When you sign up to a membership group on a social networking site you may be revealing more than you bargained for.
An experimental website has managed to identify the names of people who visit it, by harvesting information about the groups they belong to. It's a trick marketing teams and scammers would love to copy.
The snooping site exploits the fact that your web browser keeps track of which web addresses you have visited. Website owners can glean this information by hiding a list of web addresses in the code for their web page. When someone accesses this page, their browser will tell the website owner which of the hidden addresses they have already visited.
Membership groups within social networks have distinct web addresses: the New Scientist group on Facebook, for example, is accessed via www.facebook.com/newscientist. What's more, the names of group members are publicly available.
Gilbert Wondracek at the Vienna University of Technology in Austria and his colleagues collected data on 6500 groups, containing 1.8 million users, on Xing, a business-oriented social network based in Hamburg, Germany. After analysing the overlap between membership lists they estimated that 42 per cent of users could be uniquely identified by the groups they visit.
The researchers then built a website that read visitors' history of browsing Xing addresses. When they asked 26 friends and colleagues who use Xing to try it, they were able to identify 15 of them. Wondracek's paper showing how this was done was presented at the IEEE Symposium on Security and Privacy in Oakland, California, this week.
Since Wondracek's experiment, Xing has started adding random numbers to the addresses used to access its membership groups. The Xing server ignores the extra numbers, but they confuse attacks by a site like Wondracek's.
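The effect of that change can be sketched in a few lines. This is an added example, not code from Xing or from Wondracek's paper; the host `social.example`, the 12-digit suffix format and all function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit

# Hypothetical URL layout (an assumption, not Xing's real scheme):
#   https://social.example/groups/<slug>-<12 random digits>
BASE = "https://social.example/groups/"
SUFFIX_LEN = 12


def randomized_group_url(slug):
    """Build a group link carrying a fresh random numeric suffix."""
    nonce = secrets.randbelow(10 ** SUFFIX_LEN)
    return f"{BASE}{slug}-{nonce:0{SUFFIX_LEN}d}"


def canonical_slug(url):
    """Server side: ignore the random suffix and return the group slug."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    slug, sep, suffix = last.rpartition("-")
    if sep and suffix.isdigit() and len(suffix) == SUFFIX_LEN:
        return slug
    return last  # an old-style link without a suffix still resolves


def guessable_hits(history, candidates):
    """Model the browser's exact-match visited lookup: return the fixed
    candidate URLs that appear verbatim in the visitor's history."""
    return [url for url in candidates if url in history]


def demo():
    groups = ["new-scientist", "vienna-alumni"]   # constructed sample data
    fixed_list = [BASE + g for g in groups]       # addresses an outsider can list
    old_history = set(fixed_list)                 # visits made via fixed links
    new_history = {randomized_group_url(g) for g in groups}
    return {
        "hits_before": guessable_hits(old_history, fixed_list),
        "hits_after": guessable_hits(new_history, fixed_list),
        "server_resolves": sorted(canonical_slug(u) for u in new_history),
    }


if __name__ == "__main__":
    print(demo())
```

Because the history lookup is an exact match on the full address, a fixed list of group addresses no longer matches anything the member actually visited, while the server still maps every randomized link to the right group.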
Arvind Narayanan, a computer scientist at Stanford University in California, fears that this may not be enough to fend off similar attacks, especially if they use multiple social networks and other websites that host membership groups. It is unlikely that all such sites will use random characters to mask addresses, he points out.
More complete protection may come in the next round of browser updates. The developers of Firefox, Chrome and Safari are working on fixes that will prevent browsing history being relayed back to website owners. Microsoft declined to say whether it is working on something similar for Internet Explorer, the web's most popular browser.
Jim Giles tweets at twitter.com/jimgiles