One Thing Leads to Another: Credential Based Privilege Escalation

ABSTRACT
A user's primary email account, in addition to being an easy point of contact in our online world, is increasingly being used as a single point of failure for all web security. Features like unlimited message storage, numerous weak password reset features and economically enticing spoils (in the form of financial accounts or personal photos) all add up to an environment where overthrowing someone's life via their primary email account is increasingly likely and damaging. We describe an attack we call credential based privilege escalation, and a methodology to evaluate this attack's potential for user harm at web scale. In a study of over 9,000 users we find that, unsurprisingly, access to a vast number of online accounts can be gained by breaking into a user's primary email account (even without knowing the email account's password), but even then the monetizable value in a typical account is relatively low. We also describe future directions in understanding both the technical and human aspects of credential based privilege escalation.