Accessible Unlicensed Requires Authentication Published by De Gruyter Oldenbourg March 15, 2017

On the misuse of graphical user interface elements to implement security controls

Collin Mulliner, William Robertson and Engin Kirda


GUIs are the predominant means by which users interact with modern programs. GUIs contain a number of common visual elements widgets such as buttons, textfields, and lists, and GUIs typically provide the ability to change attributes on these widgets to control their visibility and behavior. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes may be misused as a mechanism for enforcing access control policies. This work presents a method to detect misuse of user interface elements to implement access control, it is based on our earlier work[1] that introduced the vulnerability class the we refer to as GEMs, or instances of GUI element misuse. Using our GEM detection method we discovered unknown vulnerabilities in several applications.

Received: 2016-8-1
Revised: 2016-11-30
Accepted: 2016-12-14
Published Online: 2017-3-15
Published in Print: 2017-4-20

©2017 Walter de Gruyter Berlin/Boston