[talk] Cyber False Login

John Weintraub johnweintraub at gmail.com
Wed Dec 27 23:43:24 EST 2017


Hi Sujit;

I'd think that site A or B, or both, has some auto-logoff feature, where
after not very long, if no activity is detected, the user is logged out.
This could be, say, three to five minutes of inactivity. I know that would
create some vulnerability, but that's a pretty narrow window in which to
hack a website. And for my money, I think it would be site A that would
have the auto-logoff feature, which might be as simple as a script telling
site B to log out the inactive user.

Cheers, JJW

On Wed, Dec 27, 2017 at 8:24 PM, Sujit K M <kmsujit at gmail.com> wrote:

> Hi All,
>
> I have recently been working in my free time on a security flaw which
> might not have been reported thus far, or which major sites don't test.
>
> Say there is a site A dependent on site B for login. Now say a person
> P logs into A and doesn't log out. Say now someone else gets access to the
> machine and deploys locally his own site, which is dependent on site B
> for login. He can get information regarding person P.
>
> I checked with some of the popular sites, but this doesn't seem to be
> possible; what could be the reason?
>
> Regards,
> Sujit K M
>



-- 
John Weintraub
#333-7451 Moffatt Rd.
Richmond BC Canada
V6Y 3W3
604-813-9830
johnweintraub at gmail.com
www.johnweintraub.online
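The auto-logoff John describes, as an added example that is not code from either poster: site A records the last activity time of each local session and, once the idle window passes, ends its own session and tells site B to drop the single sign-on session as well, so a stale login on the machine cannot be reused through B. The site names, the three-minute window, the token format and the tiny in-memory identity provider are all constructed stand-ins.

```python
import time

IDLE_TIMEOUT = 3 * 60  # seconds of inactivity before forced logout (assumed value)

class IdentityProvider:  # constructed stand-in for site B, which owns the SSO session
    def __init__(self):
        self.sessions = {}  # sso token -> user name
    def issue(self, user):
        token = f"sso-{user}-{len(self.sessions)}"
        self.sessions[token] = user
        return token
    def whoami(self, token):
        return self.sessions.get(token)
    def logout(self, token):
        self.sessions.pop(token, None)

class RelyingSite:  # constructed stand-in for site A, which depends on B for login
    def __init__(self, idp, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.idp, self.idle_timeout, self.clock = idp, idle_timeout, clock
        self.sessions = {}  # local session id -> [sso token, last activity time]
    def login(self, user):
        token = self.idp.issue(user)
        sid = f"sid-{len(self.sessions)}"
        self.sessions[sid] = [token, self.clock()]
        return sid
    def request(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        token, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            # Expire locally and tell site B to drop the SSO session as well
            self.idp.logout(token)
            del self.sessions[sid]
            return None
        entry[1] = now  # activity seen: restart the idle window
        return self.idp.whoami(token)

def demo():
    now = [0.0]  # controllable clock so the idle window can be crossed instantly
    idp = IdentityProvider()
    site_a = RelyingSite(idp, clock=lambda: now[0])
    sid = site_a.login("P")
    token = site_a.sessions[sid][0]
    now[0] = 120.0                  # two minutes idle: still inside the window
    active = site_a.request(sid)
    now[0] += IDLE_TIMEOUT + 1      # past the window: forced off at A and at B
    expired = site_a.request(sid)
    return active, expired, idp.whoami(token)
```

After the window closes, site B no longer recognises P's token, so another site on the same machine that relies on B for login gets nothing back for it.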