poster

One Thing Leads to Another: Credential Based Privilege Escalation

Authors:
Peter Snyder

University of Illinois at Chicago, Chicago, IL, USA

University of Illinois at Chicago, Chicago, IL, USA
View Profile

,
Chris Kanich

University of Illinois at Chicago, Chicago, IL, USA

University of Illinois at Chicago, Chicago, IL, USA
View Profile

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and PrivacyMarch 2015Pages 135–137https://doi.org/10.1145/2699026.2699127

Published:02 March 2015Publication History

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

Pages 135–137

ABSTRACT

A user's primary email account, in addition to being an easy point of contact in our online world, is increasingly being used as a single point of failure for all web security. Features like unlimited message storage, numerous weak password reset features and economically enticing spoils (in the form of financial accounts or personal photos) all add up to an environment where overthrowing someone's life via their primary email account is increasingly likely and damaging. We describe an attack we call credential based privilege escalation, and a methodology to evaluate this attack's potential for user harm at web scale. In a study of over 9,000 users we find that, unsurprisingly, access to a vast number of online accounts can be gained by breaking into a user's primary email account (even without knowing the email account's password), but even then the monetizable value in a typical account is relatively low. We also describe future directions in understanding both the technical and human aspects of credential based privilege escalation.

References

Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M., Levi, M., Moore, T., and Savage, S. Measuring the cost of cybercrime. In WEIS (2012).Google Scholar
Danchev, D. Hacked origin, uplay, hulu plus, netix, spotify, skype, twitter, instagram, tumblr, freelancer accounts offered for sale. http://www.webroot.com/blog/2013/06/07/hacked-origin-uplay-hulu-plus-netflix-spotify-skype-twitter-instagram-tumblr-freelancer-accounts-offered-for-sale/, 2013.Google Scholar
Federal Bureau of Investigation. International cooperation disrupts multi-country cyber theft ring. http://www.fbi.gov/news/pressrel/press-releases/international-cooperation-disrupts-multi-country-cyber-theft-ring, October 2010.Google Scholar
Florencio, D., and Herley, C. Is everything we know about password stealing wrong? Security & Privacy, IEEE 10, 6 (2012), 63--69. Google ScholarDigital Library
Franklin, J., Perrig, A., Paxson, V., and Savage, S. An inquiry into the nature and causes of the wealth of internet miscreants. In ACM conference on Computer and communications security (2007), pp. 375--388. Google ScholarDigital Library
Holz, T., Engelberth, M., and Freiling, F. Learning more about the underground economy: A case-study of keyloggers and dropzones. Springer, 2009.Google Scholar
Honan, M. How apple and amazon security aws led to my epic hacking. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/, Aug 2012.Google Scholar
Krebs, B. The scrap value of a hacked pc. http://voices.washingtonpost.com/securityfix/ 2009/05/the_scrap_value_of_a_hacked_pc.html, May 2009.Google Scholar
Moore, T., and Clayton, R. Examining the impact of website take-down on phishing. In Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit (2007), ACM, pp. 1--13. Google ScholarDigital Library
van Kloeten, O., and Tabachnik, I. Plain text offenders. http://plaintextoffenders.com/, 2012Google Scholar

Index Terms

One Thing Leads to Another: Credential Based Privilege Escalation

Recommendations

MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

We explore the problem of identifying unauthorized privilege escalation instances in a web application. These vulnerabilities are typically caused by missing or incorrect authorizations in the server side code of a web application. The problem of ...
Read More
Using one-time passwords to prevent password phishing attacks

Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting ...
Read More
A phishing analysis of web based systems
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security

Phishing is form of identity theft that uses the social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. It is a kind of attack in which phishers use spoofed emails and fraudulent web ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
March 2015
362 pages
ISBN:9781450331913
DOI:10.1145/2699026
General Chair:
Jaehong Park
University of Texas at San Antonio, USA
,
Program Chair:
Anna Squicciarini
The Pennsylvania State University, USA
Copyright © 2015 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 March 2015
Check for updates
Author Tags
web privacy
web security
Qualifiers
- poster
Conference

Acceptance Rates
CODASPY '15 Paper Acceptance Rate19of91submissions,21%Overall Acceptance Rate149of789submissions,19%
More
Upcoming Conference
CODASPY '24

Sponsor:

sigsac

Fourteenth ACM Conference on Data and Application Security and Privacy

June 19 - 21, 2024

Porto , Portugal
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 2
  Total Citations
  View Citations
- 195
  Total Downloads
- Downloads (Last 12 months)5
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

One Thing Leads to Another: Credential Based Privilege Escalation

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications

Using one-time passwords to prevent password phishing attacks

A phishing analysis of web based systems

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

One Thing Leads to Another: Credential Based Privilege Escalation

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications

Using one-time passwords to prevent password phishing attacks

A phishing analysis of web based systems

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media