Auditing Etsy The Security of Etsy

Presentation on theme: "Auditing Etsy The Security of Etsy"— Presentation transcript:

1 Auditing Etsy The Security of Etsy
Etsy employs good security practices. After visiting 50+ Etsy pages, we have found that Etsy:

1. Always uses HTTPS, never sending any information in the clear. No mixed content.
2. Offers two-factor authentication.
3. Offers users the option of being notified whenever a login from a new device occurs.
4. Enables users to view a history of past logins, including IP address and user agent.
5. Protects against CSRF attacks using nonces (contained in the HTML itself, not in a cookie).
6. Protects against XSS attacks by using HTTP headers.
7. Has no external ads.
8. Images in private messages are accompanied by a MAC.
9. Sanitizes most input data, such as image metadata. (However, it should be noted that the image content is not sanitized; see potential exploit (A).)
10. Blocks many throwaway email addresses, preventing some spam.

How Etsy tracks its users:

Cookies: used to store the necessary user personal information.
Clear gifs, web beacons and web plugins: no user personal information stored.
Flash cookies and other locally stored objects: solely for fraud prevention. No user personal information stored.

Potential Vulnerabilities / Exploits

(B) Text Bomb: An automated script could be written to repeatedly send text messages to a given number. This could:
1. Result in potentially high expenses for the victim, who may have a pay-per-message plan.
2. Result in a denial of service attack if the messages arrive at such a frequency that the victim cannot use his phone for other tasks.

(C) Click Fraud: A user can have his merchandise advertised in response to a given search query, and must pay per click generated by that store. An automated script could be written to generate large numbers of clicks, resulting in potentially high expenses for the victim.

(D) Side Channels: The "search" field (as well as username registration and zip code fields) issues HTTP requests for every letter typed; an analysis of the frequency of such requests can reveal the search keyword!
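Items 5 and 8 of the good-practices list above describe two MAC-style controls: a CSRF nonce carried in the HTML body rather than in a cookie, and a MAC attached to images in private messages. The following Python sketch is an added example written for this transcript, not Etsy's code; the session store, the server key, the form action and the header values are all assumptions chosen to illustrate the pattern.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret for the demo; a real deployment loads it
# from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# In-memory session table standing in for a real session backend (assumption).
SESSIONS = {}


def new_session():
    """Create a session record that carries its own CSRF nonce."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid, action="/messages/send"):
    """Embed the nonce in the HTML itself, not in a cookie.

    A cross-site page can make the browser send cookies, but it cannot read
    this page's markup, so a forged POST arrives without the token.
    """
    token = SESSIONS[sid]["csrf"]
    return (
        f'<form method="post" action="{html.escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        '<textarea name="body"></textarea><button>Send</button></form>'
    )


def check_csrf(sid, submitted):
    """Constant-time comparison of the submitted token with the session nonce."""
    expected = SESSIONS.get(sid, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def sign_image_ref(image_path):
    """Attach a MAC to an image reference placed in a private message, so the
    reference cannot later be swapped for a different image or altered."""
    tag = hmac.new(SERVER_KEY, image_path.encode(), hashlib.sha256).hexdigest()
    return f"{image_path}?mac={tag}"


def verify_image_ref(signed_ref):
    """Accept the reference only if its MAC matches the path it names."""
    path, sep, tag = signed_ref.partition("?mac=")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, path.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def security_headers():
    """Response headers that shrink the blast radius of any XSS that slips
    through (item 6). The values are illustrative, not Etsy's real policy."""
    return {
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }
```

The nonce is generated per session and compared with `hmac.compare_digest` to avoid timing differences; the image MAC is keyed with a server secret so a message body cannot be edited to point at another upload without invalidating the tag.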
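Both (B) and (C) above come down to one action being repeatable without limit: a text message to one number, or a click on one advertised listing. The example below is added here for illustration and is not Etsy's code; it throttles each action with a sliding-window limiter keyed by the party that would be harmed. The limits, key names and the `AbuseGuard` class are assumptions.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Timestamps (seconds) come from the caller so behaviour is deterministic
    and testable; a real service would pass time.time().
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def peek(self, key, now):
        """True if one more event for `key` would stay within the limit."""
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class AbuseGuard:
    """Throttles the two abusable actions on the slide. Limits are assumed values."""

    def __init__(self):
        self.per_number = SlidingWindowLimiter(limit=3, window=3600)
        self.per_account = SlidingWindowLimiter(limit=10, window=3600)
        self.per_client_ad = SlidingWindowLimiter(limit=2, window=86400)

    def send_text(self, account, phone_number, now):
        """(B) Return True if the text may be sent.

        The destination number is throttled on its own, so several accounts
        cannot combine to flood one victim; nothing is recorded unless every
        limit passes, so a refused attempt does not consume quota.
        """
        checks = [(self.per_number, phone_number), (self.per_account, account)]
        if not all(lim.peek(key, now) for lim, key in checks):
            return False
        for lim, key in checks:
            lim.record(key, now)
        return True

    def bill_click(self, ad_id, client_fingerprint, now):
        """(C) Return True if this click is billed to the advertiser.

        Repeat clicks from the same client on the same ad within a day are
        still served but not charged, removing the incentive for scripted clicks.
        """
        key = (ad_id, client_fingerprint)
        if not self.per_client_ad.peek(key, now):
            return False
        self.per_client_ad.record(key, now)
        return True
```

For click fraud the useful decision is billing, not serving: the page still loads for a repeat click, but the advertiser is charged only for the first few distinct events per client, so a script run against a competitor costs the competitor nothing past the cap.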
Auditing Etsy
Wil Koch, Nikolaj Volgushev, Sophia Yakoubov

Etsy privacy policy: The Etsy privacy policy states that Etsy will not share user data with external organizations without explicitly getting the user's permission. However, it appears that an exception to this is complying with legal requirements.

Potential Vulnerabilities / Exploits

(A) Malicious Payloads: While image metadata is sanitized, image content is not. Since images are public and never deleted, this can be exploited to store malicious payloads. For instance, consider the following image: It actually has a message embedded!
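Returning to the side channel in (D) on the earlier slide: with one request per keystroke, an on-path observer who cannot read the HTTPS payload still sees how many requests were made and how far apart they are, which pins down the keyword's length and typing rhythm. The simulation below is an added example, not part of the presentation; it models a constructed keystroke timeline, the naive per-key client, a debounced client with a minimum prefix length, and what the observer learns from each. The timings and thresholds are assumptions.

```python
def keystroke_times(keyword, dwell_ms=120):
    """Constructed keystroke timeline: (time_ms, prefix typed so far) per character."""
    return [(i * dwell_ms, keyword[: i + 1]) for i in range(len(keyword))]


def per_key_client(events):
    """Naive autocomplete client: one HTTP request for every letter typed."""
    return [(t, prefix) for t, prefix in events]


def debounced_client(events, idle_ms=300, min_chars=3):
    """Mitigated client: send only once typing has paused for idle_ms and the
    prefix has at least min_chars characters.

    The request count then depends on pauses, not on the number of letters,
    and very short prefixes (one or two characters) never leave the browser.
    """
    out = []
    for i, (t, prefix) in enumerate(events):
        next_t = events[i + 1][0] if i + 1 < len(events) else None
        paused = next_t is None or next_t - t >= idle_ms
        if paused and len(prefix) >= min_chars:
            out.append((t + idle_ms, prefix))  # fires after the idle timer expires
    return out


def observer_view(requests):
    """What a passive observer of HTTPS traffic sees: request count and
    inter-arrival gaps in ms. Prefix contents are encrypted and not available."""
    times = [t for t, _ in requests]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"count": len(times), "gaps": gaps}


def leaked_length(requests):
    """With the naive client, the request count equals the keyword length."""
    return observer_view(requests)["count"]
```

Debouncing shrinks the leak rather than removing it: a user who pauses mid-word still produces a request per pause, and response sizes can leak as well, so a server-side minimum prefix length and padded responses belong alongside the client change.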