Search results

The purpose of the paper is to assess the precautionary measures adopted by the popular websites in India, and, thus, find out how vulnerable the Indian Web users are to this form of attack. Today almost all work is done through the Internet, including monetary transactions. This holds true even for developing countries like India, thus making secure browsing a necessity. However, an attack called “clickjacking” can help Internet scammers to carry out fraudulent tasks. Even though researchers had proposed different techniques to face this threat, it remains a question on how effectively they are deployed in practice.

To carry out the study, top 100 Indian and global websites in India were identified and were divided into static and dynamic websites based on the level of interaction they offer to the users. These websites were checked to see whether they offer any basic protection against clickjacking and, if so, which defence technique is used. A comparison between Indian websites and global websites is done to see where India stands in terms of providing security.

The results show that 86 per cent of Indian websites offer no protection against clickjacking, in contrast to 51 per cent of global websites. It is also observed that in the case of dynamic websites, only 18 per cent of Indian websites offer some form of protection, when compared to 63 per cent of global websites. This is quite alarming, as dynamic websites such as social networking and banking websites are the likely candidates for clickjacking, resulting in serious consequences such as identity and monetary theft.

In this paper, vulnerability of Indian websites to clickjacking is presented, which was not addressed before. This will help in creating awareness among the Indian Web developers as well as the general public, so that precautionary measures can be adopted.

This study attempts to develop an efficient concept to mitigate the risks of social engineering in the era of social networks. For instance friend requests on Facebook are often accepted blindly, thus granting unknown people access to profile details. These problems fuel requirements for an application, developed in this study, that raises awareness of security issues in Facebook.

The “Theory of Planned Behaviour” (TPB), a model from psychology to predict behaviour, is used as a theoretical foundation for the application. Attitudes, perceived behavioural control and social norms are the main variables of this model. Social norms can be massively affected by the Facebook friends and therefore an application is developed which uses this in order to raise awareness.

The application propagated itself virally. Out of 117 users of the application, 15 took action to change the public‐search option visibility from public to private. The use of the application took on average 10.5 minutes.

Applications that scan a Facebook profile for fishy content already exist. However, at the time of writing this paper, no application specifically written against social engineering was known to the author.

The interoperability of cloud data between web applications and mobile devices has vastly improved over recent years. The popularity of social media, smartphones and cloud-based web services have contributed to the level of integration that can be achieved between applications. This paper investigates the potential security issues of OAuth, an authorisation framework for granting third-party applications revocable access to user data. OAuth has rapidly become an interim de facto standard for protecting access to web API data. Vendors have implemented OAuth before the open standard was officially published. To evaluate whether the OAuth 2.0 specification is truly ready for industry application, an entire OAuth client server environment was developed and validated against the speciation threat model. The research also included the analysis of the security features of several popular OAuth integrated websites and comparing those to the threat model. High-impacting exploits leading to account hijacking were identified with a number of major online publications. It is hypothesised that the OAuth 2.0 specification can be a secure authorisation mechanism when implemented correctly.

To analyse the security of OAuth implementations in industry a list of the 50 most popular websites in Ireland was retrieved from the statistical website Alexa (Noureddine and Bashroush, 2011). Each site was analysed to identify if it utilised OAuth. Out of the 50 sites, 21 were identified with OAuth support. Each vulnerability in the threat model was then tested against each OAuth-enabled site. To test the robustness of the OAuth framework, an entire OAuth environment was required. The proposed solution would compose of three parts: a client application, an authorisation server and a resource server. The client application needed to consume OAuth-enabled services. The authorisation server had to manage access to the resource server. The resource server had to expose data from the database based on the authorisation the user would be given from the authorisation server. It was decided that the client application would consume emails from Google’s Gmail API. The authorisation and resource server were modelled around a basic task-tracking web application. The client application would also consume task data from the developed resource server. The client application would also support Single Sign On for Google and Facebook, as well as a developed identity provider “MyTasks”. The authorisation server delegated authorisation to the client application and stored cryptography information for each access grant. The resource server validated the supplied access token via public cryptography and returned the requested data.

Two sites out of the 21 were found to be susceptible to some form of attack, meaning that 10.5 per cent were vulnerable. In total, 18 per cent of the world’s 50 most popular sites were in the list of 21 OAuth-enabled sites. The OAuth 2.0 specification is still very much in its infancy, but when implemented correctly, it can provide a relatively secure and interoperable authentication delegation mechanism. The IETF are currently addressing issues and expansions in their working drafts. Once a strict level of conformity is achieved between vendors and vulnerabilities are mitigated, it is likely that the framework will change the way we access data on the web and other devices.

OAuth is flexible, in that it offers extensions to support varying situations and existing technologies. A disadvantage of this flexibility is that new extensions typically bring new security exploits. Members of the IETF OAuth Working Group are constantly refining the draft specifications and are identifying new threats to the expanding functionality. OAuth provides a flexible authentication mechanism to protect and delegate access to APIs. It solves the password re-use across multiple accounts problem and stops the user from having to disclose their credentials to third parties. Filtering access to information by scope and giving the user the option to revoke access at any point gives the user control of their data. OAuth does raise security concerns, such as defying phishing education, but there are always going to be security issues with any authentication technology. Although several high impacting vulnerabilities were identified in industry, the developed solution proves the predicted hypothesis that a secure OAuth environment can be built when implemented correctly. Developers must conform to the defined specification and are responsible for validating their implementation against the given threat model. OAuth is an evolving authorisation framework. It is still in its infancy, and much work needs to be done in the specification to achieve stricter validation and vendor conformity. Vendor implementations need to become better aligned in order to provider a rich and truly interoperable authorisation mechanism. Once these issues are resolved, OAuth will be on track for becoming the definitive authentication standard on the web.