Hacker News new | comments | ask | show | jobs | submit login

I've been tracking security holes that leak your identity for a while.

Via a bug in Firefox's Error object: http://33bits.org/2010/06/01/yet-another-identity-stealing-b...

Via a bug in Google spreadsheets: http://33bits.org/2010/02/22/google-docs-leaks-identity/ (I found this one :-)

Via history stealing: http://33bits.org/2010/02/18/cookies-supercookies-and-uberco...

More sophisticated, but hypothetical version of previous: http://33bits.org/2010/02/19/ubercookies-history-stealing-so...

XSS bugs and other problems with Instant personalization partner sites: http://33bits.org/2010/09/28/instant-personalization-privacy...

I've also been predicting that this will eventually become the new normal -- both because the bugs are coming too fast to fix (and exploits in the wild will become more common) and because Facebook is pushing to change people's expectations with Instant Personalization.

The other day I attended a talk about one-click frauds. I realized that that's the perfect black-hat use-case for this class of attacks (although current 1-click fraudsters are apparently rather low tech). Stay tuned.

Bugs that allow remote attackers to take over your computer when you hit an evil web page are also coming almost too fast to fix. They aren't the new normal, so I see no reason to back down on these kinds of problems either.

(You don't hear about most of these bugs, because the people who find them don't usually publish before the patch hits, but ask anyone who's reported a bunch of browser bugs how long they waited for fixes.)

That's a very good point. Sorry if I was unclear earlier -- I don't think we should give up on trying to find/fix these bugs. I was thinking more along the lines of (1) improving user education (2) improving private browsing mode to deal with these attacks even at the expense of compromising some functionality. Mozilla has already been thinking along these lines: https://wiki.mozilla.org/Security/Anonymous_Browsing#Anonymo...

As for whether it will become the new normal, that remains to be seen, but I think there are a couple of differences compared to regular privilege-escalation exploits: (1) everyone agrees that taking over your computer is malicious, whereas the perception of identity leaks is malleable (2) identity leaks are harder to deal with: even after the relevant bug is fixed, the attacker still has the mapping of your identity to your IP/browser fingerprint.

But thanks for the comparison and I will keep an open mind about this :-)

Nice compilation. It is good that Google has taken this seriously and are working to fix it quickly. We will probably see a few more like this as things like Google, Facebook Connect, Twitter become federated Identity Providers to many sites on the net.

I must say though personally if it is only harvesting my email address I don't really have a major issue with it, I use my email address everywhere and signup for lots of services, Gmail is very good at spam filtering and with unsubscribe.com and prioritized inbox I don't have a problem maintaining a zero inbox. Doesn't mean it is not a bug that they shouldn't fix, I'm just saying that perhaps the impact is not as large as the votes that got this to the frontpage of Hacker news implies.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact