Vulnerabilities Uncovered in Google, Facebook Single Sign-On

Researchers from Indiana University Bloomington and Microsoft Research have demonstrated weaknesses in the single sign-on (SSO) systems that allow individuals to sign onto a wide variety of websites using their Google or Facebook accounts, which could enable attackers to hijack user accounts.

In a paper to be presented at the IEEE Symposium on Security and Privacy in May, the researchers demonstrated eight exploits affecting the OpenID system used by Google and PayPal, as well as Facebook Connect.

Real-world analysis

The study focused on client websites including FarmVille’s Facebook portal, The New York Times’ website, web application Smartsheet, US retailer Sears and Yahoo, but researchers said the attacks were likely to work across a large number of sites.

They argued the results should arouse concern because SSOs are growing in popularity precisely as a way of protecting web resources, though with little analysis of SSO schemes that have been deployed in the real world.

“This study shows that the overall security quality of SSO deployments seems worrisome,” the researchers stated in the paper. “In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws.”

The paper is the result of a 10-month study carried out by Rui Wang and XiaoFeng Wang of Indiana University Bloomington and Shuo Chen of Microsoft Research. They emphasised that the flaws uncovered have all been reported to the providers and fixed.

However, the study argued that SSO providers still need to take its results on board: the exploits generally relied on idiosyncratic ways of implementing SSO and on the lack of rigorous guidelines for such implementations.

‘Loose guidelines’

“The way that today’s web SSO systems are constructed is largely through integrating web APIs, SDKs and sample code offered by the IdPs (Identity Providers),” the paper said. “During this process, a protocol serves merely as a loose guideline, which individual RPs often bend for the convenience of integrating SSO into their systems.”

The researchers noted that some SSO providers do not make use of rigorous protocols. “For example, popular IdPs like Facebook and Google, and their RPs (relying parties) either customise published protocols like OpenID or have no well-specified protocols at all,” the paper stated.

As a result, the researchers were able to intercept authentication messages passed between the client website and the SSO provider, modify those messages and obtain authentication from the SSO provider, even without supplying the user’s password.
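The class of flaw described above, where a relying party consumes a field that the identity provider never actually signed, can be illustrated with a small model of a signed SSO response. The code below is an added example and is not from the paper or from any provider's SDK; the shared-key HMAC scheme, the field names (`identity`, `email`, `signed`, `sig`) and the sample values are all constructed for illustration. It contrasts a relying party that only checks the MAC with one that also checks that every field it relies on is covered by the signature.

```python
import hashlib
import hmac

# Constructed for this example: a MAC key shared between the RP and the IdP.
SHARED_KEY = b"constructed-shared-secret"


def _mac(fields, msg):
    """Compute an HMAC over the named fields, in order, as 'k=v' pairs."""
    material = "&".join(f"{f}={msg[f]}" for f in fields).encode()
    return hmac.new(SHARED_KEY, material, hashlib.sha256).hexdigest()


def idp_sign(claims, cover):
    """Hypothetical IdP: signs only the fields named in `cover`.

    The 'signed' list is always covered so it cannot be altered in transit.
    """
    msg = dict(claims)
    fields = ["signed"] + [f for f in cover if f != "signed"]
    msg["signed"] = ",".join(fields)
    msg["sig"] = _mac(fields, msg)
    return msg


def _mac_is_valid(msg):
    """Shared check: the coverage list is signed, all listed fields are present,
    and the MAC over them matches."""
    fields = msg.get("signed", "").split(",")
    if "signed" not in fields or any(f not in msg for f in fields):
        return False, fields
    ok = hmac.compare_digest(_mac(fields, msg), msg.get("sig", ""))
    return ok, fields


def naive_rp_login(msg):
    """Weak RP: verifies the MAC, then trusts any field present in the message,
    including fields the IdP never signed."""
    ok, _ = _mac_is_valid(msg)
    if not ok:
        return None
    return msg.get("email")


def strict_rp_login(msg, required=("identity", "email")):
    """Hardened RP: additionally refuses the login unless every field it is
    about to rely on is inside the signed set."""
    ok, fields = _mac_is_valid(msg)
    if not ok or any(f not in fields for f in required):
        return None
    return msg["email"]


def demo():
    """Three constructed responses: a genuine one, one with a signed value
    altered, and one with an unsigned field appended after signing."""
    good = idp_sign(
        {"identity": "https://idp.example/id/alice", "email": "alice@example.com"},
        ["identity", "email"],
    )
    tampered = dict(good)
    tampered["email"] = "mallory@example.com"  # breaks the MAC

    partial = idp_sign({"identity": "https://idp.example/id/mallory"}, ["identity"])
    forged = dict(partial)
    forged["email"] = "alice@example.com"  # appended, not covered by the MAC

    return {
        "naive_good": naive_rp_login(good),
        "naive_tampered": naive_rp_login(tampered),
        "naive_forged": naive_rp_login(forged),
        "strict_good": strict_rp_login(good),
        "strict_forged": strict_rp_login(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is that a valid signature is not enough on its own: the relying party has to know which fields the signature covers and must not base an authentication decision on anything outside that set.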

In other cases third-party components created security issues, the study found.

“Vulnerabilities that do not show up on the protocol level could be brought in by what the system actually allows each SSO party to do: an example we discovered is that Adobe Flash’s cross-domain capability totally crippled Facebook SSO security,” the paper said.

The researchers said theirs is the first “field study” of popular SSO implementations, and urged SSO providers to take on board the real-world implications of their findings.

“Given the fact that more and more high-value personal and organisational data, computation tasks and even the whole business operations within organisations are moving into the cloud, authentication flaws can completely expose such information assets to the whole world,” they wrote.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
