We identify logical web application flaws that can be exploited by TLS truncation attacks to desynchronize the user's and the server's view of an application's state. It follows immediately that servers may make false assumptions about users; hence the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.