Vulnerabilities Uncovered in Google, Facebook Single Sign-On

Research from Microsoft and Indiana University Bloomington finds a range of ways to hijack the single sign-on systems used across the web by Google, Facebook and others

Researchers from Indiana University Bloomington and Microsoft Research have demonstrated weaknesses in the single sign-on (SSO) systems that allow individuals to sign onto a wide variety of websites using their Google or Facebook accounts, which could enable attackers to hijack user accounts.

In a paper to be presented at the IEEE Symposium on Security and Privacy in May, the researchers demonstrated eight exploits affecting the OpenID system used by Google and PayPal as well as Facebook Connect.

Real-world analysis

The study focused on client websites including FarmVille’s Facebook portal, The New York Times’ website, web application Smartsheet, US retailer Sears and Yahoo, but researchers said the attacks were likely to work across a large number of sites.

They argued the results should arouse concern because SSO is growing in popularity precisely as a way of protecting web resources, yet the SSO schemes deployed in the real world have received little analysis.

“This study shows that the overall security quality of SSO deployments seems worrisome,” the researchers stated in the paper. “In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws.”

The paper is the result of a 10-month study carried out by Rui Wang and XiaoFeng Wang of Indiana University Bloomington and Shuo Chen of Microsoft Research. They emphasised that the flaws uncovered have all been reported to the providers and fixed.

Even so, the study argued that SSO providers need to take the results on board: the exploits generally relied on idiosyncratic ways of implementing SSO and on the lack of rigorous guidelines for such implementations.

‘Loose guidelines’

“The way that today’s web SSO systems are constructed is largely through integrating web APIs, SDKs and sample code offered by the IdPs (Identity Providers),” the paper said. “During this process, a protocol serves merely as a loose guideline, which individual RPs often bend for the convenience of integrating SSO into their systems.”

The researchers noted that some SSO providers do not make use of rigorous protocols. “For example, popular IdPs like Facebook and Google, and their RPs (relying parties) either customise published protocols like OpenID or have no well-specified protocols at all,” the paper stated.

As a result, the researchers were able to intercept authentication messages passed between the client website and the SSO provider, modify those messages and obtain authentication from the SSO provider, even without supplying the user’s password.
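The class of flaw described above, an assertion whose security-relevant fields are not all covered by the IdP's signature, or whose binding to the relying party and login is never checked, can be illustrated with a small constructed example. The code below is an added illustration, not code from the paper or from Google, Facebook or any OpenID implementation: it uses a toy assertion format and an HMAC with a shared secret standing in for the IdP's signature so that it runs offline. It contrasts a relying party that verifies only the signature over "whatever the message says was signed" with one that additionally requires the identity and binding fields to be inside the signed set and checks the RP identifier and nonce.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the toy IdP and RP (an HMAC stands in for
# the IdP's signature so the example runs offline); not a real key.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"

# Fields an RP must see covered by the IdP's signature before it trusts the
# assertion: who the user is, which RP it was issued for, and the login nonce.
REQUIRED_SIGNED = frozenset({"user_id", "email", "rp", "nonce"})


def _canonical(fields, names):
    """Fixed-order byte encoding of the named fields so that issuer and
    verifier hash exactly the same bytes."""
    subset = {n: fields[n] for n in sorted(names)}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def _mac(fields, names):
    return hmac.new(IDP_KEY, _canonical(fields, names), hashlib.sha256).hexdigest()


def idp_issue(user_id, email, rp, nonce, signed_names):
    """Toy IdP: returns an assertion whose signature covers only signed_names."""
    fields = {"user_id": user_id, "email": email, "rp": rp, "nonce": nonce}
    return {**fields, "signed": sorted(signed_names), "sig": _mac(fields, signed_names)}


def weak_rp_verify(assertion, expected_rp, expected_nonce):
    """Checks the signature over whatever the message says was signed and
    nothing else, so a field outside the signed set is taken at face value
    and the RP/nonce binding is never checked."""
    if not hmac.compare_digest(_mac(assertion, assertion["signed"]), assertion["sig"]):
        return None
    return assertion["email"]


def hardened_rp_verify(assertion, expected_rp, expected_nonce):
    """Requires every security-relevant field to be inside the signed set,
    verifies the signature, then binds the assertion to this RP and login."""
    names = set(assertion["signed"])
    if not REQUIRED_SIGNED <= names:
        return None                      # identity or binding field left unsigned
    if not hmac.compare_digest(_mac(assertion, names), assertion["sig"]):
        return None                      # content altered after signing
    if assertion["rp"] != expected_rp or assertion["nonce"] != expected_nonce:
        return None                      # replayed, or issued for a different RP
    return assertion["email"]


def demo():
    """Runs both verifiers on a constructed assertion whose email lies outside
    the signed set, then on a fully signed one. Returns the accepted identity
    (or None) for each case."""
    rp, nonce = "rp.example.test", "nonce-1234"      # constructed values
    partial = idp_issue("u-42", "alice@example.test", rp, nonce, ["user_id", "rp", "nonce"])
    tampered = {**partial, "email": "victim@example.test"}   # MAC still verifies
    full = idp_issue("u-42", "alice@example.test", rp, nonce, REQUIRED_SIGNED)
    full_tampered = {**full, "email": "victim@example.test"}
    return {
        "weak_accepts_tampered": weak_rp_verify(tampered, rp, nonce),
        "hardened_rejects_tampered": hardened_rp_verify(tampered, rp, nonce),
        "hardened_accepts_full": hardened_rp_verify(full, rp, nonce),
        "hardened_rejects_full_tampered": hardened_rp_verify(full_tampered, rp, nonce),
        "hardened_rejects_replay": hardened_rp_verify(full, rp, "nonce-other"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that a relying party must decide for itself which fields it depends on and refuse any assertion in which those fields are not signed, rather than letting the message's own `signed` list define what is protected; the RP identifier and per-login nonce checks then stop an assertion issued for one site or one session from being replayed against another.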

In other cases third-party components created security issues, the study found.

“Vulnerabilities that do not show up on the protocol level could be brought in by what the system actually allows each SSO party to do: an example we discovered is that Adobe Flash’s cross-domain capability totally crippled Facebook SSO security,” the paper said.

The researchers said theirs is the first “field study” of popular SSO implementations, and urged SSO providers to take on board the real-world implications of their findings.

“Given the fact that more and more high-value personal and organisational data, computation tasks and even the whole business operations within organisations are moving into the cloud, authentication flaws can completely expose such information assets to the whole world,” they wrote.
