USENIX Security 2019
Leaky Images: Targeted Privacy Attacks in the Web
Cristian-Alexandru Staicu, Michael Pradel
21 citations
Abstract
Sharing files with specific users is a popular service provided by various widely used websites, e.g., Facebook, Twitter, Google, and Dropbox. A common way to ensure that a shared file can only be accessed by a specific user is to authenticate the user upon a request for the file. This paper shows a novel way of abusing shared image files for targeted privacy attacks. In our attack, called leaky images, an image shared with a particular user reveals whether the user is visiting a specific website. The basic idea is simple yet effective: an attacker-controlled website requests a privately shared image, which will succeed only for the targeted user whose browser is logged into the website through which the image was shared. In addition to targeted privacy attacks aimed at single users, we discuss variants of the attack that allow an attacker to track a group of users and to link user identities across different sites. Leaky images require neither JavaScript nor CSS, exposing even privacy-aware users, who disable scripts in their browser, to the leak. Studying the most popular websites shows that the privacy leak affects at least eight of the 30 most popular websites that allow sharing of images between users, including the three most popular of all sites. We disclosed the problem to the affected sites, and most of them have been fixing the privacy leak in reaction to our reports. In particular, the two most popular affected sites, Facebook and Twitter, have already fixed the leaky images problem. To avoid leaky images, we discuss potential mitigation techniques that address the problem at the level of the browser and of the image sharing website. 
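As an added illustration (not code from the paper), the following shows one server-side mitigation of the kind the abstract alludes to: the leak works because the browser attaches the victim's session cookie to an image request made from an attacker-controlled page, so a guard that ignores ambient credentials on cross-site requests, and answers every unauthorised request identically, makes the load succeed or fail independently of who the visitor is. The hostname, user names, image path and request shape are constructed for the example.

```python
# Added example, not from the paper. Complements SameSite cookies: the site
# itself refuses to honour ambient credentials on cross-site image fetches.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

OWN_HOST = "share.example"  # constructed hostname of the image-sharing site

# Constructed sample: image path -> users the image was privately shared with.
SHARED_IMAGES: Dict[str, Set[str]] = {"/img/a1b2.png": {"alice", "bob"}}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # user resolved from the session cookie


def request_site(req: Request) -> str:
    """Classify the request as same-origin / same-site / none / cross-site.

    Modern browsers send Sec-Fetch-Site on every request. When it is absent
    (legacy browsers) fall back to the Referer host, and fail closed: a
    third-party page can suppress the referrer, so "unknown" is cross-site.
    """
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None:
        return site
    referer = req.headers.get("Referer")
    host = urlsplit(referer).hostname if referer else None
    return "same-origin" if host == OWN_HOST else "cross-site"


def serve_private_image(req: Request) -> Tuple[int, str]:
    """Return (status, body) for a request to a privately shared image."""
    allowed = SHARED_IMAGES.get(req.path)
    if allowed is None:
        return 404, "not found"
    # Ambient credentials count only for same-site requests: an <img> on a
    # third-party page is served exactly as if the visitor were anonymous.
    user = req.session_user if request_site(req) != "cross-site" else None
    if user in allowed:
        return 200, "<image bytes>"
    # One uniform answer for "not logged in" and "not on the share list", so
    # the response carries no information about the visitor's identity.
    return 403, "forbidden"
```

With this guard a cross-site embed yields 403 for the targeted user and for everyone else alike, which removes the signal the attack depends on.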
Table rows extracted from the paper (column headings are not included in this extract; the first value after the site name is followed by three further values only for sites where it is "yes"):

Rank  Site             Values as extracted
4     youtube.com      no
5     instagram.com    no
6     linkedin.com     no
8     pinterest.com    no
9     wikipedia.org    no
10    wordpress.com    yes  no   no       no
15    tumblr.com       no
18    vimeo.com        no
19    flickr.com       no
25    vk.com           no
26    reddit.com       no
33    blogger.com      no
35    github.com       yes  no   no       no
39    myspace.com      no
54    stumbleupon.com  no
65    dropbox.com      yes  yes  planned  yes
71    msn.com          no
72    slideshare.net   no
91    typepad.com      no
126   live.com         yes  yes  planned  no
152   spotify.com      no
160   goodreads.com    no
161   scribd.com       no
163   imgur.com        no
166   photobucket.com  no
170   deviantart.com   no
217   skype.com        yes  yes  planned  no