Researchers from Indiana University Bloomington and Microsoft Research have demonstrated weaknesses in the single sign-on (SSO) systems that allow individuals to sign onto a wide variety of websites using their Google or Facebook accounts, which could enable attackers to hijack user accounts.
In a paper (PDF) to be presented at the IEEE Symposium on Security and Privacy in May, the researchers demonstrated eight exploits affecting the OpenID system used by Google and PayPal, as well as Facebook Connect.
The study focused on client websites including FarmVille’s Facebook portal, The New York Times’ website, web application Smartsheet, US retailer Sears and Yahoo, but researchers said the attacks were likely to work across a large number of sites.
They argued the results should arouse concern because SSOs are growing in popularity precisely as a way of protecting web resources, though with little analysis of SSO schemes that have been deployed in the real world.
The paper is the result of a 10-month study carried out by Rui Wang and XiaoFeng Wang of Indiana University Bloomington and Shuo Chen of Microsoft Research. They emphasised that the flaws uncovered have all been reported to the providers and fixed.
However, the results of the study need to be taken on board by SSO providers, the study argued. In particular, the exploits generally relied on idiosyncratic ways of implementing SSO and on the lack of rigorous guidelines for such implementations.
“The way that today’s web SSO systems are constructed is largely through integrating web APIs, SDKs and sample code offered by the IdPs (Identity Providers),” the paper said. “During this process, a protocol serves merely as a loose guideline, which individual RPs often bend for the convenience of integrating SSO into their systems.”
The researchers noted that some SSO providers do not make use of rigorous protocols. “For example, popular IdPs like Facebook and Google, and their RPs (relying parties) either customise published protocols like OpenID or have no well-specified protocols at all,” the paper stated.
As a result, the researchers were able to intercept the authentication messages exchanged between the client website and the SSO provider, modify those messages and have the SSO provider accept them as a valid login, even without supplying the user’s password.
In other cases third-party components created security issues, the study found.
“Vulnerabilities that do not show up on the protocol level could be brought in by what the system actually allows each SSO party to do: an example we discovered is that Adobe Flash’s cross-domain capability totally crippled Facebook SSO security,” the paper said.
The researchers said theirs is the first “field study” of popular SSO implementations, and urged SSO providers to take on board the real-world implications of their findings.
“Given the fact that more and more high-value personal and organisational data, computation tasks and even the whole business operations within organisations are moving into the cloud, authentication flaws can completely expose such information assets to the whole world,” they wrote.