Dark Reading is part of the Informa Tech Division of Informa PLC

3/19/2012
08:04 PM

Web Services Single Sign-On Contain Big Flaws

Microsoft Research report shows how risky single sign-on can be without solid integration and better support from Web service providers like Google and Facebook

As more and more organizations tap into single sign-on (SSO) schemes through Web services providers such as Google and Facebook, new research suggests that they must plan more carefully how they implement SSO APIs, lest they leave users open to attack. Researchers at Microsoft Research found troubling logic flaws in SSO integrations for Facebook, Google ID, PayPal, and other Web services that threaten a large number of users online.

Though each flaw had its own unique characteristics, all eight detailed in the report (PDF) had one trait in common.

"All these flaws allow the attacker to sign in as the victim to her accounts on the websites using SSO services even without knowing the victim’s password," says Dr. XiaoFeng Wang, associate professor of computer science at Indiana University at Bloomington and co-author of the report with Rui Wang and Shuo Chen.

Wang and his team hope the report is a wake-up call for both the developers of websites using the SSO services and those providing the services, between whom there seems to be a disconnect as to who is responsible for hardening the SSO application. Further complicating the matter is the fact that SSO flows pass through browsers, whose behaviors are very complicated, Wang says. "IT decision-makers should realize the security risk that comes with the convenience of SSO. Most problems we discovered actually can be fixed through correct integration on the website part. In other words, if the developers of these websites incorporate such SSO services carefully, SSO can be more secure," Wang says. "To make this happen, however, we also expect the help from the service provider side. They need to offer good integration support, including well-specified documentation, verified secure code templates, and other [support] to guide their customers during the integration process, which according to our findings, is very easy to get wrong."

According to the report, many of the problems associated with spotting flaws in Web services SSO implementations are a result of individual developers' idiosyncratic methods of integrating the APIs, SDKs, and sample code offered up by identity providers. In particular, the report noted that developers of today's Web SSO systems fail to fully lock down the token exchange: the website receiving a token must both protect it from exposure and verify that it is genuine and intended for that website before trusting it.
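To make the token-verification point concrete, here is an added example (not code from the report or from any provider) contrasting a naive relying-party login with one that checks the token. It assumes a constructed HMAC-signed token format and a demo key shared between provider and website, standing in for a real provider's signed tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared between the identity provider and the website (relying party).
# Real providers sign with asymmetric keys; HMAC keeps this example self-contained.
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "demo-idp"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Provider side: sign a claim set naming the user AND the site the token is for."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "iss": ISSUER, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def naive_login(token: str) -> str:
    """The integration mistake: read 'sub' out of the token and trust it as-is."""
    return json.loads(_unb64(token.split(".")[0]))["sub"]

def verified_login(token: str, my_site: str, now: Optional[int] = None) -> Optional[str]:
    """Relying-party side: accept the user only if signature, issuer, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != my_site:
        return None  # minted by someone else, or for a different website
    if claims.get("exp", 0) <= now:
        return None  # expired token being replayed
    return claims["sub"]
```

A token legitimately issued for one website, or with a damaged signature, still names the same user, so `naive_login` accepts it while `verified_login` rejects it; that audience check is the kind of integration step the report found missing.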

Protocols currently stand as "a loose guideline," and organizations that leverage the providers' APIs tend to bend the protocol at their whim "for the convenience of integrating SSO into their systems," the report said. The findings highlight the need for API best practices as one of the key issues in Web architecture today, says Nishant Kaushik, chief architect at Identropy.

"It isn't enough for a service to publish an API and a how-to guide and take no responsibility for how it is used or abused," Kaushik says. "And with the role that identity providers are going to play in the security landscape, they have a bigger obligation to ensure that they are protecting the identities and credentials of the users that have entrusted them with this responsibility, even if it is purely an ecosystem play, like in the case of Facebook."

As more of these SSO systems are used for websites that engage in retail and other monetary transactions, the security stakes will continue to be ratcheted up. While Web SSO may be convenient, there are big risks taken until these services are fully vetted.

"Federation and SSO are designed to make the user's life easier, not improve or even maintain the security of their transactions. Logon convenience has its costs, and with free authentication services, you get what you pay for," says Phil Lieberman of Lieberman Software. "These systems were not initially designed and hardened for financial transactions. Further, there has been precious little to no oversight over the security of their implementation. The lesson to be learned here is that many cloud-based solutions for authentication and security should be treated as unproven and insecure in most cases."

The flaws outlined in the Microsoft Research report have all been addressed by the affected service providers. But the research team believes that due to the unique vulnerabilities caused by poor implementation by individual site operators, the security community needs to do more testing industry-wide. In order to help organizations in the process, the researchers are launching a website that will offer free testing tools to review their implementations.

At the same time, Wang says he hopes service providers can take the report's findings and build off them.

"Some SSO providers already published security advisories based on our finding to let the community be aware of the issues," he says. "Most importantly, we hope that the providers better understand the security challenges their customers face when integrating their services and offer more technical support and detailed documentation to help them use their services securely."
