[talk] Cyber False Login

Pete Wright pete at nomadlogic.org
Thu Dec 28 12:34:21 EST 2017



On 12/27/2017 20:24, Sujit K M wrote:
> Hi All,
>
> I have recently been working in my free time on an security flaw which
> might have not been reported thus far or major sites don't test.
>
> Say there is an site A dependent on site B for login. Now say a person
> P log's into A and doesn't logout. Say now some else gets access to the
> machine and deploys locally his own site which is dependent on site B
> for login. He can get information regarding Person P.
>
> I checked with some of the popular sites but this doesn't seem to be
> possible, what could be the reason.

the devil is in the details, but i think i understand where you are 
going with this.  i've worked at a couple shops now that make heavy use 
of Auth tokens in a similar way you are describing.  For your scenario 
above it sounds like a good use-case of JWT:

https://en.wikipedia.org/wiki/JSON_Web_Token

That should give the developer enough flexibility to define how a given 
token can be used potentially mitigating token hijacking issues.

-p


-- 
Pete Wright
pete at nomadlogic.org
@nomadlogicLA




More information about the talk mailing list