TY - GEN
T1 - Tell me about yourself
T2 - 25th International World Wide Web Conference, WWW 2016
AU - Gelernter, Nethanel
AU - Herzberg, Amir
PY - 2016
Y1 - 2016
N2 - We present the malicious CAPTCHA attack, allowing a rogue website to trick users into unknowingly disclosing their private information. The rogue site displays the private information to the user in an obfuscated manner, as if it were a CAPTCHA challenge; the user is unaware that solving the CAPTCHA results in disclosing private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent access by rogue sites to private information, by exploiting the fact that many websites allow display of private information (to the user) upon requests from any (even rogue) website. Information so disclosed includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more. The vulnerability is common and the attack works for many popular sites, including nine out of the ten most popular websites. We evaluated the attack using IRB-approved, ethical user experiments.
AB - We present the malicious CAPTCHA attack, allowing a rogue website to trick users into unknowingly disclosing their private information. The rogue site displays the private information to the user in an obfuscated manner, as if it were a CAPTCHA challenge; the user is unaware that solving the CAPTCHA results in disclosing private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent access by rogue sites to private information, by exploiting the fact that many websites allow display of private information (to the user) upon requests from any (even rogue) website. Information so disclosed includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more. The vulnerability is common and the attack works for many popular sites, including nine out of the ten most popular websites. We evaluated the attack using IRB-approved, ethical user experiments.
UR - http://www.scopus.com/inward/record.url?scp=85024497587&partnerID=8YFLogxK
U2 - 10.1145/2872427.2883005
DO - 10.1145/2872427.2883005
M3 - Conference contribution
AN - SCOPUS:85024497587
T3 - 25th International World Wide Web Conference, WWW 2016
SP - 999
EP - 1008
BT - 25th International World Wide Web Conference, WWW 2016
PB - International World Wide Web Conferences Steering Committee
Y2 - 11 April 2016 through 15 April 2016
ER -