Why Snoopy Loves Online Services: An Analysis of (Lack of) Privacy in Online Services

Vittoria Cozza, Zisis Tsiatsikas, Mauro Conti, Georgios Kambourakis

2017

Abstract

Over the last decade online services have penetrated the market and, for many of us, have become an integral part of our software portfolio. On the one hand, online services offer flexibility in every sector of the social web; on the other hand, these benefits do not come without a cost in terms of privacy. This work focuses on online services, and in particular on the inherent design errors that make these services an easy target for privacy invaders. We demonstrate this using a handful of real-world cases pertaining to popular online web services. More specifically, we show that despite the progress made in raising security/privacy awareness amongst all the stakeholders (developers, admins, users) and the existence of mature security/privacy standards and practices, there still exists a plethora of poor implementations that may put users’ privacy at risk. We particularly concentrate on cases where a breach can happen even if the aggressor has limited knowledge about their target and/or the attack can be completed with limited resources. In this context, the main contribution of the paper at hand is the demonstration that privacy leaks caused by software development errors in widely-known online services can be exploited with little effort.

Paper Citation

in Harvard Style

Cozza V., Tsiatsikas Z., Conti M. and Kambourakis G. (2017). Why Snoopy Loves Online Services: An Analysis of (Lack of) Privacy in Online Services. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 431-438. DOI: 10.5220/0006207204310438


in Bibtex Style

@conference{icissp17,
author={Vittoria Cozza and Zisis Tsiatsikas and Mauro Conti and Georgios Kambourakis},
title={Why Snoopy Loves Online Services: An Analysis of (Lack of) Privacy in Online Services},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={431-438},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006207204310438},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Why Snoopy Loves Online Services: An Analysis of (Lack of) Privacy in Online Services
SN - 978-989-758-209-7
AU - Cozza V.
AU - Tsiatsikas Z.
AU - Conti M.
AU - Kambourakis G.
PY - 2017
SP - 431
EP - 438
DO - 10.5220/0006207204310438