@p
> Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

It's not a hack, it's called Single-Sign-On :)
And it's been known for years.

Interestingly, BadWolf is effectively immune: new tabs have a separate ephemeral session.

@lanodan @p Firefox has this "containers" that keep cookies and persistent data isolated. Should be immune too if used properly.

@m0xee @p Except not really.

The advertised case is about 5 *permanent* containers, maybe a few ephemeral ones, IIRC that's with an extension.

Meanwhile here, the number on the tab easily goes beyond 52 after a few days, together with also often cleaning tabs, as there is virtually no latency in doing so.

I don't think anyone could do this on Firefox without redoing the interface or keybindings, which is probably a pain in the ass.
And if they're anything close to me, their memory usage would be going through the roof because I never clean tabs in Firefox except via just creating a new window and closing the old one.

@lanodan @p No, of course they don't isolate each tab, that would be trouble. You can assign which container the tab uses manually. This way if you log in to Facebook in the Facebook container, cookies and persistent data can't get outside. It's like using a different profile, but all within one browser instance. That is why it should be immune only if used properly. If all your tabs use the default container — it's not.

@m0xee @p So in your mind you create a container for each thing you log into?

Are you not aware of things like shadow-accounts? Facebook has been doing this for absolute ages. (Those people probably hate me :D)

And fingerprinting apparently got good enough that some are advertising it as an authentication method, and it probably works well enough.

@lanodan @p Exactly! For each thing I have to use and I don't trust.
Well, I do a lot more than that. I have Forget Me Not to clean up cookies and persistent data on leaving the domain. I only keep cookies for a few things I need actually.
And I don't have and never had Facebook, Instagram or WhatsApp accounts in the first place. So I think I'm fine 😄

@m0xee @p I guess the difference ends up that I don't trust by default, to the point where I aggressively self-host.

@lanodan @p Self-hosting is great, but takes a lot of time to maintain. I have my own nitter instance, but I'm too lazy to host something like a Matrix server.

@m0xee @p Matrix is a shitshow, don't even try.

Hosting XMPP? Painless, it's essentially just installing prosody and enabling a few plugins in the config, a few more things if you care about VoIP and IPv4.

Hosting mumble? Pretty easy.

Hosting IRC? Easy until you have bots.

Hosting email? Also works well, the ones yelling about Google/Microsoft/… online are probably mailing-list hosters, not the same kind of deal at all. And I wouldn't host mailing-lists except very small ones, subscription management is hell, there are better protocols.

@lanodan @p Isn't hosting e-mail a similar shitshow nowadays? I mean configuring sendmail is a pain, but at least I did it some time ago. But all this DKIM-stuff is a fsckery of its own.

@m0xee @p
> sendmail

Are you from the previous millennium?

I would recommend OpenSMTPd.
As for DKIM… I hate this shit but dkim-proxy just works.

@lanodan @p
> Are you from the previous millennium?

Damn! My cover has been blown! 🤣

@m0xee @lanodan You can ignore DKIM if you don't mind GMail usually marking you as spam. (Fine by me.)

@m0xee @lanodan (SPF you can't ignore; a lot of hosts just drop you without even a courtesy notice. SPF should default to "v=spf1 mx -all".)

@p @m0xee I think drop stuff also drops your email if they got it through a mailing-list (I hate this hack, get a real protocol people, usenet/forums/… are a thing).

@p @m0xee I'm not a forum person but to me it's because of their scattered away decentralisation.
But that's typical web stuff, even for the fediverse there are very few things that allow using multiple accounts at once.

@m0xee @lanodan

> And I don't have and never had Facebook, Instagram or WhatsApp accounts in the first place.

https://en.wikipedia.org/wiki/Shadow_profile
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
