
Showing papers by "Chris J. Mitchell published in 2018"


Book ChapterDOI
09 Sep 2018
TL;DR: The authors crawled the 10,000 most popular websites to gain insights into how many websites use the technique, which websites collect fingerprinting information, and exactly what information is retrieved.
Abstract: Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe FingerprintAlert, a freely available browser add-on we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.

13 citations


Journal ArticleDOI
TL;DR: It is shown that even non-intended actions are executed when their effects are activated strongly enough, and that ideomotor cues do not only influence preplanned responses but can effectively insert intentions to act, creating behavior de novo, as predicted from ideomotor theories of action control.
Abstract: It feels intuitive that our actions are intentional, but there is considerable debate about whether (and how) humans control their motor behavior. Recent ideomotor theories of action argue that action intentions are fundamentally perceptual, that actions are not only controlled by anticipating (imagining) their intended perceptual consequences, but are also initiated when this action effect activation is strong. Here, the authors report a study (plus a replication) that provides direct evidence for this proposal, showing that even nonintended actions are executed when their effects are activated strongly enough. Participants mentally rehearsed a movement sequence and were unexpectedly presented with salient visual cues that were either compatible or incompatible with their currently imagined action. As predicted by ideomotor theories, the combined activation through imagery and perception was sufficient to trigger involuntary actions, even when participants were forewarned and asked to withhold them. Ideomotor cues, therefore, do not only influence preplanned responses but can effectively insert intentions to act, creating behavior de novo, as predicted from ideomotor theories of action control.

12 citations


Proceedings ArticleDOI
01 Nov 2018
TL;DR: This paper proposes a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Abstract: Many millions of users routinely use Google, Facebook and Microsoft to log in to websites supporting OAuth 2.0 and/or OpenID Connect. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance. Unfortunately, as previous studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Index Terms: OAuth 2.0, OpenID Connect, CSRF

10 citations


Book ChapterDOI
15 Nov 2018
TL;DR: In this paper, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model, leading naturally to a set of recommendations governing how such systems should be implemented to maximise security.
Abstract: Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.

9 citations


Book ChapterDOI
19 Mar 2018
TL;DR: A new class of practical attacks on OAuth 2.0 implementations, called Partial Redirection URI Manipulation Attacks, is disclosed, and 19 leading OAuth 2.0 identity providers are found to be vulnerable to these attacks.
Abstract: Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.

9 citations


Posted Content
TL;DR: This paper proposes a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Abstract: Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

7 citations


Proceedings ArticleDOI
01 Oct 2018
TL;DR: This study surveyed password recovery emails for 50 of the top English language websites and investigated a range of security and usability issues for such emails, covering their design, structure and content, the techniques used to recover the password, and variations in email content from one web service to another.
Abstract: Secret passwords are very widely used for user authentication to websites, despite their known shortcomings. Most websites using passwords also implement password recovery to allow users to re-establish a shared secret if the existing value is forgotten; many such systems involve sending a password recovery email to the user, e.g. containing a secret link. The security of password recovery, and hence the entire user-website relationship, depends on the email being acted upon correctly; unfortunately, as we show, such emails are not always designed to maximise security and can introduce vulnerabilities into recovery. To understand better this serious practical security problem, we surveyed password recovery emails for 50 of the top English language websites. We investigated a range of security and usability issues for such emails, covering their design, structure and content (including the nature of the user instructions), the techniques used to recover the password, and variations in email content from one web service to another. Many well-known web services, including Facebook, Dropbox, and Microsoft, suffer from recovery email design, structure and content issues. This is, to our knowledge, the first study of its type reported in the literature. This study has enabled us to formulate a set of recommendations for the design of such emails.

7 citations


Posted Content
TL;DR: A significant security vulnerability in a recently published group key establishment protocol allows a malicious insider to fraudulently establish a group key with an innocent victim, with the key chosen by the attacker.
Abstract: A significant security vulnerability in a recently published group key establishment protocol is described. This vulnerability allows a malicious insider to fraudulently establish a group key with an innocent victim, with the key chosen by the attacker. This shortcoming is sufficiently serious that the protocol should not be used.

5 citations


Journal ArticleDOI
TL;DR: The results provide unique evidence to suggest that PIT is a direct consequence of the strength of the Pavlovian associations, as well as an indirect effect of cue salience.
Abstract: Outcome-selective Pavlovian-instrumental transfer (PIT) refers to the finding that presenting Pavlovian predictors of outcomes can enhance the vigor of instrumental responding for those same outcomes. Three experiments examined the sensitivity of outcome-selective PIT to Pavlovian (stimulus-outcome) extinction. In Experiment 1, participants first learnt to perform different instrumental responses to earn different outcomes. In a separate Pavlovian training phase, certain stimuli were established as Pavlovian signals of the different outcomes. Some of these Pavlovian stimuli were then extinguished (they were presented alone, without any outcome), while others were not. A final transfer test measured the extent to which these Pavlovian cues biased instrumental response choice. Consistent with previous work, the observed PIT effects were immune to Pavlovian extinction; the non-extinguished and extinguished cues produced PIT effects that did not significantly differ in size. In Experiment 2, response choice was tested in the presence of compound stimuli that included both extinguished and non-extinguished cues. Response choice was highly sensitive to the extinction manipulation under these circumstances. Experiment 3 tested whether this sensitivity to Pavlovian extinction was a direct effect of the associative strength of the Pavlovian cues present, or an indirect effect of cue salience. The results provide unique evidence to suggest that PIT is a direct consequence of the strength of the Pavlovian associations.

5 citations


Journal ArticleDOI
TL;DR: The depressive-realism effect was not observed in a clinically depressed sample of participants given a rumination induction, even when depressed participants were encouraged to ruminate; participants in all conditions showed a non-normative judgment of control.
Abstract: The depressive-realism effect refers to a phenomenon in which depressed individuals are more realistic at assessing the relationship between two events than non-depressed individuals. Recent evidence suggests that the depressive realism hypothesis is weaker than first thought. Thus, we sought evidence for depressive-realism under conditions that we hypothesised would maximise the effect. We tested a clinically depressed sample of participants who were administered a rumination induction. Twenty-eight clinically depressed and 39 non-depressed participants were randomly allocated to either a rumination condition (focused on the causes, consequences, and meaning of their mood) or a distraction condition (focused on external objects/events such as a classroom). Participants then completed a contingency task in which there was no relationship between their responses and an outcome, and they were asked to make a judgment of how much control they had over an outcome. Both groups and conditions did not differ in their judgments of control; participants in all conditions showed a non-normative judgment of control. The depressive-realism effect was not observed in this study, even when depressed participants were encouraged to ruminate. Rather, the present study clearly demonstrates the robustness of the illusion of control.

3 citations


Posted Content
TL;DR: Major shortcomings in a recently published group key establishment protocol are described in detail; they are sufficiently serious that the protocol should not be used.
Abstract: Major shortcomings in a recently published group key establishment protocol are described. These shortcomings are sufficiently serious that the protocol should not be used.

Posted Content
TL;DR: In this article, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model, leading naturally to a set of recommendations governing how such systems should be implemented to maximise security.
Abstract: Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.