Though each flaw had its own unique characteristics, all eight detailed in the report (PDF) had one trait in common.
"All these flaws allow the attacker to sign in as the victim to her accounts on the websites using SSO services even without knowing the victim’s password," says Dr. XiaoFeng Wang, associate professor of computer science at Indiana University at Bloomington and co-author of the report with Rui Wang and Shuo Chen.
Wang and his team hope the report is a wake-up call for both the developers of websites using the SSO services and those providing the services, between whom there seems to be a disconnect as to who is responsible for hardening the SSO application. Further obscuring the matter is the fact that the SSO is going through browsers, whose behaviors are very complicated, Wang says. "IT decision-makers should realize the security risk that comes with the convenience of SSO. Most problems we discovered actually can be fixed through correct integration on the website part. In other words, if the developer of these websites incorporate such SSO services carefully, SSO can be more secure," Wang says. "To make this happen, however, we also expect the help from the service provider side. They need to offer good integration supports, including well-specified documentation, verified secure code template, and other [support] to guide their customers during the integration process, which according to our findings, is very easy to get wrong."
According to the report, many of the problems associated with spotting flaws in Web services SSO implementations are a result of individual developer's idiosyncratic methods of integrating the APIs, SDKs, and sample code offered up by identity providers. In particular, the report noted that developers of today's Web SSO systems fail to fully lock down the process of token exchange in order to protect and verify the token from malicious adversaries.
Protocols currently stand as "a loose guideline," and organizations that leverage the providers' APIs tend to bend the protocol at their whim "for the convenience of integrating SSO into their systems," the report said. The findings highlight the need for API best practices as one of the key issues in Web architecture today, says Nishant Kaushik, chief architect at Identropy.
"It isn't enough for a service to publish an API and a how-to guide and take no responsibility for how it is used or abused," Kaushik says. "And with the role that identity providers are going to play in the security landscape, they have a bigger obligation to ensure that they are protecting the identities and credentials of the users that have entrusted them this responsibility, even if it purely as an ecosystem play, like in the case of Facebook."
As more of these SSO systems are used for websites that engage in retail and other monetary transactions, the security stakes will continue to be ratcheted up. While Web SSO may be convenient, there are big risks taken until these services are fully vetted.
"Federation and SSO are designed to make the user's life easier, not improve or even maintain the security of their transactions. Logon convenience has its costs, and with free authentication services, you get what you pay for," says Phil Lieberman of Lieberman Software. "These systems were not initially designed and hardened for financial transactions. Further, there has been precious little to no oversight over the security of their implementation. The lesson to be learned here is that many cloud-based solutions for authentication and security should be treated as unproven and insecure in most cases."
The flaws outlined in the Microsoft Research report have all been addressed by the affected service providers. But the research team believes that due to the unique vulnerabilities caused by poor implementation by individual site operators, the security community needs to do more testing industry-wide. In order to help organizations in the process, the researchers are launching a website that will offer free testing tools to review their implementations.
At the same time, Wang says he hopes service providers can take the report's findings and build off them.
"Some SSO providers already published security advisories based on our finding to let the community be aware of the issues," he says. "Most importantly, we hope that the providers better understand the security challenges their customers face when integrating their services and offer more technical support and detailed documentation to help them use their services securely."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.