Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Before we start I’d like to get a show of hands. Raise your hand if you think you’d notice if you were logged into someone else’s account. Okay, you can put ‘em down. Now raise your hand if a victim gaining unauthorized access to an attacker’s account sounds like someone got the definition of hacking backwards. Those are the primary assumptions that I hope to break with this presentation.
The main response when these attacks are brought up is “who cares?!” We’re going to spend some time answering that.
After all that, I’ll ask again. Can I get a show of hands for who thinks this is not hacking?
A primary functionality of a site like Facebook is to individualize your account. That’s not the case for most sites.
The URL token should not be the session token itself, because URLs end up in server logs and leak through the Referer header. Its only job is to guard against extra session tokens that may be present in the request.
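The following is an added example, not code from the talk, sketching a login handler built on that rule: a pre-login cookie, a separate HMAC-derived token in the form action URL, rejection of requests that carry more than one session-bearing cookie, and rotation of the session on success. Names such as `LoginGuard`, `pre_sid`, `sid` and the `password_ok` flag (standing in for real credential verification) are assumptions of this example.

```python
import hmac
import hashlib
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret for deriving URL tokens


class LoginGuard:
    """Login-CSRF defence: pre-login cookie plus a derived (not equal) URL token."""

    def __init__(self):
        self.pre_sessions = set()  # pre-login ids handed out with the login form
        self.sessions = {}         # authenticated session id -> username

    def _url_token(self, pre_sid):
        # Bound to the pre-login cookie but not equal to it: a token leaked via
        # access logs or Referer does not reveal the cookie value.
        return hmac.new(SERVER_KEY, pre_sid.encode(), hashlib.sha256).hexdigest()

    def render_login_form(self):
        pre_sid = secrets.token_urlsafe(32)
        self.pre_sessions.add(pre_sid)
        set_cookie = {"pre_sid": pre_sid}
        form_action = f"/login?tok={self._url_token(pre_sid)}"
        return set_cookie, form_action

    def handle_login(self, cookies, url_token, username, password_ok):
        # cookies: list of (name, value) pairs, so duplicate Cookie entries are visible.
        session_cookies = [(n, v) for n, v in cookies if n in ("pre_sid", "sid")]
        # Exactly one session-bearing cookie, and it must be the pre-login one:
        # an injected extra session cookie must not ride along into this login.
        if len(session_cookies) != 1 or session_cookies[0][0] != "pre_sid":
            return None
        pre_sid = session_cookies[0][1]
        if pre_sid not in self.pre_sessions:
            return None
        # The URL token must match the one derived for this pre-login cookie.
        if not hmac.compare_digest(self._url_token(pre_sid), url_token or ""):
            return None
        if not password_ok:
            return None
        # Success: retire the pre-login id and issue a fresh authenticated session.
        self.pre_sessions.discard(pre_sid)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid
```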