Testing for existence of 2nd channel notification for modifications to account settings

With account compromise steadily increasing, whether through stealthy phishing attacks or other means, it is reasonable to assume that at some point user accounts will be compromised.

When that happens, users have no way of knowing when their accounts were accessed without authorisation, which settings were changed (such as the password or e-mail address, or the disabling of notifications), which transactions were made (on shopping-cart or payment sites), or whether logins came from unusual countries, browsers or mobile devices.

Thus it is highly desirable that, at a minimum, all Internet-facing applications send second-channel notifications for the unintended, unauthorised access described above, so as to minimise the damage done to user accounts.
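The following is an added example, not code from the original post, of how an application might implement the second-channel notification described above: a login is classified against the account's known countries and devices, and every sensitive event (password or e-mail change, notifications disabled, unusual login, payment) is alerted on every registered channel. The `Account` shape, the event names and the `Notification` record are assumptions made for the example; the transport (actually sending the e-mail or SMS) is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Account-setting and activity events that warrant an out-of-band alert
# (assumed names; they mirror the cases listed in the post).
SENSITIVE_EVENTS = {
    "password_changed", "email_changed", "notifications_disabled",
    "login_new_country", "login_new_device", "payment_made",
}

@dataclass
class Account:
    user_id: str
    email: str
    phone: Optional[str] = None                  # second channel, if registered
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)

@dataclass
class Notification:
    channel: str        # "email" or "sms"
    recipient: str
    message: str

def classify_login(account: Account, country: str, device: str) -> list:
    """Return the unusual-login events raised by a login from (country, device)."""
    events = []
    if country not in account.known_countries:
        events.append("login_new_country")
    if device not in account.known_devices:
        events.append("login_new_device")
    return events

def build_notifications(account: Account, event: str, detail: str,
                        old_email: Optional[str] = None,
                        now: Optional[datetime] = None) -> list:
    """Build the second-channel alerts for one event.

    Rules: a sensitive event goes to every registered channel; an e-mail change
    also goes to the *previous* address, since the new one may belong to the
    attacker; and 'notifications_disabled' is itself alerted, so the channel
    cannot be silenced quietly before other changes are made."""
    if event not in SENSITIVE_EVENTS:
        return []
    now = now or datetime.now(timezone.utc)
    msg = (f"[{now:%Y-%m-%d %H:%M} UTC] {event} on account {account.user_id}: "
           f"{detail}. If this was not you, secure your account now.")
    targets = []
    if event == "email_changed" and old_email:
        targets.append(("email", old_email))
    targets.append(("email", account.email))
    if account.phone:
        targets.append(("sms", account.phone))
    return [Notification(c, r, msg) for c, r in targets]
```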
