Explore a conference talk from USENIX Security '19 that unveils a novel privacy attack called "leaky images." Discover how shared image files can be exploited to reveal whether specific users are visiting particular websites, even without the use of JavaScript or CSS. Learn about the basic mechanics of the attack, its variants for tracking user groups and linking identities across sites, and its impact on popular image-sharing platforms. Examine the four conditions necessary for leaky images attacks, understand their practical implications, and review potential mitigation techniques at both browser and website levels. Gain insights into the responsible disclosure process and the responses from affected sites, including Facebook and Twitter's efforts to address the issue.
Overview
Syllabus
Intro
Has John Visited My Site?
This Talk: Leaky Images
Basic Idea of Leaky Images Attack
Example of Attack
Image Sharing in the Web
Four Conditions for Leaky Images
Attacking a Group of Users
Pseudonym Linking Attack
Scriptless Version of the Attack
Leaky Images in Practice
Vulnerable Sites
Responsible Disclosure
Example: Twitter
Mitigations
Conclusion
Taught by
USENIX
