
Signing Me Onto Your Accounts Through Facebook And Google: A Traffic-Guided Security Study Of Commercially Deployed Single-Sign-On Web Services

R. Wang, Shuo Chen, X. Wang
Published 2012 · Computer Science

With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by rich browser elements (script, Flash, etc.). In this paper, we report the first "field study" on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discovery of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to the affected companies and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but at a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation.

This paper is referenced by
Advancing automated security protocol verification
Simon Meier (2013)
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino (2017)
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
Shepherd: Enabling Automatic and Large-Scale Login Security Studies
Hugo L. Jonker (2018)
A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
Soheil Khodayari (2019)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
Third-Party Identity Management Usage on the Web
Anna Vapen (2014)
A Survey of Security Analysis in Federated Identity Management
Sean Simpson (2016)
On cross-site scripting, fallback authentication and privacy in web applications
Ashar Javed (2016)
A Smart Security System for Accessing Web Services
Tayeb Basta (2019)
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
Protecting Client Browsers with a Principal-based Approach
Yinzhi Cao (2014)
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
Daniel Fett (2015)
Formal Verification of the xDAuth Protocol
Quratulain Alam (2016)
Information Sharing and User Privacy in the Third-Party Identity Management Landscape
Anna Vapen (2015)
Integrasi Sistem Single Sign On Pada Sistem Informasi Akademik, Web Information System Dan Learning Management System Berbasis Central Authentication Service
I Putu Agus Eka Darma Udayana (2018)
Will You Log into Tinder using your Facebook Account? Adoption of Single Sign-On for Privacy-Sensitive Apps
E. Cho (2020)
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
How to grant less permissions to facebook applications
Gianpiero Costantino (2013)
Computational Decoys for Cloud Security
Georgios Kontaxis (2014)
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Anna Vapen (2015)
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
Stefano Calzavara (2018)
You Are Where You App: An Assessment on Location Privacy of Social Applications
Fanghua Zhao (2018)
Design av en synkroniserad databas till en mobil spelapplikation med hjälp av Firebase
Karl Arvid Karlsson (2017)
Rethinking Operating System Interfaces to Support Robust Network Applications
W. Michael Petullo (2013)
Cloud Password Manager Using Privacy-Preserved Biometrics
Bian Yang (2014)
The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
Z. Li (2014)
Privacy Threats from Social Networking Service Aggregators
Omar Jaafor (2014)
Formal Analysis of a Single Sign-On Protocol Implementation for Android
Quanqi Ye (2015)
Vulnerability exploration and data protection in end-user applications
Rui Zhao (2018)
Winners, Losers, and Facebook: The Role of Social Logins in the Online Advertising Ecosystem
Jan Krämer (2019)
Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
Avinash Sudhodanan (2020)
Some data provided by Semantic Scholar.