July 9, 2019
Avinash Sudhodanan
In this talk, I will introduce you to Cross-Origin State Inference (COSI) attacks. In a COSI attack, an attacker convinces a victim to visit an attack web page, which leverages the cross-origin interaction features of the victim’s web browser to infer the victim’s state at a target web site. COSI attacks can be leveraged to mount several privacy attacks on web users, including determining whether the victim has an account on, or is the administrator of, a prohibited web site; determining whether the victim owns sensitive content hosted at a target web site; and identifying whether the victim is the owner of a specific account. While COSI attacks are not new, they have previously been treated as isolated attacks under different names. We systematically study COSI attacks as a comprehensive category, identify different classes of them, and propose an approach for detecting them. Although I will not go into the details of our detection approach (which I am saving for another occasion), I will present the COSI attacks we found on popular live web sites, including linkedin.com, blogger.com and drive.google.com. Finally, I will present the defenses against COSI attacks.