[talk] Cyber False Login

Pete Wright pete at nomadlogic.org
Thu Dec 28 12:34:21 EST 2017

On 12/27/2017 20:24, Sujit K M wrote:
> Hi All,
> I have recently been working in my free time on a security flaw which
> might not have been reported thus far, or which major sites don't test.
> Say there is a site A dependent on site B for login. Now say a person
> P logs into A and doesn't log out. Say now someone else gets access to the
> machine and deploys locally his own site which is dependent on site B
> for login. He can get information regarding Person P.
> I checked with some of the popular sites but this doesn't seem to be
> possible. What could be the reason?

The devil is in the details, but I think I understand where you are 
going with this.  I've worked at a couple of shops now that make heavy use 
of auth tokens in a way similar to what you are describing.  For your scenario 
above it sounds like a good use case for JWT:


That should give the developer enough flexibility to define how a given 
token can be used, potentially mitigating token hijacking issues.


Pete Wright
pete at nomadlogic.org
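To make the "define how a given token can be used" point concrete, here is an added example (not code from the thread or from any project it mentions) of a JWT whose `aud` claim binds it to one relying site, so a token issued for site A is rejected by a second site that merely shares the same login provider B. The shared HS256 secret, site URLs and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by login provider B and relying site A.
# A real deployment would use per-audience keys or an asymmetric algorithm.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """Provider B issues a short-lived HS256 JWT scoped to one relying site."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_audience: str, now=None):
    """Relying site checks signature, algorithm, expiry and that 'aud' names it.

    Returns the claims dict on success, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or wrong segment count
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("aud") != expected_audience:  # token was issued for another site
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

The local site in the scenario above presents a different audience value, so even a token copied from the machine fails the `aud` check; a short `exp` further limits how long a leftover session token stays usable.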
