Astounding news item, via ArsTechnica’s Dan Goodin, illuminating research report output from Rui Wang and XiaoFeng Wang [both computer scientists at Indiana University Bloomington], and Shuo Chen [a computer scientist at Microsoft Research] targeting the failure of both Google Inc.’s (NasdaqGS: GOOG) and Facebook Inc.’s web-based Single Sign-On services (or, as I like to call it: An Unbroken Litany of Authentication Development Incompetence).
You can download your own copy of the report, entitled ‘Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services’ via Microsoft Research [a unit of Microsoft Corporation (NasdaqGS: MSFT)], or via the Infosecurity.US Document Repository.
“…Abstract— With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first “field study” on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but in a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation..” via the white paper by Rui Wang and XiaoFeng Wang [both of Indiana University Bloomington], and Shuo Chen [Microsoft Research]to be published at IEEE Symposium on Security and Privacy