Ars Technica reports on a new research paper, “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services” (Microsoft pdf; archive pdf), that details privacy and security problems connected with account login services for some Internet applications:
Account login services that implement applications from Google, Facebook, and other commercial providers are prone to flaws that allow adversaries unauthorized access to private user profiles on the third-party Websites that use them, a team of computer scientists has concluded.
Their 10-month study found that many SSO, or single sign-on, services supplied by IdPs or ID Providers including Google, Facebook, and PayPal weren’t properly integrated into Websites that used the services. As a result, private data on RP, or relying party, sites belonging to Farmville, Freelancer, Nasdaq, Sears, JanRain, and other sites were all vulnerable to snoops.
“The result shows that these prominent web SSO systems contain serious logic flaws that make it completely realistic for an unauthorized party to log into their customers’ accounts,” the scientists wrote in a research paper (PDF) scheduled to be presented at the IEEE Symposium on Security and Privacy in May. “These flaws are also found to be diverse, distributed across the code of [third-party Websites] and [SSO providers], and at the stages of login and account linking.”
The researchers reported the vulnerabilities to parties responsible for the code and in the vast majority of cases, those parties have already implemented fixes. But in an email, XiaoFeng Wang, an associate professor of informatics and computer science at Indiana University and one of the report’s coauthors, wrote: “We strongly believe that given the complexity of web SSO service integration, particularly the coordination between RP and IdP, other web SSO systems can also be error-prone.” […]
SSOs typically work by offering programming interfaces that relay the visitor’s login information to the provider of the service. If the user credentials are valid, the provider usually returns some sort of certified token that instructs the third-party Website to give the user access to the requested account. The problem with this “proof-by-possession” scheme is that the data relayed from Website to provider is sent to the end user’s browser first, creating the opportunity for adversaries to manipulate the credentials that are sent to and from the provider. As a result, an attacker can obtain a token granting him access to an account without supplying the user name and password that are normally required for authorization. […]
In an e-mail, a Facebook spokesman thanked the researchers for privately reporting the bug. “It was fixed shortly after it was reported and we are not aware of any cases in which it was used maliciously. Developers can find our documentation on Authentication using Facebook Platform here.” A Google spokesman declined to comment for this article.
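The weakness the article describes, that the IdP's answer reaches the relying party only after passing through the user's browser, is easier to see in code. The sketch below is an added illustration, not code from the paper, from Ars, or from any IdP; the token format, the shared secret and the RP logic are hypothetical simplifications. It pairs an RP that trusts a browser-relayed field with one that accepts only claims the IdP signed for it.

```python
"""Constructed illustration of the 'proof-by-possession' weakness: the IdP's
assertion travels through the user's browser, so any field the RP trusts
without checking the IdP's signature can be rewritten in transit.
Token layout and secret are hypothetical, not a real IdP's protocol."""
import hashlib
import hmac
import json

IDP_RP_SECRET = b"constructed-shared-secret"  # hypothetical key shared by IdP and RP
RP_ID = "rp.example"  # hypothetical relying-party identifier


def idp_issue_token(user_id, audience):
    """IdP signs the identity assertion it sends back via the browser."""
    payload = {"sub": user_id, "aud": audience}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_RP_SECRET, body, hashlib.sha256).hexdigest()
    # The user id is also echoed as an unsigned convenience field.
    return {"signed": body.decode(), "sig": sig, "user": user_id}


def browser_relay(token, tamper_user=None):
    """The browser forwards the token to the RP; a malicious user can edit it."""
    relayed = dict(token)
    if tamper_user is not None:
        relayed["user"] = tamper_user  # rewrite the unsigned field in transit
    return relayed


def rp_login_vulnerable(token):
    """Flawed RP logic: trusts the unsigned field, never checks the signature."""
    return token["user"]


def rp_login_hardened(token):
    """Verifies the signature, then uses only signed claims meant for this RP."""
    body = token["signed"].encode()
    expected = hmac.new(IDP_RP_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # token altered in transit or not from the IdP
    claims = json.loads(body)
    if claims.get("aud") != RP_ID:
        return None  # assertion was issued for a different relying party
    return claims["sub"]


def demo():
    """Same tampered token, two RP implementations; returns (flawed, hardened)."""
    token = idp_issue_token("alice", RP_ID)
    tampered = browser_relay(token, tamper_user="bob")
    return rp_login_vulnerable(tampered), rp_login_hardened(tampered)
```

The flawed RP logs the user in as "bob" while the hardened RP still sees "alice", because only the signed claims survive the relay unchanged.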