User anonymity in web browsers could be bypassed, according to a new study

July 25, 2022

In a recent study, researchers found a new technique that could allow anyone, such as hackers, to bypass a web browser’s user anonymity protections and learn a website visitor’s unique identity. For instance, once a hacker has gained control of a website, they would be able to determine a user’s identity and unique online behaviour.

The identified technique favours those in the marketing and advertising sectors, hackers, state-backed groups, spyware vendors, or any entity that would benefit from knowing a user’s identity online.

Usually, a web page captures a visitor’s IP address, although the user still remains anonymous. However, with this newly identified tactic, hackers could use subtle features of a web browser’s behaviour to determine a user’s activities, such as which online platforms they are logged into.

The researchers also stressed that even Tor, a browser that pledges strong user anonymity, could be bypassed by the technique.

Moreover, because of the stealthiness of this newfound attack technique, it could compromise a user’s online identity without them knowing.

The attack has several initial requirements: the hackers must gain control of a targeted website, access a list of user accounts linked to the targeted individual, and access the accounts’ contents. The threat actor needs the content from the user accounts because they must embed it on a malicious website and wait until someone visits it.

Once a lure succeeds and the targeted victim visits the malicious site, the threat actor would analyse which users can and cannot view the content.

According to the researchers, the attack works because of several factors: major online platforms let their users host media and embed it on third-party sites, and those users usually stay logged in to all the platforms on which they have accounts. This implies that a user’s online behaviour could expose them to risks without them knowing.

The researchers also noted that people with average internet usage behaviour should not worry about these potential risks to their anonymity. However, high-risk groups, such as journalists and protesters, are usually targeted by hackers and are therefore advised to be more cautious.
