This post is also available in: heעברית (Hebrew)

Researchers From the New Jersey Institute of Technology have discovered a way to use basic functions of the internet to identify who visits a certain website, with the user being able to detect that they are being hacked. This is a huge warning against a novel technique that attackers could use to de-anonymize website visitors and gain information regarding the personal and digital lives of the visitors. 

The findings show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

Wired.com explains that when you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus, the attacks work against every major browser, including the anonymity-focused Tor Browser.

Reza Curtmola, one of the study authors and a computer science professor at the New Jersey Institute of Technology elaborates that “If you’re an average internet user, you may not think too much about your privacy when you visit a random website, but there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website, and you have no idea that you’ve been exposed.” Curtmola goes on to say that this form of an attack can aid law enforcement in identifying the users of underground extremists or activists, even if these users use pseudonyms. 

This poses a real privacy concern for active online users and exposes one of the vulnerabilities of the digital world that goes deep into the design of hardware, which makes changes and improvements much more elaborate and difficult.