TY - GEN
T1 - A Study of the Multiple Sign-in Feature in Web Applications
AU - Albahar, Marwan
AU - Gao, Xing
AU - Dagher, Gaby
AU - Liu, Daiping
AU - Zhang, Fengwei
AU - Xiao, Jidong
N1 - Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019.
PY - 2019
Y1 - 2019
N2 - Nowadays, more and more web applications start to offer the multiple sign-in feature, allowing users to sign into multiple accounts simultaneously from the same browser. This feature significantly improves user experience. Unfortunately, if such a feature is not designed and implemented properly, it could lead to security, privacy, or usability issues. In this paper, we perform the first comprehensive study of the multiple sign-in feature among various web applications, including Google, Dropbox. Our results show that the problem is quite worrisome. All analyzed products that provide the multiple sign-in feature either suffer from potential security/privacy threats or are sacrificing usability to some extent. We present all issues found in these applications, and analyze the root cause by identifying four different implementation models. Finally, based on our analysis results, we design a client-side proof-of-concept solution, called G-Remember, to mitigate these issues. Our experiments show that G-Remember can successfully provide adequate context information for web servers to recognize users’ intended accounts, and thus effectively address the presented multiple sign-in threat.
AB - Nowadays, more and more web applications start to offer the multiple sign-in feature, allowing users to sign into multiple accounts simultaneously from the same browser. This feature significantly improves user experience. Unfortunately, if such a feature is not designed and implemented properly, it could lead to security, privacy, or usability issues. In this paper, we perform the first comprehensive study of the multiple sign-in feature among various web applications, including Google, Dropbox. Our results show that the problem is quite worrisome. All analyzed products that provide the multiple sign-in feature either suffer from potential security/privacy threats or are sacrificing usability to some extent. We present all issues found in these applications, and analyze the root cause by identifying four different implementation models. Finally, based on our analysis results, we design a client-side proof-of-concept solution, called G-Remember, to mitigate these issues. Our experiments show that G-Remember can successfully provide adequate context information for web servers to recognize users’ intended accounts, and thus effectively address the presented multiple sign-in threat.
KW - Cookies
KW - Multiple sign-in feature
KW - Web security
UR - https://www.scopus.com/pages/publications/85076904468
U2 - 10.1007/978-3-030-37231-6_26
DO - 10.1007/978-3-030-37231-6_26
M3 - Conference contribution
SN - 9783030372309
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 440
EP - 453
BT - Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
A2 - Chen, Songqing
A2 - Choo, Kim-Kwang Raymond
A2 - Fu, Xinwen
A2 - Lou, Wenjing
A2 - Mohaisen, Aziz
T2 - 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019
Y2 - 23 October 2019 through 25 October 2019
ER -