Monday, November 9th, 2009

Why Log Off Your Accounts?

February 8, 2009 by Sravan  
Filed under Computers

We all know that we must log off all our accounts before leaving a cybercafé. But is it necessary on our home PCs?

Turns out, you are better off logging out of all accounts even at home.

I recently read somewhere that Internet Explorer 8 is getting ready to protect users from clickjacking attacks. A little digging, and I found a lot of literature on this subtle attack called CSRF that is being dubbed “the sleeping giant” of web vulnerabilities.

Cross-site Request Forgery
Suppose Alice closed her bank page without logging out and that the session is still alive. Now she opens an apparently harmless webpage that contains a tiny, inconspicuous image whose address points to a “post” page of the bank, that is, the page that is executed after the confirmation, where the actual transaction takes place.

While Alice is going through that apparently harmless webpage, a transaction is being executed on her behalf.

This kind of attack, where part of one site makes the browser send a request to a different site on the user's behalf, is cross-site request forgery.

Now, the above explanation is a very simplified version. In reality, bank sessions are more secure, but real CSRF attacks are correspondingly more subtle and cunning. It is a good thing that most banks expire sessions automatically after a few minutes of idleness.
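
The scenario above as a small server-side model, added here as an illustration and not taken from any bank's code. The `Bank` class, the 300-second idle limit and the per-session token check are assumptions, and the token check goes a step beyond what this post covers.

```python
import secrets

IDLE_LIMIT = 300  # seconds; assumed value for "a few minutes of idleness"

class Bank:
    """Toy model of a bank's session handling (constructed for illustration)."""
    def __init__(self):
        self.sessions = {}  # session id -> {"user", "last_seen", "csrf"}

    def login(self, user, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "last_seen": now,
                              "csrf": secrets.token_hex(16)}
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def _live_session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s["last_seen"] > IDLE_LIMIT:
            self.sessions.pop(sid, None)  # unknown or idle too long
            return None
        s["last_seen"] = now
        return s

    def transfer(self, cookie_sid, now, form_token=None, require_token=False):
        # The browser attaches cookie_sid to every request sent to the bank,
        # no matter which site's page caused the request.
        s = self._live_session(cookie_sid, now)
        if s is None:
            return "rejected: no live session"
        if require_token and not secrets.compare_digest(form_token or "", s["csrf"]):
            return "rejected: bad CSRF token"
        return "executed for " + s["user"]

def demo():
    bank = Bank()
    sid = bank.login("alice", now=0)
    token = bank.sessions[sid]["csrf"]  # only the bank's own pages carry this
    out = {}
    # Alice closed the tab without logging out; another site triggers requests.
    out["forged, live session"] = bank.transfer(sid, now=60)
    out["forged, token required"] = bank.transfer(sid, now=61, require_token=True)
    out["genuine, token required"] = bank.transfer(sid, 62, token, require_token=True)
    out["forged, idle too long"] = bank.transfer(sid, now=62 + IDLE_LIMIT + 1)
    sid = bank.login("alice", now=1000)
    bank.logout(sid)
    out["forged, after logout"] = bank.transfer(sid, now=1001)
    return out
```

Calling `demo()` returns one result per case: only the forged request against a still-live session with no token check goes through, which is why logging out and idle expiry both matter.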

Clickjacking
Clickjacking is a term that encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction.

Read more about Clickjacking, about what IE8 is doing to defend users against Clickjacking, and about CSRF.

One way to be on guard is to use different browsers or browser profiles for normal browsing activity and activity where logins are necessary.

All content is Copyright © 2005-2009 b5media. All rights reserved.