MicroID considered harmful (to privacy)

Technical report CS-08-09

Abstract

MicroID is a deployed Internet standard designed for use as a lightweight decentralized identity primitive for social web applications. This study presents the standard's specification and deployment, and analyzes the security and privacy of MicroID, describing attacks that can be used to compromise the privacy of its users. Although it has been described by its designers as privacy-preserving, in practice the deployment of MicroID has put the private information of many of its millions of unwitting users at risk of compromise. We provide recommendations for changes to the standard and its deployment which prevent these attacks.

Please read the paper for more details on MicroID, privacy, and the evaluation: PDF, HTML

Results

These results were compiled from randomly-chosen users of three online services that published MicroID tokens at the time of the study. Username and full name profile information were used to mount dictionary attacks on the email address inside each token. The evaluation was able to successfully guess a user's email address between one-fifth to one-third of the time, using only the name information shown on a user's public profile.

Digg ClaimID Last.fm
Total users examined 56,775 917 784
Users supplying full names 17,339 637 708
Total addresses guessed 14,294 312 149
Percentage of total 25% 34% 19%
Successful guesses based on:
Solely username 12,413 171 105
Permuted username 383 24 3
Permuted full name 1,498 117 41
Top 5 email domains 12,627 300 139

Table 1, on guessing the email addresses of users of three
popular websites publishing MicroID tokens (§6, Evaluation)

FAQ

Timeline

Advice for MicroID publishers:

Advice for users of sites publishing MicroID:

Links

Chris Erway, Brown CS