NTT prevents massive social media privacy breaches by working with Twitter, Microsoft, and Mozilla.

As social media becomes an integral part of our personal lives, protecting privacy on social media is an increasingly important concern across the globe. Respecting privacy rights is essential not only for compliance with the General Data Protection Regulation (GDPR) and the regulations that have followed it, such as the even tougher California Consumer Privacy Act, but also for earning customers' trust and building a sustainable business.

NTT, for one, strives to respect and protect customers’ privacy. As part of our continuous effort toward privacy protection, researchers at NTT Secure Platform Laboratories have discovered “Silhouette”, a new type of privacy threat that can reveal users' social media identities without their knowledge or permission. The threat could affect as many as two billion users of the world's largest social media services. NTT researchers have successfully prevented the attacks by working together with Twitter, Mozilla (for the Firefox browser), Microsoft (for the Internet Explorer browser) and other major players on the internet.

With a little prep work and a trap site, “Silhouette” attackers would have been able to identify the social media accounts of visitors to the trap site. Similar attacks had been discovered before, but this one could cause serious damage because it is relatively easy to launch and can target tens of millions of social media accounts for identification. Once the attackers have identified the accounts, they could track victims' activities on social media and use that knowledge in many ways, for example for blackmail and/or as the basis of aggressive social engineering attacks. Your privacy on social media would be at the mercy of the attackers.

Ironically, the attacks use one of social media’s own privacy protection features: user blocking. More precisely, they use the round trip time (RTT) of normal and blocked accesses. The RTT of each type is statistically distinguishable, so the RTT alone reveals whether an access was blocked or not. Furthermore, by setting up dummy “signaling” social accounts and assigning each visitor (or victim) a unique combination of normal and blocked statuses across those accounts, one can distinguish the visitor, because each unique combination of account statuses (blocked or not) produces a corresponding unique combination of RTTs. All in all, an attacker can tell which one of a set of social media accounts (obtained elsewhere) is owned by a visitor to a trap site that the attacker has set up.

The attack goes through the following steps:

Step 1: Target enumeration and preparation: An attacker gathers the social media accounts of target victims, creates signaling accounts to measure RTT on the social media service, and sets up a trap site.

Step 2: Bit assignment: The attacker assigns each target victim a unique combination of normal and blocked signaling accounts on the social media service so that the victims can be identified by measuring RTT.

Step 3: Target blocking: According to the assignment, the attacker sets the block status of the corresponding signaling accounts for each victim.

Step 4: Target identification: The attacker has each of the target victims visit a trap site, sends and executes a script on her/his browser to measure RTT, and identifies her/his social media account.
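A service operator can check its own endpoints for this kind of leak by timing responses served to blocked and non-blocked viewers and testing whether the two sets can be told apart. The sketch below is an added example, not code from NTT or the paper; the timing values are constructed and every function name is hypothetical.

```python
import math
import random

def best_threshold_accuracy(normal, blocked):
    """Best accuracy a single RTT cut-off achieves, in either direction.
    0.5 means block status cannot be read from timing; 1.0 is a full leak."""
    best = 0.5
    for t in sorted(set(normal) | set(blocked)):
        correct = sum(n < t for n in normal) + sum(b >= t for b in blocked)
        acc = correct / (len(normal) + len(blocked))
        best = max(best, acc, 1 - acc)
    return best

def signaling_accounts_needed(targets):
    """Each signaling account carries one bit (blocked or not), so a unique
    combination per target needs ceil(log2(targets)) accounts."""
    return math.ceil(math.log2(max(targets, 1)))

def all_bits_correct(per_bit_accuracy, bits):
    """Chance that every bit of one visitor's combination is read correctly."""
    return per_bit_accuracy ** bits

def audit(normal, blocked, targets):
    """Summarise how much block status leaks through response time."""
    acc = best_threshold_accuracy(normal, blocked)
    bits = signaling_accounts_needed(targets)
    return {"per_bit_accuracy": acc, "bits": bits,
            "pattern_read_ok": all_bits_correct(acc, bits)}

def constructed_samples(mean_normal, mean_blocked, n=200, seed=7):
    """Constructed RTT samples in milliseconds (not measurements)."""
    rng = random.Random(seed)
    normal = [rng.gauss(mean_normal, 15.0) for _ in range(n)]
    blocked = [rng.gauss(mean_blocked, 15.0) for _ in range(n)]
    return normal, blocked

if __name__ == "__main__":
    # "leaky": blocked pages respond measurably differently from normal ones.
    # "equal timing": both kinds of response take the same time on average.
    for label, means in (("leaky", (200, 260)), ("equal timing", (200, 200))):
        normal, blocked = constructed_samples(*means)
        print(label, audit(normal, blocked, targets=10_000_000))
```

A per-bit accuracy close to 0.5 on real measurements means the timing carries no usable signal about block status; anything well above that is worth investigating.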

The "Silhouette" attack is a type of side channel attack, which does not attack its target directly but breaks the target's confidentiality and/or integrity by inferring information through indirect side channels (or information sources), such as cache accesses and the time taken to carry out specific tasks. An attack of the latter kind is called a timing attack, and the "Silhouette" attack is of this type. Once again, the original blocking feature is meant for privacy protection, and it had no apparent vulnerability on its own. As systems become increasingly and overwhelmingly complex, a new feature with good intentions may produce unexpected side effects that increasingly sophisticated attackers can leverage.

To outsmart attackers, NTT is pushing the frontier of privacy and security for society at large, in addition to protecting its customers from current and immediate threats. This result was accepted and presented at IEEE Euro S&P 2018, a prestigious international technical conference. Working with the community of experts from academia and industry around the world, NTT R&D keeps contributing to the advancement of cybersecurity technology and knowledge. Further technical details can be found here.

Reference

T. Watanabe, E. Shioji, M. Akiyama, K. Sasaoka, T. Yagi, and T. Mori: "User Blocking Considered Harmful? An Attacker-controllable Side Channel to Identify Social Accounts," Proceedings of the 3rd IEEE European Symposium on Security and Privacy (Euro S&P 2018), April 2018