A Study of the Multiple Sign-in Feature in Web Applications

  • Conference paper
  • Published in: Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Nowadays, more and more web applications offer a multiple sign-in feature, allowing users to sign into several accounts simultaneously from the same browser. This feature significantly improves user experience. Unfortunately, if it is not designed and implemented properly, it can lead to security, privacy, or usability issues. In this paper, we perform the first comprehensive study of the multiple sign-in feature across a range of web applications, including Google and Dropbox. Our results show that the problem is quite worrisome: every analyzed product that provides multiple sign-in either suffers from potential security/privacy threats or sacrifices usability to some extent. We present all issues found in these applications and analyze their root cause by identifying four different implementation models. Finally, based on our analysis, we design a client-side proof-of-concept solution, called G-Remember, to mitigate these issues. Our experiments show that G-Remember can supply adequate context information for web servers to recognize the account a user intends to act on, and thus effectively addresses the presented multiple sign-in threat.
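The core ambiguity the abstract describes is that one browser cookie jar can carry several valid sessions, so a request that arrives without any account context forces the server to guess which account the user meant. The following is an added illustration written for this page, not code from the paper or from G-Remember: a toy server-side resolver that shows the naive fallback beside a context-aware variant. The cookie format (`sids=sid-1,sid-2`), the `X-Intended-Session` request header, and the account names are assumptions made for the example.

```javascript
// Added illustration (not from the paper): a server-side session store that
// holds several signed-in accounts for a single browser, mirroring the
// multiple sign-in setting. Cookie format, header name and accounts are
// assumptions for this example.

// Session id -> account. Both sessions belong to the same browser.
const sessions = new Map([
  ["sid-1", { account: "alice@work.example" }],
  ["sid-2", { account: "alice@personal.example" }],
]);

// Parse a Cookie header of the assumed form "sids=sid-1,sid-2" into ids.
function sessionIdsFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sids=([^;]*)/.exec(cookieHeader || "");
  return m ? m[1].split(",").filter(Boolean) : [];
}

// Naive resolution: with several sessions and no account context, fall
// back to the first session. A link opened from the "personal" tab is then
// executed against the "work" account, which is the cross-account mix-up
// the paper's threat model is about.
function resolveNaive(req) {
  const ids = sessionIdsFromCookie(req.headers.cookie);
  if (ids.length === 0) return null;
  const s = sessions.get(ids[0]);
  return s ? s.account : null;
}

// Context-aware resolution: the client attaches the intended session per
// request (here as a header; a URL parameter would serve equally). With a
// single session it behaves as before; with several it refuses to guess and
// requires the context to name one of the sessions actually present in the
// cookie, so a forged or stale selector cannot pick an arbitrary account.
function resolveWithContext(req) {
  const ids = sessionIdsFromCookie(req.headers.cookie);
  if (ids.length === 0) return null;
  if (ids.length === 1) {
    const s = sessions.get(ids[0]);
    return s ? s.account : null;
  }
  const intended = req.headers["x-intended-session"];
  if (!intended || !ids.includes(intended) || !sessions.has(intended)) {
    return { error: "ambiguous account; choose one" };
  }
  return sessions.get(intended).account;
}

// Stand-alone demo on a constructed request with two sessions and no context.
const demo = { headers: { cookie: "sids=sid-1,sid-2" } };
console.log("naive:", resolveNaive(demo));
console.log("context-aware:", resolveWithContext(demo));
```

The point of the second resolver is not the header name but the rule it enforces: when more than one session is present, the server must be told which one applies, and it must only accept a selector that refers to a session the browser really holds.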



Corresponding author

Correspondence to Jidong Xiao.

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Albahar, M., Gao, X., Dagher, G., Liu, D., Zhang, F., Xiao, J. (2019). A Study of the Multiple Sign-in Feature in Web Applications. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_26

  • DOI: https://doi.org/10.1007/978-3-030-37231-6_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6
