Nytro


Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

Rui Wang, Indiana University Bloomington, Bloomington, IN, USA (wang63@indiana.edu)

Shuo Chen, Microsoft Research, Redmond, WA, USA (shuochen@microsoft.com)

XiaoFeng Wang, Indiana University Bloomington, Bloomington, IN, USA (xw7@indiana.edu)

Abstract— With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first “field study” on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but on a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation.

Keywords— Single-Sign-O

Download:

http://research.microsoft.com/pubs/160659/websso-final.pdf
