A new timing attack has been disclosed that could de-anonymize Google users under particular conditions.
Google acknowledged the issue to researcher Andrew Cantino, the vice president of engineering at Mavenlink, but told him it would not address the issue because the risk is low.
“I agree that this could be hard to fix, but it also could be used for very creepy purposes against targeted individuals,” said Cantino, who three times before had been awarded a bug bounty from Google. “It goes to show how difficult it is to stay anonymous online.”
Cantino described the attack in a blog post published last week. He said an attacker targeting a particular victim or organization could share a Google document with the target's email address, unchecking the option that makes Google send the recipient a notification. Using Cantino's technique, the attacker could then learn when someone logged in to that address visits the attacker's site. Cantino said this could be used in spearphishing campaigns or even to unmask Tor users who are logged in to Google while using the Tor Browser.
“What this sort of timing attack can allow is de-anonymizing of specifically targeted Google users as they browse the web. If you control a website and want to know when a specific user with a specific Gmail address visits your site, you could use this technique to identify them, even without setting a cookie,” Cantino said. “Imagine you want to build a page that behaves differently when a certain Google user views it, either because you’re conducting a spear phishing attack to gain their trust, or simply because you want to conclusively log that they visited your site. You could silently share a document with this user, then determine when they visit a website you control.”
Cantino said that when the visitor's account has access to the shared document, the request for it takes longer to complete than when the document is not accessible to that account.
“Since the result isn’t an image, the onerror callback of the image is triggered in both cases, but we can record how long it takes from image instantiation to triggering of the onerror. This time will be greater when the document is accessible,” he wrote. “In my experiments, loading took an average of 891ms when the document was available, but 573ms when it was not.”
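The measurements above make a statistical oracle: the two outcomes differ only in how long the request takes, so an observer calibrates a threshold and classifies each visit against it. The following model, added here as an illustration rather than anything from Cantino's post, uses his two reported averages (891 ms and 573 ms) and an assumed jitter width to show two things a defender cares about: how reliably a load-time difference of that size can be distinguished under noise, and how a response-time floor (a server that never answers faster than a fixed time, so both outcomes finish together) removes the signal. The jitter, the padding floor and the sample counts are constructed values.

```python
"""Model of a load-time oracle and of response-time padding as a mitigation.

Added illustration, not code from Cantino's write-up. The two mean values are
the averages he reported; every other number is a constructed assumption.
"""
import random
import statistics

ACCESSIBLE_MS = 891.0     # reported average when the document was available
INACCESSIBLE_MS = 573.0   # reported average when it was not
JITTER_SD_MS = 80.0       # assumed network/browser jitter (constructed)


def observe(accessible: bool, rng: random.Random, pad_floor_ms: float = 0.0) -> float:
    """One simulated measurement: time from image instantiation to the onerror callback.

    pad_floor_ms > 0 models a server that never finishes a request sooner than the
    floor, so the accessible and inaccessible cases complete at the same time.
    """
    mean = ACCESSIBLE_MS if accessible else INACCESSIBLE_MS
    elapsed = max(0.0, rng.gauss(mean, JITTER_SD_MS))
    return max(elapsed, pad_floor_ms)


def calibrate(rng: random.Random, pad_floor_ms: float = 0.0, samples: int = 50) -> float:
    """Threshold an observer would derive from reference measurements taken with
    accounts whose access to the document is already known (midpoint of the means)."""
    with_access = [observe(True, rng, pad_floor_ms) for _ in range(samples)]
    without_access = [observe(False, rng, pad_floor_ms) for _ in range(samples)]
    return (statistics.mean(with_access) + statistics.mean(without_access)) / 2


def oracle_accuracy(pad_floor_ms: float = 0.0, trials: int = 1000, seed: int = 7) -> float:
    """Fraction of visits classified correctly; 0.5 means the oracle is no better than a coin flip."""
    rng = random.Random(seed)
    threshold = calibrate(rng, pad_floor_ms)
    correct = 0
    for i in range(trials):
        truth = (i % 2 == 0)                       # alternate accessible / inaccessible visits
        guess = observe(truth, rng, pad_floor_ms) > threshold
        correct += int(guess == truth)
    return correct / trials


if __name__ == "__main__":
    print(f"unpadded responses:  accuracy {oracle_accuracy():.3f}")
    print(f"1100 ms floor:       accuracy {oracle_accuracy(pad_floor_ms=1100.0):.3f}")
```

With an 80 ms jitter the unpadded gap of roughly 320 ms is separated cleanly (accuracy well above 90 percent), which is why a single visit suffices in the write-up; raising the floor above the slower case collapses both distributions onto the same value and accuracy falls back to chance. The same effect is what makes constant-time handling of authorization-dependent requests, or not sending the user's cookies on cross-site subresource requests at all, the relevant defences for this class of leak.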
An attacker could build a phishing page that appears to be logged in to the victim's account, he said, to gain the victim's trust and steal credentials that give access to the victim's network. This kind of targeting could also identify a Tor user who is logged in to a Google account, or let an attacker single out a target and serve that person malicious content.
“The risk here is mostly with very targeted attacks. This is not a broad attack,” he said.