Researcher uncovers timing attack to decloak Google users

By

But web giant isn't interested in remediating it.

A newly discovered timing attack could be used to identify Google users, in order to prove that they've visited a specific site, or even to serve up tailored content to targeted individuals.

Researcher uncovers timing attack to decloak Google users

The exploit could be used in so-called spearphishing campaigns and also to pinpoint users of the anonymising The Onion Router (TOR) software, if they are logged on to Google at the same time.

Andrew Cantino, vice president of engineering for business management software company Mavenlink, discovered the timing attack. He explained to iTnews that it is more targeted than theoretical.

"It wouldn't be hard to deploy against a small set of real users, but would be hard to use against many people at once," Cantino said.

A succesful timing attack to decloak a Google user has several steps, but is straightforward to execute Cantino wrote on his blog.

By recording the difference in loading times for a maliciously crafted page that repeatedly instantiates an image with a source that points to the URL of a Google Drive document, it is possible to identify when a specific targeted user such as a government official accesses it.

Sample code for Cantino's timing attack

"An attacker knows someone's Gmail address, makes a new Google Drive document and shares it only with this address, but un-checks the option that causes a share notification to be sent," Cantino said, describing the flow of the exploit.

"Now, when the targeted person visits a site controlled by the attacker, the attacker can identify the user based on this timing attack against the document," he said.

The attack has been disclosed to Google ahead of publication.

However, Cantino said Google has decided not to fix the problem as it deemed the risk being fairly low as well as the attack being difficult to exploit against large amounts of users.

"... and we don't have an effective solution," Google told Cantino.

Cantino was awarded two prizes in 2011 by Google's Vulnerability Reward Program, for finding three bugs in Gmail, and is in the web service provider's Security Hall of Fame.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
gmailgooglesecurityspearphishing

Sponsored Whitepapers

Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Service Over Signatures: The Truth About No Lock-In IT
Service Over Signatures: The Truth About No Lock-In IT
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.

Events

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments
Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"
SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy
Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?