Prompting Collaboration with Twitter, Microsoft, and Mozilla to Improve Security Mechanisms of Major Global Services and Browsers
Nippon Telegraph and Telephone Corporation – NTT – has discovered a novel privacy threat in social web services (SWSs) and developed a technique for evaluating this threat.
This threat arises when a user of a SWS visits a malicious third-party website. That site can identify the name of the user’s SWS account and exploit the account name for various types of attacks, such as abuse of personal information and online fraud. This “Silhouette” threat can be evaluated with a technique that we developed, and using this technique, we have already discovered SWSs that are vulnerable to it.
NTT is sharing information with service providers, browser vendors, and other parties that could be affected by this threat before any damage occurs, and, using this evaluation technique, is cooperating with them to implement countermeasures in actual services and web browsers, including Twitter, Microsoft Edge, Internet Explorer, and Mozilla Firefox.
In this way, NTT is preventing SWS account names from being identified by third parties through this threat and making it safer for all users to use and enjoy SWSs.
Details of this privacy threat and evaluation technique were presented at the 3rd IEEE European Symposium on Security and Privacy (Euro S&P 2018), a distinguished academic conference in cyber security held by IEEE in April 2018 in the United Kingdom.
Background and History
In recent years, a wide variety of SWSs have come into existence on the Internet as typified by social networking services (SNSs) and video sharing sites. One survey reported that each user has at least five SWS accounts on average.
Privacy problems in SWSs include the leaking of registration details or private information in posts, but it is also known that simply using a SWS poses the risk of account-name identification from a third-party website accessed by the user.
The privacy threat announced here relates to an account identification problem that we have recently discovered. At present, many SWSs have yet to implement any countermeasures against this threat.
Overview of the threat
If a user of a SWS happens to visit a malicious third-party website, that site can identify the name of the user’s SWS account. Search results, advertisements commonly embedded in websites, and links included in e-mail can all lead the user to a malicious site completely unrelated to the SWS. The malicious site can then secretly communicate with the SWS that the user is logged into and identify the name of the user’s account there.
The condition for such account identification is that a user who is currently logged into a SWS vulnerable to this threat visits a malicious third-party website using a web browser on a computer or mobile device.
A typical SWS includes a mechanism for automatically maintaining the logged-in state until the browser’s cookie is deleted by some operation such as an explicit logout. As a consequence, a user who has logged into a SWS targeted by this threat even once in the past may remain a target for account identification.
As part of its R&D initiatives in cyber security, NTT will continue to develop techniques for evaluating new threats to web services as reflected by the risk evaluation technique reported here. At the same time, NTT is committed to collaborating with related institutions whenever a new problem is discovered to continuously raise the safety of the Internet. Going forward, NTT will strive to provide robust services while promoting secure web services and web browsers in society and the safe and secure use of the Internet.