Personal Information Leakage During Password Recovery of Internet Services

In this paper we examine the standard password recovery process of large Internet services such as Gmail, Facebook, and Twitter. Although most of these services try to maintain user privacy with regard to registration information and other personal information provided by the user, we demonstrate that personal information can still be obtained by unauthorized individuals or attackers. This information includes the full (or partial) email address, phone number, friends list, address, etc. We examine different scenarios and demonstrate how the details revealed in the password recovery process can be used to deduce more focused information about users.
