Tell Me About Yourself: The Malicious CAPTCHA Attack

Authors: Nethanel Gelernter, Amir Herzberg

DOI: 10.1145/2872427.2883005

Keywords:

Abstract: We present the malicious CAPTCHA attack, which allows a rogue website to trick users into unknowingly disclosing their private information. The rogue site displays the user's private information in an obfuscated manner, as if it were a CAPTCHA challenge; the user is unaware that solving the CAPTCHA results in disclosing that information to the rogue site. This circumvents the Same Origin Policy (SOP), whose goal is to prevent rogue sites from accessing private information, by exploiting the fact that many websites allow the display of private information (to the user) upon requests from any (even rogue) website. Information so disclosed includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more. The vulnerability is common and the attack works for many popular sites, including nine out of the ten most popular websites. We evaluated the attack using IRB-approved, ethical experiments.

References (17)
Sebastian Lekies, Mario Heiderich, Martin Johns, Thorsten Holz, Dennis Appelt, "On the fragility and limitations of current browser-provided clickjacking protection schemes", WOOT'12: Proceedings of the 6th USENIX Conference on Offensive Technologies, p. 6 (2012)
Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, Collin Jackson, "Clickjacking: attacks and defenses", USENIX Security Symposium, p. 22 (2012)
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu, "Reverse social engineering attacks in online social networks", International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 55-74 (2011), 10.1007/978-3-642-22424-9_4
Tom Van Goethem, Wouter Joosen, Nick Nikiforakis, "The Clock is Still Ticking: Timing Attacks in the Modern Web", ACM Conference on Computer and Communications Security (CCS), pp. 1382-1393 (2015), 10.1145/2810103.2813632
Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson, "I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks", IEEE Symposium on Security and Privacy, pp. 147-161 (2011), 10.1109/SP.2011.23
Luis von Ahn, Benjamin Maurer, Colin McMillen, David Abraham, Manuel Blum, "reCAPTCHA: Human-Based Character Recognition via Web Security Measures", Science, vol. 321, pp. 1465-1468 (2008), 10.1126/science.1160379
Nethanel Gelernter, Amir Herzberg, "Cross-Site Search Attacks", ACM Conference on Computer and Communications Security (CCS), pp. 1394-1405 (2015), 10.1145/2810103.2813688
Ero Balsa, Carmela Troncoso, Claudia Diaz, "OB-PWS: Obfuscation-Based Private Web Search", IEEE Symposium on Security and Privacy, pp. 491-505 (2012), 10.1109/SP.2012.36
Davide Balzarotti, Christopher Kruegel, Marco Balduzzi, Manuel Egele, Engin Kirda, "A solution for the automated detection of clickjacking attacks", ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 135-144 (2010), 10.1145/1755688.1755706
Manuel Egele, Leyla Bilge, Engin Kirda, Christopher Kruegel, "CAPTCHA smuggling", Proceedings of the 2010 ACM Symposium on Applied Computing (SAC '10), pp. 1865-1870 (2010), 10.1145/1774088.1774483