The researchers, from the Technical University of Vienna, the Institute Eurecom, Sophia Antipolis and the University of California, Santa Barbara, used information about which social network groups a user belongs to. "This is often sufficient to uniquely identify this user," they said. "When unique identification is not possible, then the attack might still significantly reduce the size of the set of candidates that the victim belongs to."
The researchers' technique uses websites with sparse data sets – that is, websites where information about each individual user represents only a small fraction of the overall attributes. This applies to social networking sites because even the most active user is only a member of a small fraction of all groups, which means that the group membership serves as a fingerprint, they said in a paper to be published at the 31st IEEE Symposium on Privacy and Security.
This fingerprint information is gathered using a technique called 'history stealing', in which a user's browser history is probed to determine which sites they have visited. The URLs found there can reveal which social networking groups they have joined, the paper said.
"By combining this information with previously collected group membership data from the social network, it is possible to de-anonymize any user (of this social network) who visits the attacker's website," the paper continued.
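The privacy-risk reasoning above (sparse memberships act as a fingerprint, and partial observation still shrinks the candidate set) can be made concrete with an added example. This is not code from the paper or from any of the networks mentioned; it uses a small constructed membership table and assumes that whatever is observed about a user is a subset of their true memberships (a probe can miss a group, but cannot report one the user never joined). The functions measure the anonymity set a given observation leaves, and how many users would be identified outright from their full group set, which is the kind of metric a platform operator would use to audit exposure.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Set

# Constructed sample data (hypothetical users and groups, not from the paper).
# Real networks have millions of users and tens of thousands of groups, and
# each user joins only a handful: that sparsity is what makes the set a fingerprint.
MEMBERSHIPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"hiking", "python", "vienna"}),
    "bob":   frozenset({"hiking", "python"}),
    "carol": frozenset({"hiking", "vienna"}),
    "dave":  frozenset({"hiking", "python"}),
    "erin":  frozenset({"chess"}),
    "frank": frozenset({"chess"}),
    "grace": frozenset({"chess", "vienna", "sailing"}),
}


def candidate_set(memberships: Dict[str, FrozenSet[str]], observed: Set[str]) -> Set[str]:
    """Users consistent with an observation of some of a visitor's groups.

    Assumption: the observation is a subset of the true memberships, so every
    user whose group set is a superset of the observed groups remains a
    candidate. The smaller this set, the more the observation narrows
    down the visitor; a size of 1 is unique identification.
    """
    return {user for user, groups in memberships.items() if observed <= groups}


def _group_by_fingerprint(memberships: Dict[str, FrozenSet[str]]) -> Dict[FrozenSet[str], list]:
    """Index users by their exact group set (the fingerprint)."""
    by_fingerprint: Dict[FrozenSet[str], list] = defaultdict(list)
    for user, groups in memberships.items():
        by_fingerprint[groups].append(user)
    return by_fingerprint


def anonymity_set_sizes(memberships: Dict[str, FrozenSet[str]]) -> Dict[str, int]:
    """For each user, the number of users sharing their exact fingerprint.

    A value of 1 means the full group set alone identifies the user; an
    operator can use this to flag low-k users or to decide which group
    membership pages should not be publicly enumerable.
    """
    by_fingerprint = _group_by_fingerprint(memberships)
    return {user: len(by_fingerprint[groups]) for user, groups in memberships.items()}


def uniqueness_rate(memberships: Dict[str, FrozenSet[str]]) -> float:
    """Fraction of users whose full group set is unique in the dataset.

    This is the worst-case exposure figure: if all of a user's groups were
    recovered, these users would be identified outright.
    """
    sizes = anonymity_set_sizes(memberships)
    return sum(1 for k in sizes.values() if k == 1) / len(sizes)


if __name__ == "__main__":
    print("observed {hiking, python} ->", sorted(candidate_set(MEMBERSHIPS, {"hiking", "python"})))
    print("observed {hiking, python, vienna} ->", sorted(candidate_set(MEMBERSHIPS, {"hiking", "python", "vienna"})))
    print("anonymity set per user:", anonymity_set_sizes(MEMBERSHIPS))
    print(f"uniquely identifiable from full fingerprint: {uniqueness_rate(MEMBERSHIPS):.0%}")
```

Seeing two of a visitor's groups already narrows the constructed network of seven users to three, and seeing a third narrows it to one; that is the "reduce the size of the set of candidates" effect the researchers describe, and the same functions run unchanged over a real membership export to estimate what share of a user base is exposed.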
The researchers targeted the Xing social network, which has roughly eight million registered users, for their proof-of-concept attack. They also targeted Facebook and LinkedIn, which have far greater user bases. They found that 42% of Xing's users could be vulnerable to the attack, and that both Facebook and LinkedIn are also potentially vulnerable.
Amazon and eBay could also be vulnerable to a de-anonymization attack, said the paper.