SERAPH Web Application

A crowdsourcing web application for gathering information about accessing online accounts


Context of the project

Nowadays, people own multiple online accounts on many websites and applications, for many purposes. All of those accounts raise security concerns, and this project focuses on vulnerabilities linked to the ways an account can be accessed. We distinguish two types of access methods: authentication methods (the usual way to connect to one's account) and recovery methods (a secondary way to connect to one's account, generally used when the authentication method cannot be used). For example, regaining access to an account after the password is lost by using a mail address (and the password of the associated mailbox, to reach it) is a secondary method. Such links between accounts and credentials form a rich account ecosystem.

Problem

Recovery methods can sometimes be more vulnerable than authentication methods. For instance, attacking an account and its password by brute force or with rainbow tables can be a tough task, whereas gaining access to a recovery mail address is sometimes much simpler. Such methods therefore require further investigation to identify vulnerabilities in an account ecosystem.


Vulnerabilities and access graph

To evaluate the security of an account ecosystem, we need to understand how it is built. S. Radomirović, researcher in information security at the University of Surrey (UK) and client of the project, leads a study on the topic and developed a tool with collaborators: access graphs.

An access graph is a graphical formalism used to represent and analyze account ecosystems. Its vertices are authentication factors and platforms (websites or applications using an account system, for example Facebook), linked by colored edges; a platform can itself be used as an authentication factor.

For a given platform, incident plain edges represent authentication methods and incident dashed edges represent recovery methods. To read a method, every authentication factor linked to an incident edge of the same color must be combined.

Access graph example
This graph represents an ecosystem that suffered from an attack. Coinbase (a cryptocurrency wallet) is accessed by two methods: by password, or with access to the linked mailbox combined with Coinbase support (password reset request). The attacker managed to gather information about the user (e.g. address) and, using the associated phone support, managed to obtain the user's SIM and then break into the Coinbase account.
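The reading rule above (combine every factor of one color; a platform, once reached, becomes a factor itself) can be turned into a small fixed-point computation. The code below is an added example, not part of SERAPH or the access-graph study; the graph it encodes is a constructed approximation of the Coinbase incident, and the mailbox-by-phone recovery step and the `phone_support`/`coinbase_support` factors are assumptions made for the illustration.

```javascript
// Each entry is one colored edge set: the factors that must be combined to
// reach `platform`. `kind` records whether the edge is plain (auth) or
// dashed (recovery). Constructed data, not the project's dataset.
const methods = [
  // Coinbase: authentication with the password alone
  { platform: "coinbase", kind: "auth",     factors: ["coinbase_password"] },
  // Coinbase: recovery by mailbox access plus a support reset request
  { platform: "coinbase", kind: "recovery", factors: ["mailbox", "coinbase_support"] },
  // Mailbox: authentication with its own password
  { platform: "mailbox",  kind: "auth",     factors: ["mail_password"] },
  // Mailbox: recovery through the phone number (assumed for the example)
  { platform: "mailbox",  kind: "recovery", factors: ["phone"] },
  // Phone number: carrier phone support plus personal information about the
  // owner (the SIM step described above; assumed modelling)
  { platform: "phone",    kind: "recovery", factors: ["personal_info", "phone_support"] },
];

// Computes everything the holder of `initial` factors ends up controlling.
// A platform is added as soon as all factors of one of its methods are owned,
// and then counts as a factor for the next iteration, until nothing changes.
function reach(methods, initial) {
  const owned = new Set(initial);
  const via = {}; // platform -> method used to reach it
  let changed = true;
  while (changed) {
    changed = false;
    for (const m of methods) {
      if (owned.has(m.platform)) continue;
      if (m.factors.every((f) => owned.has(f))) {
        owned.add(m.platform);
        via[m.platform] = m;
        changed = true;
      }
    }
  }
  return { owned, via };
}

// Platforms that were reached through a dashed (recovery) edge only: these
// are the weak points the study wants to surface.
function recoveryOnlyPlatforms(result) {
  return Object.entries(result.via)
    .filter(([, m]) => m.kind === "recovery")
    .map(([p]) => p)
    .sort();
}

// Support channels are open to anyone, so they belong to the attacker's
// starting set together with the gathered personal information.
const attacker = reach(methods, ["personal_info", "phone_support", "coinbase_support"]);
```

Running `recoveryOnlyPlatforms(attacker)` lists phone, mailbox and Coinbase: the whole chain is traversed without a single password, which is exactly the kind of path SERAPH's data is meant to expose.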

SERAPH in a nutshell

To carry out this study on accessing accounts, a large amount of data is required. Since inventorying access methods, and particularly recovery methods, is hard, SERAPH is made to gather every known access method. SERAPH is a crowdsourcing web application where users can share the methods they know for accessing accounts.

It is an MVC single-page app running on Angular, with particular attention paid to UX design. The back-end runs on NodeJS using ExpressJS and communicates with a NoSQL database. With simplicity of use above all, SERAPH is an app meant to be used at large scale with many user interactions.

Discover SERAPH

Browse SERAPH's features below.

main catalog screen

Complete browsing
SERAPH allows consulting the gathered data in read-only or edit mode. The platforms in the database populate a catalog interface that lets any user consult the methods available for the selected platform. Information is refreshed as new entries reach the database, and users can decide whether or not they want to contribute to enriching it. A search bar is available for finding a precise platform, and new platforms can be added.
completion screen

Intuitive contribution
Any logged-in user can provide information about access methods. Every contribution action is implemented with graphical features: add a new method by simply clicking a combination of credentials, approve already provided methods with a single click, and report a problem, for instance a wrong method or a typo, through a simple form.

Crowdsourced data
In order to strengthen data quality, SERAPH uses a system based on likes and reports. Likes give credit to a method, while reports can be submitted for any element (platform, access method, credential). This permits complete monitoring of the database.
Access graph example

Account environment
An account system is implemented to control the data flow and to support the user while browsing SERAPH. The methods provided by the logged-in user are accessible and distinguishable from other users', so that they have visibility on their own contributions. A user can also follow the state of their submitted reports as they are processed.

Privacy and security
No personal data is collected. The password used to access one's account is a one-time password sent by e-mail on each connection. This is the only way to connect to SERAPH, which thus avoids vulnerabilities introduced by recovery methods. Only a hashed e-mail address is stored in the database to associate data with a user.

SERAPH's team

Our team is composed of 6 students in the 4th year of the computer science specialization at INSA Rennes. The project was conducted throughout the year 2022-2023.

Inés ANDRADE-PASCAL

Project manager

Fanny COUTELLER

Communication manager

Bastien LEGRAND

Reports manager

Elouan MOQUET

Management project leader

Le Hoang NGUYEN

Case studies and tools manager

Martin GOUBET

Server manager

Supervisors

Saša RADOMIROVIĆ

Researcher at University of Surrey (UK), project initiator

Barbara FILA

Researcher at IRISA, our teacher at INSA Rennes