SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking

Elie Bursztein, Chinmay Soman, Dan Boneh, John C. Mitchell   @WWW 2012
We use modern features of web browsers to develop a secure login system from an untrusted terminal. The system, called Session Juggler, requires no server-side changes and no special software on the terminal beyond a modern web browser. This important property makes adoption much easier than with previous proposals. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal. We show that Session Juggler works on all the Alexa top 100 sites except eight. Of those eight, five failures were due to the site enforcing IP session binding. We also show that Session Juggler works flawlessly with Facebook connect. Beyond login, Session Juggler also provides a secure logout mechanism where the trusted phone is used to kill the session. To validate the session juggling concept we conducted a number of web site surveys that are of independent interest. First, we survey how web sites bind a session token to a specific device and show that most use fairly basic techniques that are easily defeated. Second, we survey how web sites handle logout and show that many popular sites surprisingly do not properly handle logout requests.