A new cryptographic system gives users the power to detect hacked accounts while keeping their devices private, offering stronger protection for journalists, activists, and others at risk of targeted attacks.
Image Credit: Miha Creative / Shutterstock
A new system developed by Cornell Tech researchers helps users detect when their online accounts have been compromised – without exposing their personal devices to invasive tracking by web services.
The researchers presented the system, called Client-Side Encrypted Access Logging (CSAL), at the USENIX Security Symposium. Its "privacy-first" method verifies whether a login came from a user's own device, addressing a flaw in how major platforms like Google and Facebook currently log account access.
Helping At-Risk Users Stay Secure
The new system could be especially useful for users at heightened risk of targeted cyberattacks, such as journalists, activists, and public figures, who need to verify account activity, the researchers said.
The research was led by Carolina Ortega Pérez and Alaa Daffalla, both Ph.D. candidates, and Thomas Ristenpart, professor of computer science. The team found that existing access logs rely on client-side data – such as device identifiers and IP addresses – that attackers can easily spoof. Even after an account is compromised, the logs may misleadingly suggest that the login came from a familiar device.
"For at-risk users, an incident of account compromise could be life-threatening. Tools such as CSAL empower these users to diagnose illicit accesses to their online accounts, which is crucial for their safety," said Daffalla.
How CSAL Works
CSAL offers a cryptographic alternative. Instead of sending service providers client-side data, the system encrypts it end-to-end using a key known only to the client devices. During login, the client device's operating system generates a cryptographic token containing device identifiers, which is encrypted end-to-end and stored by the service provider, ensuring that only the user can later decrypt and verify the login's origin.
This approach allows users to detect unauthorized access without revealing their identifying information to the platform they are using. It also avoids the need for platforms to collect and store detailed device fingerprints, which are often used for tracking, the team said.
Minimal Overhead, Broad Compatibility
The research shows how this system can be integrated into existing authentication workflows with minimal overhead. The system is also compatible with widely used security protocols, making it feasible for adoption by major platforms, the researchers said. By rethinking how access logs are generated and interpreted, the team said, CSAL offers a promising path forward for balancing security and privacy in digital account management.
The research was supported in part by a grant from the National Science Foundation and funding from Google.