[talk] Cyber False Login

John Weintraub johnweintraub at gmail.com
Thu Dec 28 03:24:08 EST 2017


unless C convinces B that it's A when in fact it's not A at all.

On Dec 28, 2017 12:17 AM, "Sujit K M" <kmsujit at gmail.com> wrote:

On Thu, Dec 28, 2017 at 10:13 AM, John Weintraub
<johnweintraub at gmail.com> wrote:
> Hi Sujit;
>
> I'd think that the site A or B or both have some auto-logoff feature, where
> after not very long, if no activity is detected, the user is logged out.
> This could be, say three to five minutes of inactivity. I know that would
> create some vulnerability, but that's a pretty narrow window in which to
> hack a website. And for my money, I think it would be site A that would have
> the auto-logoff feature, which might be as simple as a script telling site B
> to log out the inactive user.
>

Another way to look at it is since A calls B and B knows A is the one
that is authenticated.
It doesn't let another site C to use the authentication owned by A.
