{"id":"https://openalex.org/W2772422830","doi":"https://doi.org/10.1145/3134600.3134628","title":"Spinner","display_name":"Spinner","publication_year":2017,"publication_date":"2017-12-04","ids":{"openalex":"https://openalex.org/W2772422830","doi":"https://doi.org/10.1145/3134600.3134628","mag":"2772422830"},"language":"en","primary_location":{"id":"doi:10.1145/3134600.3134628","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3134600.3134628","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 33rd Annual Computer Security Applications Conference","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://research.birmingham.ac.uk/en/publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5073849061","display_name":"Chris McMahon Stone","orcid":null},"institutions":[{"id":"https://openalex.org/I79619799","display_name":"University of Birmingham","ror":"https://ror.org/03angcq70","country_code":"GB","type":"education","lineage":["https://openalex.org/I79619799"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Chris McMahon Stone","raw_affiliation_strings":["University of Birmingham, Birmingham, UK"],"affiliations":[{"raw_affiliation_string":"University of Birmingham, Birmingham, UK","institution_ids":["https://openalex.org/I79619799"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020004082","display_name":"Tom Chothia","orcid":"https://orcid.org/0000-0002-9381-1368"},"institutions":[{"id":"https://openalex.org/I79619799","display_name":"University of Birmingham","ror":"https://ror.org/03angcq70","country_code":"GB","type":"education","lineage":["https://openalex.org/I79619799"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Tom Chothia","raw_affiliation_strings":["University of Birmingham, Birmingham, UK"],"affiliations":[{"raw_affiliation_string":"University of Birmingham, Birmingham, UK","institution_ids":["https://openalex.org/I79619799"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5059943116","display_name":"Flavio D. Garcia","orcid":"https://orcid.org/0000-0001-8552-5962"},"institutions":[{"id":"https://openalex.org/I79619799","display_name":"University of Birmingham","ror":"https://ror.org/03angcq70","country_code":"GB","type":"education","lineage":["https://openalex.org/I79619799"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Flavio D. Garcia","raw_affiliation_strings":["University of Birmingham, Birmingham, UK"],"affiliations":[{"raw_affiliation_string":"University of Birmingham, Birmingham, UK","institution_ids":["https://openalex.org/I79619799"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5073849061"],"corresponding_institution_ids":["https://openalex.org/I79619799"],"apc_list":null,"apc_paid":null,"fwci":0.9246,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.76781895,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"176","last_page":"188"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/certificate","display_name":"Certificate","score":0.7678520679473877},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7105259299278259},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.675512969493866},{"id":"https://openalex.org/keywords/man-in-the-middle-attack","display_name":"Man-in-the-middle attack","score":0.6271367073059082},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.5036479830741882},{"id":"https://openalex.org/keywords/public-key-certificate","display_name":"Public key certificate","score":0.4976692497730255},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.48246127367019653},{"id":"https://openalex.org/keywords/certificate-authority","display_name":"Certificate authority","score":0.44590485095977783},{"id":"https://openalex.org/keywords/issuer","display_name":"Issuer","score":0.443562775850296},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.43545228242874146},{"id":"https://openalex.org/keywords/public-key-cryptography","display_name":"Public-key cryptography","score":0.27752214670181274},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.12512874603271484},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.09458708763122559}],"concepts":[{"id":"https://openalex.org/C96865113","wikidata":"https://www.wikidata.org/wiki/Q2946816","display_name":"Certificate","level":2,"score":0.7678520679473877},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7105259299278259},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.675512969493866},{"id":"https://openalex.org/C196491621","wikidata":"https://www.wikidata.org/wiki/Q554830","display_name":"Man-in-the-middle attack","level":3,"score":0.6271367073059082},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.5036479830741882},{"id":"https://openalex.org/C167529545","wikidata":"https://www.wikidata.org/wiki/Q274758","display_name":"Public key certificate","level":4,"score":0.4976692497730255},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.48246127367019653},{"id":"https://openalex.org/C93636275","wikidata":"https://www.wikidata.org/wiki/Q196776","display_name":"Certificate authority","level":4,"score":0.44590485095977783},{"id":"https://openalex.org/C138170105","wikidata":"https://www.wikidata.org/wiki/Q1337949","display_name":"Issuer","level":2,"score":0.443562775850296},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.43545228242874146},{"id":"https://openalex.org/C203062551","wikidata":"https://www.wikidata.org/wiki/Q201339","display_name":"Public-key cryptography","level":3,"score":0.27752214670181274},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.12512874603271484},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.09458708763122559},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.0},{"id":"https://openalex.org/C10138342","wikidata":"https://www.wikidata.org/wiki/Q43015","display_name":"Finance","level":1,"score":0.0}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.1145/3134600.3134628","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3134600.3134628","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 33rd Annual Computer Security Applications Conference","raw_type":"proceedings-article"},{"id":"pmh:oai:pure.atira.dk:Publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","is_oa":false,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4306402634","display_name":"University of Birmingham Research Portal (University of Birmingham)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79619799","host_organization_name":"University of Birmingham","host_organization_lineage":["https://openalex.org/I79619799"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":""},{"id":"pmh:oai:pure.atira.dk:openaire_cris_publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","is_oa":true,"landing_page_url":"https://research.birmingham.ac.uk/en/publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","pdf_url":null,"source":{"id":"https://openalex.org/S4306402634","display_name":"University of Birmingham Research Portal (University of Birmingham)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79619799","host_organization_name":"University of Birmingham","host_organization_lineage":["https://openalex.org/I79619799"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"McMahon Stone, C, Chothia, T & Garcia, F D 2017, Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). in Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery , pp. 176-188, 33rd Annual Computer Security Applications Conference (ACSAC 2017), Orlando, Florida, United States, 4/12/17. https://doi.org/10.1145/3134600.3134628","raw_type":"contributionToPeriodical"},{"id":"pmh:oai:pure.atira.dk:publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","is_oa":false,"landing_page_url":"https://research.birmingham.ac.uk/portal/en/publications/spinner-semiautomatic-detection-of-pinning-without-hostname-verification-or-why-10m-bank-users-were-vulnerable(1f7272ef-0133-458b-9fa7-9bcf9c5cae59).html","pdf_url":null,"source":{"id":"https://openalex.org/S4306402634","display_name":"University of Birmingham Research Portal (University of Birmingham)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79619799","host_organization_name":"University of Birmingham","host_organization_lineage":["https://openalex.org/I79619799"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":""}],"best_oa_location":{"id":"pmh:oai:pure.atira.dk:openaire_cris_publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","is_oa":true,"landing_page_url":"https://research.birmingham.ac.uk/en/publications/1f7272ef-0133-458b-9fa7-9bcf9c5cae59","pdf_url":null,"source":{"id":"https://openalex.org/S4306402634","display_name":"University of Birmingham Research Portal (University of Birmingham)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79619799","host_organization_name":"University of Birmingham","host_organization_lineage":["https://openalex.org/I79619799"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"McMahon Stone, C, Chothia, T & Garcia, F D 2017, Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). in Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery , pp. 176-188, 33rd Annual Computer Security Applications Conference (ACSAC 2017), Orlando, Florida, United States, 4/12/17. https://doi.org/10.1145/3134600.3134628","raw_type":"contributionToPeriodical"},"sustainable_development_goals":[{"score":0.41999998688697815,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G1208334278","display_name":null,"funder_award_id":"EP/L001802/1","funder_id":"https://openalex.org/F4320334627","funder_display_name":"Engineering and Physical Sciences Research Council"},{"id":"https://openalex.org/G8682795926","display_name":null,"funder_award_id":"EP/R007128/1","funder_id":"https://openalex.org/F4320334627","funder_display_name":"Engineering and Physical Sciences Research Council"}],"funders":[{"id":"https://openalex.org/F4320334627","display_name":"Engineering and Physical Sciences Research Council","ror":"https://ror.org/0439y7842"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W177815939","https://openalex.org/W1464836909","https://openalex.org/W1495444061","https://openalex.org/W1769343819","https://openalex.org/W1975344666","https://openalex.org/W1976919795","https://openalex.org/W2001637908","https://openalex.org/W2045057497","https://openalex.org/W2103370348","https://openalex.org/W2115618531","https://openalex.org/W2125607372","https://openalex.org/W2145994642","https://openalex.org/W2180124721","https://openalex.org/W2189153846","https://openalex.org/W2296570230","https://openalex.org/W2672575173","https://openalex.org/W2779025568","https://openalex.org/W6677043194"],"related_works":["https://openalex.org/W1516114510","https://openalex.org/W4388829360","https://openalex.org/W4225555599","https://openalex.org/W1543100705","https://openalex.org/W1029437559","https://openalex.org/W4253144255","https://openalex.org/W4381195491","https://openalex.org/W4293194180","https://openalex.org/W2940998278","https://openalex.org/W2231252935"],"abstract_inverted_index":{"Certificate":[0],"verification":[1,26],"is":[2,20,31,43,147],"a":[3,10,80,103,208],"crucial":[4],"stage":[5],"in":[6,17,28,151,182],"the":[7,21,38,45,58,76,85,94,98,128,134,144,152,179,183,197],"establishment":[8],"of":[9,23,40,60,70,154,178,186,196,212,214,216],"TLS":[11,18],"connection.":[12],"A":[13],"common":[14],"security":[15,82],"flaw":[16],"implementations":[19],"lack":[22,59],"certificate":[24,41,51,83,155],"hostname":[25,62,145],"but,":[27],"general,":[29],"this":[30,71,110,174],"easy":[32],"to":[33,78,124,141,160],"detect.":[34],"In":[35],"security-sensitive":[36,163],"applications,":[37],"usage":[39],"pinning":[42,52],"on":[44],"rise.":[46],"This":[47],"paper":[48],"shows":[49],"that":[50,114,170,193],"can":[53],"(and":[54,88],"often":[55,89],"does)":[56],"hide":[57],"proper":[61],"verification,":[63],"enabling":[64],"MITM":[65],"attacks.":[66],"Dynamic":[67],"(black-box)":[68],"detection":[69],"vulnerability":[72,111],"would":[73],"typically":[74],"require":[75,117],"tester":[77],"own":[79],"high":[81],"from":[84],"same":[86,90],"issuer":[87],"intermediate":[91],"CA)":[92],"as":[93],"one":[95,195],"used":[96],"by":[97],"app.":[99],"We":[100,157,168,190],"present":[101],"Spinner,":[102],"new":[104],"tool":[105],"for":[106,109],"black-box":[107],"testing":[108],"at":[112],"scale":[113],"does":[115],"not":[116],"purchasing":[118],"any":[119],"certificates.":[120],"By":[121],"redirecting":[122],"traffic":[123,137],"websites":[125],"which":[126],"use":[127,158],"relevant":[129],"certificates":[130],"and":[131,165,188],"then":[132],"analysing":[133],"(encrypted)":[135],"network":[136],"we":[138],"are":[139],"able":[140],"determine":[142],"whether":[143],"check":[146],"correctly":[148],"done,":[149],"even":[150],"presence":[153],"pinning.":[156],"Spinner":[159],"analyse":[161],"400":[162],"Android":[164],"iPhone":[166],"apps.":[167],"found":[169,192],"9":[171],"apps":[172,201,206],"had":[173],"flaw,":[175],"including":[176],"two":[177],"largest":[180],"banks":[181],"world:":[184],"Bank":[185],"America":[187],"HSBC.":[189],"also":[191,203],"TunnelBear,":[194],"most":[198],"popular":[199],"VPN":[200],"was":[202],"vulnerable.":[204],"These":[205],"have":[207],"joint":[209],"user":[210],"base":[211],"tens":[213],"millions":[215],"users.":[217]},"counts_by_year":[{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":2},{"year":2021,"cited_by_count":1},{"year":2019,"cited_by_count":3},{"year":2018,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2017-12-22T00:00:00"}