
De-anonymizing website visitors via FB timing attacks - aysfrm11
https://quadhead.de/website-besucher-durch-timing-attacken-auf-facebook-deanonymisieren/
======
laumars
Site is in German. Google Translate has given me an idea as to the content of
article but I'm still a little confused about how the timing attack works. Is
someone able to explain this better please?

~~~
mcphage
The author created a number of "Promoted Posts" on Facebook, for different age
groups and relations. Then they send a series of requests to FB on behalf of
the visitor. FB rejects them, but because they amount of time they take varies
depending on whether they would see the promoted post or not, the site owner
can use the time that FB takes to determine if their visitor would have seen
the promoted post—and thus, whether they meet the demographic criteria for it.
In my case, the promoted post that the site owner created to show to 36-year-
olds took longer than the one for 35-year-olds and 37-year olds. Thus they
concluded (correctly) that I'm 36.

~~~
cloudjacker
Neat! What could I do with that?

