Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

Rui Wang, Shuo Chen, XiaoFeng Wang
2012 IEEE Symposium on Security and Privacy
With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard diverse web resources, ranging from emails and social content to business documents. Although prior research shows that formal verification of SSO protocols can detect protocol-level flaws, little has been done to analyze the security quality of these commercially deployed systems, which faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first "field study" on popular web SSO systems. Our approach is to mechanically analyze the actual web traffic going through the browser to recover its semantic information and identify potential exploit opportunities. Such opportunities were further evaluated by human analysts to find real flaws. Using this approach, we discovered 8 serious flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to the affected companies and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of current SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but on a larger scale, to better understand to what extent SSO schemes are insecurely deployed and how to respond to the situation.
doi:10.1109/sp.2012.30 dblp:conf/sp/WangCW12 fatcat:f2pjztogybbyjffexvu6sblvae