The sorry state of web-based single sign-on services
Web-based single sign-on (SSO) services are becoming increasingly popular, as they offer a better and simpler user experience. But are they secure? The question was asked by a team of researchers from Indiana University and Microsoft, and unfortunately, the answer is no.
“In this paper, we report the first ‘field study’ on popular web SSO systems,” the researchers shared. “In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities.
“Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc.”
According to the researchers, their results indicate that the developers of web SSO systems do not have a good grasp of the security implications of the token exchange on which these schemes depend.
They point out that they unearthed the flaws through a "simple and rather mechanical procedure at the high level": first determining whether the SSO scheme relies on a secret token (one whose confidentiality carries the security) or an authentic token (one whose integrity carries it), then locating that token in the messages the browser relays, and finally applying one of three attacker scenarios, in which the attacker poses as another client, as the relying party, or as a page running inside the victim's client.
All of these flaws are discoverable without access to source code or other insider knowledge of the systems, say the researchers, and every single one of them allows an attacker to sign in as the victim user.
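The paragraphs above describe the two token classes and the three attacker roles at a high level. The following is an added illustration (not code from the paper, and not the OpenID or Facebook wire format) of what the relying-party side of a token exchange has to check before it signs a user in. It uses a constructed, toy assertion format: a JSON claim set signed with an HMAC key that the identity provider is assumed to share with every relying party (a simplification standing in for a public-key signature). Two deliberately incomplete verifiers show how a relying party can be fooled by a browser-relayed message (trusting the claims as if the token were secret, or verifying the signature but not the intended recipient); the hardened `RelyingParty` class checks signature, audience, expiry and nonce.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key, assumed to be shared between the identity provider
# and all relying parties for this toy example (not a real IdP's key).
IDP_KEY = b"constructed-idp-key-for-illustration"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue(subject: str, audience: str, nonce: str, now: int,
              key: bytes = IDP_KEY) -> str:
    """Identity provider: issue an 'authentic' (integrity-protected) token.

    The token travels through the user's browser, so it is not secret; only
    the HMAC prevents tampering. Toy format: base64(claims).base64(mac).
    """
    claims = {"sub": subject, "aud": audience, "nonce": nonce, "exp": now + 300}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(mac)


def weak_rp_login(token: str) -> str:
    """Relying party that treats the relayed claims as if they were a secret
    only the IdP could produce: the signature is never checked, so anyone
    controlling the browser can log in as any subject."""
    body = unb64(token.split(".")[0])
    return json.loads(body)["sub"]


def sig_only_rp_login(token: str, key: bytes = IDP_KEY) -> str:
    """Relying party that verifies integrity but not the intended recipient:
    a genuine token issued for some other site is accepted here as well."""
    body_b64, mac_b64 = token.split(".")
    body = unb64(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(mac_b64)):
        raise ValueError("bad signature")
    return json.loads(body)["sub"]


class RelyingParty:
    """Hardened relying party: signature, audience, expiry and single-use nonce."""

    def __init__(self, name: str, key: bytes = IDP_KEY):
        self.name = name
        self.key = key
        self.pending_nonces: set[str] = set()

    def start_login(self, nonce: str) -> None:
        # Nonce minted by the RP when it redirects the browser to the IdP;
        # it must come back inside the signed token.
        self.pending_nonces.add(nonce)

    def finish_login(self, token: str, now: int):
        """Return the authenticated subject, or None if any check fails."""
        try:
            body_b64, mac_b64 = token.split(".")
            body = unb64(body_b64)
            mac = unb64(mac_b64)
            claims = json.loads(body)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None                      # forged or tampered
        if claims.get("aud") != self.name:
            return None                      # issued for a different relying party
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None                      # expired
        nonce = claims.get("nonce")
        if nonce not in self.pending_nonces:
            return None                      # not bound to a login we started, or replayed
        self.pending_nonces.discard(nonce)   # single use
        return claims["sub"]
```

The audience check is the one that maps most directly onto the "attacker posing as the relying party" scenario: a token the identity provider legitimately issued for one site must not be redeemable at another, and only the relying party can enforce that.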
The researchers have shared their findings with the affected companies, which have acknowledged the flaws and thanked them for their contribution. Most of the reported flaws have already been fixed, but the team continues to discover new ones.
“This suggests the seriousness of the overall situation. Clearly the scale of the problem is beyond what we can cover as a single research team, so we wish this paper can be a call for a collaborative effort of the SSO community,” they concluded and announced a service that will help developers and security analysts to conduct investigations similar to theirs.