De-anonymize Google users is the goal of different studies and a new research conducted by Andew Cantino, the vice president of engineering at Mavenlink, demonstrates that it is possible to demasking Google users with a Timing Attack under particular conditions. In the past Cantino had been awarded a bug bounty from Google three times.
Google has confirmed the attack scenario, but told to Andrew Cantino it would not address the issue because the risk of exposure is ranked as low.
“the risk here is fairly low, both in terms of impact and difficulty of exploiting this against a large population, and we don’t have an effective solution”. said Google.
“I agree that this could be hard to fix, but it also could be used for very creepy purposes against targeted individuals,” “It goes to show how difficult it is to stay anonymous online.” commented Cantino.
Cantino provided the details of the attack in a blogpost, an attacker can target a user or an organization share a Google document with one or more email addresses, but taking care to uncheck the option whereby Google sends the recipient a notification.
“Now the attacking site can figure out when someone logged into any of the shared addresses visits their site.This is mostly useful for very targeted attacks, where an attacking site needs to behave differently based on who is viewing. This could be used for spear phishing, identification of government officials, demasking users of TOR, industrial mischief, etc.” said Cantino.
Using the technique explained by Cantino, a threat actor could track victims when they logged into a shared address visits the attacker’s site, the experts remarked that the techniques could be adopted in spear phishing attack or to de-anonymize Tor users if they’re logged in to Google while using the Tor browser.
The attacker can set up a malicious page that repeatedly instantiates an image whose source points at the URL of a Google Drive document. The time necessary to load the page will be greater if the document is not viewable. The
onerror callback of the image is triggered in both cases, viewable or not viewable, because the result isn’t an image, but the attacker can record the time from the image instantiation to triggering of the onerror.
Cantino revealed that during its tests the loading process took an average of 891ms when the document was available, meanwhile the loading time was 573ms when it was not. Of course, the time depends on the speed of the connection used, for this reason it makes sense to simultaneously test against a document that is always known to be inaccessible, then compare times with the probe document.
A bad actor could use the attack to try to identify a user who’s on Tor if it is logged into his Google account, or anyway to allow the attacker to target the attack on specific users view malicious content.
“What this sort of timing attack can allow is de-anonymizing of specifically targeted Google users as they browse the web. If you control a website and want to know when a specific user with a specific Gmail address visits your site, you could use this technique to identify them, even without setting a cookie,” “Imagine you want to build a page that behaves differently when a certain Google user views it, either because you’re conducting a spear phishing attack to gain their trust, or simply because you want to conclusively log that they visited your site. You could silently share a document with this user, then determine when they visit a website you control.”Cantino said.
(Security Affairs – Google users, Tor)