[talk] Cyber False Login
John Weintraub
johnweintraub at gmail.com
Wed Dec 27 23:43:24 EST 2017
Hi Sujit;
I'd think that the site A or B or both have some auto-logoff feature, where
after not very long, if no activity is detected, the user is logged out.
This could be, say, three to five minutes of inactivity. I know that would
create some vulnerability, but that's a pretty narrow window in which to
hack a website. And for my money, I think it would be site A that would
have the auto-logoff feature, which might be as simple as a script telling
site B to log out the inactive user.
Cheers JJW
On Wed, Dec 27, 2017 at 8:24 PM, Sujit K M <kmsujit at gmail.com> wrote:
> Hi All,
>
> I have recently been working in my free time on a security flaw which
> might not have been reported thus far or which major sites don't test.
>
> Say there is a site A dependent on site B for login. Now say a person
> P logs into A and doesn't log out. Say now someone else gets access to the
> machine and deploys locally his own site which is dependent on site B
> for login. He can get information regarding Person P.
>
> I checked with some of the popular sites but this doesn't seem to be
> possible. What could be the reason?
>
> Regards,
> Sujit K M
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
--
John Weintraub
#333-7451 Moffatt Rd.
Richmond BC Canada
V6Y 3W3
604-813-9830
johnweintraub at gmail.com
www.johnweintraub.online
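
The auto-logoff idea from the reply above, as an added example that is not part of either poster's message: site A records the last activity of each session and, once the idle limit passes, ends the session locally and tells site B to log the user out. The class, the `notify_site_b` callback and the session ids are hypothetical, and the five-minute limit is the upper end of the range mentioned in the reply.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class IdleSessionTable:
    """Site A's view of logged-in sessions (hypothetical names throughout)."""
    notify_site_b: Callable[[str], None]         # stand-in for the A -> B logout call
    clock: Callable[[], float] = time.monotonic  # injectable so tests need no sleep
    idle_limit: float = 5 * 60                   # seconds; assumed five-minute limit
    last_seen: Dict[str, float] = field(default_factory=dict)

    def login(self, session_id: str) -> None:
        self.last_seen[session_id] = self.clock()

    def touch(self, session_id: str) -> bool:
        """Record activity. False means the session is unknown or already idle."""
        seen = self.last_seen.get(session_id)
        if seen is None:
            return False
        if self.clock() - seen >= self.idle_limit:
            self._expire(session_id)  # enforce on use, not only in the sweep
            return False
        self.last_seen[session_id] = self.clock()
        return True

    def sweep(self) -> List[str]:
        """Periodic job: expire every idle session and return their ids."""
        now = self.clock()
        idle = [s for s, t in self.last_seen.items() if now - t >= self.idle_limit]
        for session_id in idle:
            self._expire(session_id)
        return idle

    def _expire(self, session_id: str) -> None:
        del self.last_seen[session_id]   # local logout at site A
        self.notify_site_b(session_id)   # ask site B to end its session too


def demo() -> List[str]:
    """Constructed scenario: two sessions, one idles past the limit."""
    now = [0.0]
    logged_out_at_b: List[str] = []
    table = IdleSessionTable(logged_out_at_b.append, clock=lambda: now[0])
    table.login("p-session"); table.login("q-session")
    now[0] = 200.0; table.touch("q-session")  # q stays active
    now[0] = 310.0; table.sweep()             # p idle 310 s, q idle 110 s
    return logged_out_at_b
```

Checking the limit inside `touch` as well as in `sweep` means an idle session is refused on its next request even if the periodic job has not run yet.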