
Signing Me Onto Your Accounts Through Facebook And Google: A Traffic-Guided Security Study Of Commercially Deployed Single-Sign-On Web Services

R. Wang, Shuo Chen, X. Wang
Published 2012 · Computer Science

With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first "field study" on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but on a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation.
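The abstract's central point is that a relying party (RP) can verify an identity provider's signature correctly and still let an attacker log in as someone else, because it acts on data the provider never vouched for. The following Python block is an added illustration of that class of logic error written for this page; it is not code from the paper and does not describe any particular flaw the paper reports. It models an OpenID 2.0 positive assertion: the provider signs the Key-Value Form of the fields named in openid.signed with the association MAC key (HMAC-SHA256, base64-encoded into openid.sig). The association key, the endpoints, the nonce and all messages are constructed for the example. The naive RP checks the signature and then trusts an email attribute that is not in the signed list; the hardened RP requires every field it acts on to be signed, pins return_to, and rejects replayed nonces.

```python
import base64
import hashlib
import hmac

# Constructed association MAC key shared by IdP and RP (hypothetical value).
ASSOC_MAC_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
RP_RETURN_TO = "https://rp.example/openid/return"   # hypothetical RP endpoint
IDP_ENDPOINT = "https://idp.example/op"             # hypothetical IdP endpoint

# Fields an RP must see signed before it may act on them (claimed_id/identity
# and the email extension value are what the account lookup is keyed on).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity", "ext1.value.email"}


def kv_form(fields, signed_keys):
    """Key-Value Form of the signed fields: one 'key:value\\n' line per entry
    of openid.signed, in that order, keys without the 'openid.' prefix.
    Raises KeyError if a listed field is absent from the message."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys).encode()


def idp_sign(fields, signed_keys):
    """Identity-provider side: sign exactly the named fields."""
    msg = dict(fields)
    msg["openid.signed"] = ",".join(signed_keys)
    mac = hmac.new(ASSOC_MAC_KEY, kv_form(msg, signed_keys), hashlib.sha256).digest()
    msg["openid.sig"] = base64.b64encode(mac).decode()
    return msg


def verify_signature(msg):
    """True iff openid.sig is a valid MAC over the fields listed in openid.signed."""
    signed_keys = msg.get("openid.signed", "").split(",")
    try:
        expected = hmac.new(ASSOC_MAC_KEY, kv_form(msg, signed_keys), hashlib.sha256).digest()
    except KeyError:
        return False
    return hmac.compare_digest(base64.b64encode(expected),
                               msg.get("openid.sig", "").encode())


def naive_rp_login(msg):
    """Vulnerable pattern: valid signature, but the email used to pick the
    local account is read from the message whether or not it was signed."""
    if not verify_signature(msg):
        return None
    return msg.get("openid.ext1.value.email")


def hardened_rp_login(msg, seen_nonces):
    """Signature valid, every consumed field signed, return_to is ours,
    and the response nonce has not been seen before (replay protection)."""
    if not verify_signature(msg):
        return None
    signed = set(msg["openid.signed"].split(","))
    if not REQUIRED_SIGNED <= signed:
        return None
    if msg["openid.return_to"] != RP_RETURN_TO:
        return None
    nonce = msg["openid.response_nonce"]
    if nonce in seen_nonces:
        return None
    seen_nonces.add(nonce)
    return msg["openid.ext1.value.email"]


def base_fields(nonce):
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": IDP_ENDPOINT,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1",
        "openid.claimed_id": "https://idp.example/id/attacker",
        "openid.identity": "https://idp.example/id/attacker",
    }


def build_messages():
    """Constructed (not captured) exchange: the attacker logs in with their
    own IdP account but arranges that the email attribute is not requested,
    so the IdP neither includes nor signs it; the attacker then appends an
    unsigned email of their choosing to the otherwise genuine response."""
    core = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
            "claimed_id", "identity"]
    legit = idp_sign(base_fields("2012-01-01T00:00:00Zabc123"), core)
    tampered = dict(legit)
    tampered["openid.ext1.value.email"] = "victim@example.com"   # not signed
    return legit, tampered


def signed_email_message(email, nonce="2012-01-01T00:00:01Zdef456"):
    """Constructed response in which the IdP did sign the email attribute."""
    fields = base_fields(nonce)
    fields["openid.ext1.value.email"] = email
    return idp_sign(fields, ["op_endpoint", "return_to", "response_nonce",
                             "assoc_handle", "claimed_id", "identity",
                             "ext1.value.email"])


if __name__ == "__main__":
    legit, tampered = build_messages()
    print("signature valid on tampered message:", verify_signature(tampered))
    print("naive RP logs in as:", naive_rp_login(tampered))
    print("hardened RP logs in as:", hardened_rp_login(tampered, set()))
```

The point the run makes is that signature verification passes on the tampered message, because the attacker only added a field outside the signed list; the defence is the positive check that each field the RP depends on appears in openid.signed, together with a pinned return_to and single-use nonces.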
This paper references
10.1145/1368310.1368330
Verified implementations of the information card federated identity-management protocol
K. Bhargavan (2008)
Secure Electronic Transaction
Wikipedia
Analysis of a Privacy Vulnerability in the OpenID Authentication Protocol
Manuel Urueña (2010)
10.1145/1866307.1866375
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
P. Bisht (2010)
Discoverer: Automatic Protocol Reverse Engineering from Network Traces
W. Cui (2007)
10.1109/CSFW.1996.503690
Language generation and verification in the NRL protocol analyzer
C. Meadows (1996)
10.1109/SECPRI.1995.398937
The Interrogator model
J. Millen (1995)
10.1145/644527.644533
Privacy in browser-based attribute exchange
B. Pfitzmann (2002)
Firebug
http://getfirebug.com
Federated Login for Google Account Users
Google Code
10.1145/1456396.1456397
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
OAuth Dialog
Facebook
Security Hall of Fame
Google
White hats
Facebook
The Sims Social bests FarmVille as the second-largest Facebook game, http://latimesblogs.latimes.com/entertainmentnewsbuzz/2011/09/sims-social-surpasses-farmville-as-second-largest-facebook-game
Los Angeles Times (2011)
Consumer Perceptions of Online Registration and Social Sign-In, http://janrain.com/consumer-research-social-signin
Blue Research
Setuid Demystified, USENIX Security Symposium
Hao Chen (2002)
10.1145/1045405.1045409
Using static analysis to validate the SAML single sign-on protocol
Steffen M. Hansen (2005)
Origin Cookies : Session Integrity for Web Applications
A. Bortz (2011)
10.1109/SP.2011.26
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores
Rui Wang (2011)
10.1109/CSAC.2003.1254334
Security analysis of the SAML single sign-on browser/artifact profile
T. Groß (2003)
10.1109/CSF.2010.27
Towards a Formal Foundation of Web Security
Devdatta Akhawe (2010)
10.1145/2078827.2078833
What makes users refuse web single sign-on?: an empirical investigation of OpenID
San-Tsai Sun (2011)
LocalConnection
OpenID Phishing Brainstorm
OpenID Wiki
INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations
Microsoft
10.1109/MIC.2003.1250582
Analysis of Liberty Single-Sign-on with Enabled Clients
B. Pfitzmann (2003)
On Secure Electronic Transaction
Zheng Qiuxia (2006)
10.1007/978-3-642-21424-0_6
From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?
A. Armando (2011)
10.1145/74850.74852
A logic of authentication
M. Burrows (1989)
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
OASIS Standard (2005)
10.1145/1455770.1455782
Robust defenses for cross-site request forgery
A. Barth (2008)
OpenID 2009 Year in Review
Brian Kissel (2009)
Legacy Canvas Auth
Facebook Developers
This paper is referenced by
10.3929/ETHZ-A-009790675
Advancing automated security protocol verification
Simon Meier (2013)
10.1145/3133956.3133959
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino (2017)
10.1109/CSF.2012.27
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
Shepherd: Enabling Automatic and Large-Scale Login Security Studies
Hugo L. Jonker (2018)
A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
Soheil Khodayari (2019)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
10.1007/978-3-319-04918-2_15
Third-Party Identity Management Usage on the Web
Anna Vapen (2014)
10.1007/978-3-319-55783-0_16
A Survey of Security Analysis in Federated Identity Management
Sean Simpson (2016)
On cross-site scripting, fallback authentication and privacy in web applications
Ashar Javed (2016)
10.1109/ICD47981.2019.9105752
A Smart Security System for Accessing Web Services
Tayeb Basta (2019)
10.1145/2382196.2382238
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
Protecting Client Browsers with a Principal-based Approach
Yinzhi Cao (2014)
10.1007/978-3-319-24174-6_3
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
Daniel Fett (2015)
10.1109/TIFS.2016.2561909
Formal Verification of the xDAuth Protocol
Quratulain Alam (2016)
10.1007/978-3-319-18467-8_12
Information Sharing and User Privacy in the Third-Party Identity Management Landscape
Anna Vapen (2015)
10.31598/jurnalresistor.v1i1.265
Integrasi Sistem Single Sign On Pada Sistem Informasi Akademik, Web Information System Dan Learning Management System Berbasis Central Authentication Service [Integration of Single Sign-On across an Academic Information System, Web Information System and Learning Management System Based on Central Authentication Service]
I Putu Agus Eka Darma Udayana (2018)
10.1145/3334480.3383074
Will You Log into Tinder using your Facebook Account? Adoption of Single Sign-On for Privacy-Sensitive Apps
E. Cho (2020)
10.1145/2660267.2660323
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
10.1109/ISIAS.2013.6947733
How to grant less permissions to facebook applications
Gianpiero Costantino (2013)
10.1007/978-1-4614-9278-8_12
Computational Decoys for Cloud Security
Georgios Kontaxis (2014)
10.1145/2699026.2699131
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Anna Vapen (2015)
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
Stefano Calzavara (2018)
10.1109/ISSRE.2018.00033
You Are Where You App: An Assessment on Location Privacy of Social Applications
Fanghua Zhao (2018)
Design av en synkroniserad databas till en mobil spelapplikation med hjälp av Firebase [Design of a synchronized database for a mobile game application using Firebase]
Karl Arvid Karlsson (2017)
Rethinking Operating System Interfaces to Support Robust Network Applications
W. Michael Petullo (2013)
10.1109/IC2E.2014.91
Cloud Password Manager Using Privacy-Preserved Biometrics
Bian Yang (2014)
10.21236/ada614474
The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
Z. Li (2014)
10.1109/CTC.2014.12
Privacy Threats from Social Networking Service Aggregators
Omar Jaafor (2014)
10.1109/ICECCS.2015.20
Formal Analysis of a Single Sign-On Protocol Implementation for Android
Quanqi Ye (2015)
Vulnerability exploration and data protection in end-user applications
Rui Zhao (2018)
10.1287/MNSC.2017.3012
Winners, Losers, and Facebook: The Role of Social Logins in the Online Advertising Ecosystem
Jan Krämer (2019)
10.14722/ndss.2020.24278
Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
Avinash Sudhodanan (2020)
Some data provided by Semantic Scholar.