Tell me about yourself: The malicious CAPTCHA Attack

Nethanel Gelernter, Amir Herzberg

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

10 Scopus citations

Abstract

We present the malicious CAPTCHA attack, allowing a rogue website to trick users into unknowingly disclosing their private information. The rogue site displays the private information to the user in an obfuscated manner, as if it were a CAPTCHA challenge; the user is unaware that solving the CAPTCHA results in disclosing private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent access by rogue sites to private information, by exploiting the fact that many websites allow display of private information (to the user) upon requests from any (even rogue) website. Information so disclosed includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more. The vulnerability is common and the attack works for many popular sites, including nine out of the ten most popular websites. We evaluated the attack using IRB-approved, ethical user experiments.

Original language: English
Title of host publication: 25th International World Wide Web Conference, WWW 2016
Publisher: International World Wide Web Conferences Steering Committee
Pages: 999-1008
Number of pages: 10
ISBN (Electronic): 9781450341431
DOIs
State: Published - 2016
Event: 25th International World Wide Web Conference, WWW 2016 - Montreal, Canada
Duration: 11 Apr 2016 - 15 Apr 2016

Publication series

Name: 25th International World Wide Web Conference, WWW 2016

Conference

Conference: 25th International World Wide Web Conference, WWW 2016
Country/Territory: Canada
City: Montreal
Period: 11/04/16 - 15/04/16
