Access control enforcement delegation for information-centric networking architectures
Proceedings of the second edition of the ICN workshop on Information-centric networking
On breaking SAML: be whoever you want to be
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Security analysis of smartphone point-of-sale systems
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Access control enforcement delegation for information-centric networking architectures
ACM SIGCOMM Computer Communication Review - Special october issue SIGCOMM '12
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Proceedings of the 2012 ACM conference on Computer and communications security
Embassies: radically refactoring the web
nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
SAuth: protecting user accounts from password database leaks
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Explicating SDKs: uncovering assumptions underlying secure authentication and authorization
SEC'13 Proceedings of the 22nd USENIX conference on Security
Language-based defenses against untrusted browser origins
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first "field study" on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as Open ID (including Google ID and Pay Pal Access), Face book, Jan Rain, Freelancer, Farm Ville, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but in a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation.