[Rephrasing] Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting

💡This is a reader's perspective on the paper written by Xu Lin (from the University of Illinois at Chicago) and published at the USENIX Security Symposium 2022.

Brief Description

The authors provide a great idea of how user fingerprints can be captured by an attacker and replicated systematically to avoid two-factor authentication (2FA), given that the attacker already has the correct username and password. Interestingly, they deeply study how many benign websites can be attacked as such, and verify if phishing websites are interested in the fingerprints that can be used to avoid 2FA.

Observations

One of the things that I kept in mind while reading the paper is the idea that they used Javascript function hooks to log the used functions by the Browser Extension, which might not be a very nice idea. However, they claim to use VisibleV8 as an auxiliary tool, which is very nice.

Another observation I like about the paper is the description that their crawler might have been evaded by cloaking techniques since they did not approach this defense in any way. In the same direction, I like how they explain the methodology of the experiments.

Initial Questions

The main questions I had in the beginning were about how the tools they created work to capture. Of course, they do not share the tool because it might help attackers. Unfortunately, while they are scientifically correct in the description of the tool, it might not be enough to easily reproduce their work (which is very sad).

Where do the experiment ideas come from?

I sense that the paper was a follow-up from the idea, instead of the data capturing tool (which might be uncommon). But I like how the follow-up experiments are not far from other papers published in the same Symposium.

What are the interesting ideas/results?

Verifying the brands of the phishing websites and correlating them with the benign web pages' vulnerabilities to the attack is a very nice idea, following up the deep analysis of the vulnerabilities of the own benign web pages.

I also like how they propose mechanisms to prevent the attack, even though it might be strongly based on the IP information.

They also have a nice explanation of the advanced fingerprinting techniques that are widely used to verify authentication. 

I like the description for the automatic crawling algorithm to find login pages in URLs visited by their crawler.

In the end, they also claim an alternative to the problem with IP fingerprinting they had, instead of just saying "Well, this is out of scope". Following that, there is a very nice robustness test for the fingerprints used by 2FA in benign websites, in which they could really see what are the specific fingerprints used by the algorithm ("by a process of elimination").

Also like the evolution studies through time. Even more than the disclosure of the information to the companies.