Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from the Isec Laboratory for IT Security found a simple and very effective way to identify the person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is exploit the browser history to find out which social networks the user is a member of and which groups he or she has subscribed to within that social network.
The combination of memberships in different groups turns out to be nearly as unique as a fingerprint. According to a paper they published (their server is overloaded at the moment, you may need to try again later), this kind of identification through pattern recognition works with most large social networks, like Xing, LinkedIn, Facebook etc. They used a web crawler to collect all of that group membership information from the social network (they ran their proof of concept against Xing.com). Here is a link where you can find out whether this very simple browser history exploit works for you: http://www.iseclab.org/people/gilbert/experiment/.
Iseclab is the first entity to publish about such pattern recognition using browser history information. Let's hope that it hasn't been secretly in use elsewhere, although I fear that exactly this is the case.
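To make the "nearly as unique as a fingerprint" claim concrete, here is an added example (not code from the paper, from Iseclab, or from this post) that shows the matching step a defender would use to estimate re-identification risk: given a crawled table of who belongs to which groups and a set of group pages that a visitor's history reveals as visited, how many users remain consistent with that observation, and which group combinations already single out one person. The membership table is constructed sample data; the user and group names are made up.

```python
from itertools import combinations
from collections import defaultdict

# Constructed sample of crawled group memberships (user -> set of group ids).
# Made-up illustration data, not data from the paper or any real network.
CRAWLED_MEMBERSHIPS = {
    "alice": {"g1", "g2", "g5"},
    "bob":   {"g1", "g3"},
    "carol": {"g1", "g2", "g4"},
    "dave":  {"g2", "g5"},
    "erin":  {"g1", "g2", "g5", "g6"},
    "frank": {"g3", "g4"},
}


def invert(memberships):
    """Build the index a crawler would keep: group id -> set of members."""
    index = defaultdict(set)
    for user, groups in memberships.items():
        for g in groups:
            index[g].add(user)
    return dict(index)


def candidates(observed_groups, memberships):
    """Users whose membership set is consistent with the observed visited groups.

    History sniffing only yields positives (a group page was visited), so a
    user stays a candidate only if they belong to every observed group.  An
    unvisited group page is not used as evidence of non-membership, because
    a member may simply never have opened that page in this browser.
    """
    index = invert(memberships)
    cand = set(memberships)
    for g in observed_groups:
        cand &= index.get(g, set())
    return cand


def anonymity_set_size(observed_groups, memberships):
    """How many users the visitor could still be after this observation."""
    return len(candidates(observed_groups, memberships))


def identifying_combinations(memberships, k=1, max_size=2):
    """Group combinations of up to max_size groups whose candidate set has
    between 1 and k users, i.e. observations that already single someone out.
    Returns {combination: set_of_users}."""
    groups = sorted({g for gs in memberships.values() for g in gs})
    result = {}
    for n in range(1, max_size + 1):
        for combo in combinations(groups, n):
            c = candidates(combo, memberships)
            if 0 < len(c) <= k:
                result[combo] = c
    return result


if __name__ == "__main__":
    observed = {"g1", "g2", "g5"}  # constructed: groups a sniffed history showed as visited
    print("candidates:", sorted(candidates(observed, CRAWLED_MEMBERSHIPS)))
    print("anonymity set size:", anonymity_set_size(observed, CRAWLED_MEMBERSHIPS))
    for combo, users in identifying_combinations(CRAWLED_MEMBERSHIPS).items():
        print(combo, "->", sorted(users))
```

With six users and six groups, three observed groups already narrow the visitor to two people, and a single extra group visit makes the match unique; on a real network with thousands of groups the candidate set shrinks far faster, which is why the combination of memberships behaves like a fingerprint. The same function is also the check a site operator can run against its own group data to see how many members are uniquely identifiable by small group combinations.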