[talk] Cyber False Login
Pete Wright
pete at nomadlogic.org
Thu Dec 28 12:34:21 EST 2017
On 12/27/2017 20:24, Sujit K M wrote:
> Hi All,
>
> I have recently been working in my free time on a security flaw which
> might not have been reported thus far or that major sites don't test.
>
> Say there is a site A dependent on site B for login. Now say a person
> P logs into A and doesn't log out. Say now someone else gets access to the
> machine and deploys locally his own site which is dependent on site B
> for login. He can get information regarding Person P.
>
> I checked with some of the popular sites but this doesn't seem to be
> possible; what could be the reason?
the devil is in the details, but i think i understand where you are
going with this. i've worked at a couple shops now that make heavy use
of Auth tokens in a similar way you are describing. For your scenario
above it sounds like a good use-case of JWT:
https://en.wikipedia.org/wiki/JSON_Web_Token
That should give the developer enough flexibility to define how a given
token can be used, potentially mitigating token hijacking issues.
-p
--
Pete Wright
pete at nomadlogic.org
@nomadlogicLA
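To illustrate the mitigation Pete points at, here is an added example (not code from either poster) of how a relying party checks the audience of a JWT issued by the login provider, so a token minted for site A is refused by a different site that also depends on site B. It assumes an HS256 shared secret between B and its relying parties; the hostnames, subject and secret are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed: signing key shared by site B and its relying parties

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Site B (the login provider) mints an HS256 JWT scoped to one relying party via 'aud'."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "site-b.example", "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, expected_aud: str, now: int) -> dict:
    """A relying party accepts a token only if signature, issuer, audience and expiry all check out."""
    h, c, s = token.split(".")  # raises ValueError on a malformed token
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier decides the algorithm, not the token
    expected_sig = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != "site-b.example":
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token not issued for this site")  # blocks reuse at the locally deployed site
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def demo(now: int = 1_514_400_000) -> dict:
    """Person P's token for site A: accepted at A, refused at another relying party, refused once stale."""
    token = issue_token("person-p", "site-a.example", now)
    results = {"site_a": verify_token(token, "site-a.example", now)["sub"]}
    for label, aud, t in [("local_site", "attacker-local.example", now),
                          ("site_a_later", "site-a.example", now + 600)]:
        try:
            verify_token(token, aud, t)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Short expiry plus a strict audience check means a token left behind in a browser is only usable at the site it was issued for, and only briefly.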