IMDEA Software

Iniciativa IMDEA

Inicio > Eventos > Software Seminar Series > 2019 > Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your State
Esta página aún no ha sido traducida. A continuación se muestra la página en inglés.

Avinash Sudhodanan

martes 9 de julio de 2019

10:45am Lecture hall 3, level B

Avinash Sudhodanan, Post-doctoral Researcher, IMDEA Software Institute

Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your State

Abstract:

In this talk, I will introduce you to Cross-Origin State Inference (COSI) attacks. In a COSI attack, an attacker convinces a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim’s web browser to infer the victim’s state at a target web site. COSI attacks can be leveraged to mount several privacy attacks on web users including determining whether the victim has an account or is the administrator of a prohibited web site, determining if the victim owns sensitive content hosted at a target web site, and identifying whether the victim is the owner of a specific account. While COSI attacks are not new, they have previously been considered as sparse attacks under different names. We systematically study COSI attacks as a comprehensive category, identify different classes of them, and propose an approach for detecting them. Although I will not get into the details of our detection approach (saving for another occasion), I will present the COSI attacks we found on popular live web sites including linkedin.com, blogger.com and drive.google.com. Finally, I will present the defenses for COSI attacks.