rather than tracking a user's browser as with cookies, it is possible to track a person. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable.
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats
Created from the Publication Database of the Vienna University of Technology.