Abusing the Number of Shared Anime and Affinity to Uncover Private Lists

Mar 7, 2021 2:01 PM
#1
Suggestion: don't show the number of shared anime and affinity for private lists

An in-depth explanation (and code) can be found here:
https://github.com/stephen-huan/MAL-affinity-attack

The basic idea is that knowing the number of shared anime and the affinity
against a user with a private list leaks information about their list. For
example, one could systematically test whether an anime is in the private
list by creating a list with only that anime, and then check the number of
shared anime. If it's 1, then the anime is in the list, otherwise it isn't.
This seems very inefficient, but there are ways to make it better in practice
--- one doesn't need to go through all the 17,000+ anime in the MAL database,
they can take e.g. the top 1000 which is probably good enough. Also there's a
more efficient binary tree algorithm discussed in the above link that further
reduces the number of trials, especially for small lists.

The more dangerous attack is once the anime in the private list is known,
the ratings for each anime can be determined very efficiently: the number of
affinity checks it takes is just the number of anime in the private list.
This is extremely reasonable and can even be done by hand for small lists.

Thus, there exists a two-phase attack:
1. Determine the anime in a private list with the number of shared anime
2. Determine the ratings of each anime using the affinity
This completely determines a private list and can actually be
done in practice, see the code for a simulation of the situation.

One counter-argument: the statistics take a long time to update, on the
order of ~20 minutes. First, that is just a constant factor difference,
the asymptotic efficiency of the algorithm is linear (e.g. doubling the
private list size just doubles the time to find out all the ratings). All
the ratings in a private list of size 300 (roughly the average list size)
could still be found out in 300/3 = 100 hours, or about 4 days which is
not unreasonable. Second, the algorithm easily parallelizes, which means
each query can be done simultaneously and therefore the attacker only
needs to wait for 20 minutes total.

The ratings attack directly attacks the forum post
"Private ratings but a public list" which suggests implementing the
feature that anime is public but their ratings are private:
https://myanimelist.net/forum/?topicid=1530213
Because the ratings attack is far more efficient than the anime determination
attack, such a feature would be useless in the eyes of an attacker.

The most similar forum post to this one would probably be
"Private anime/manga lists not really private" which discusses how
showing 3 random picks from the private list leaks information:
https://myanimelist.net/forum/?topicid=1204325

This is a slight variation on the "coupon collector's problem":
https://en.wikipedia.org/wiki/Coupon_collector%27s_problem
Even for just 1 random anime shown it would take on average n log n refreshes,
so an expected 385 ln 385 ~= 2,300 refreshes. My ratings attack is n refreshes,
so it is even more efficient than this exploit in terms of refreshes.

Finally, the last forum post I could find that is similar would be
"Private lists are not really private" which describes a direct API exploit:
https://myanimelist.net/forum/?topicid=1525076

Lastly: I don't use private lists and I don't know anyone who does. I don't
have any personal investment in this, I just think that private lists should be
private. This is an extremely minor change and unlikely to affect anyone ---
I doubt anyone has taken advantage of this attack before. But I felt that if
I discovered the attack, I should publicize the fact such an attack exists.
Mar 7, 2021 3:58 PM
#2
hmm, it seems to be too complex when it could be much easier to do this "attack", this doesn't even seem to be an attack actually, since the mal anime stats page is public and MAL doesn't hide who added/scored the anime in the stats page.

I think that some simple google dorks could be able to find a lot of animes that some user that has their list private has in their list.

It's not a big deal anyways... Sadly I doubt that MAL will care about your "bug report"
Click here to see My Tampermonkey Scripts For MAL

If you like my work, please consider supporting it!
Cryptos / Patreon / Ko-Fi / BuyMeaCoffee https://cyber-sec0.github.io
Mar 7, 2021 5:24 PM
#3
A clarification: when I say "statistics" I don't mean the anime's stats page,
like this one for Tamako Market:
https://myanimelist.net/anime/16417/Tamako_Market/stats?m=all#members
I don't think that shows private users' updates; I couldn't find the user
affinity-oracle's (my private list test user) scores on that page.

I instead mean the number of shared anime and affinity when you view a user's
page, like this user: https://myanimelist.net/profile/affinity-oracle

I'm not sure how Google would find out the anime in a private
user's list, as far as I know Google only indexes publicly
available information since it scrapes the web with bots.
Mar 7, 2021 10:33 PM
#4
I knew this was possible but it always felt like a pain to test out so props to you OP for putting in the effort. Nice writeup as well - is this for a university project?

hacker09 said:
since the mal anime stats page is public and MAL doesn't hide who added/scored the anime in the stats page.

Only shows the latest 7500 user stats though

But yes MAL isn't super strict about private lists, as exemplified by the fact that you can see your friends' status (watching, ptw, dropped) and score on a show at the stats page. Makes me skeptical of those users who mass send thousands of friend requests.
<Something>
Mar 8, 2021 5:08 AM
#5
Well just like hacker09 said it's not like the private lists are fully private. Especially you can add someone with a private list as your friend and see their scores and last time added in the stats page. Also if you make someone one of your "top friends" you can always see their 3 last anime updates in this page.

I think one of the reasons no one's stats are completely private was because in the past people reported "bot" and "troll" accounts, but now this is outdated since MAL deals with them; other than this nothing comes to my mind of why it should be like this.
Mar 8, 2021 5:39 AM
#6
Once someone got scared of me just because I commented on their profile asking for an illegal anime link that the mal stats page said that they have completed.

I've once spammed a lot of people by opening a few mal stats pages and I was trying to find some animes that I wasn't able to find (btw I still can't find them). And this mal user that has/had his list private had his profile listed there on this anime mal page, so he was scared...

Then he asked me how I knew he completed that anime, I said I saw his profile listed on the anime stats, and I could easily make his whole list public and knew everything he watched. I would just use google for doing that...

Your project is nice and pretty complex, but maybe you could try doing what I said, it will probably work out the same way. I just didn't know that that page had a limit, but even though there are chances that google caches, stores and displays the users of these pages that mal doesn't show anymore.

Maybe tools like malhistory (website made by a random user) can easily do what your complex tool does (but not from the past user list)
hacker09 Mar 8, 2021 6:06 AM
Oct 10, 7:01 AM
#7
This is still relevant; if one is dedicated enough, they could theoretically write a script that, let's say, by using a fake account adds entries one by one and checks if the number of shared entries between lists has increased; if not, the entry is deleted; in this manner one could deduce the entire private list
