Researchers say they have found bugs in Web-based single sign-on services run by Facebook, Google, Twitter, PayPal and others that allow a hacker to hijack the authentication process.
"These bugs allow an unauthorized party to log into legitimate users' accounts ... thereby completely defeating their authentication protection," said Rui Wang, a researcher with Microsoft Research, who was an Indiana University PhD. student when the research was conducted in early 2011.
The 15-page report defined Web single sign-on (SSO) as a service that has three distinct parts: a user with a browser, a service that provided the user an identity, and a party that relies on that service to validate the ID and the user.
The report cited poor integration by web site developers of the application programming interfaces (APIs) made available by the identity providers, and the lack of end-to-end security checks.
Rui Wang worked with Shuo Chen of Microsoft Research and Xiao Feng Wang of Indiana University to discover eight serious flaws in high-profile ID providers and the websites that rely on those identity providers.
The study looked at popular SSO services on the Web, including Facebook, Google, JanRain and PayPal and SSO systems of high-profile websites/services, including FarmVille, Freelancer, Nasdaq.com and Sears.com.
The researchers say all the sites have acknowledged the vulnerabilities and corrected them. But the trio concluded in their report that the overall security quality of single sign-on (SSO) deployments seems "worrisome."
Rui Wang said in an email interview that the lack of end-to-end security checks is a major issue.
"The main concern we have is not about the infrastructure, but about the programming practice of API integration," he said. "The current practice is that ID-providers only provide APIs and corresponding specs, and it is website developers' responsibility to securely integrate these APIs to their systems. This practice can easily introduce misunderstanding between these parties, which can potentially be exploited by the attacker. We believe that it is important to do an end-to-end security analysis to see if a concrete integration is secure."
Rui Wang said each of the eight flaws uncovered was very different and the report details each one and says those flaws affected many websites.
The report, however, generally concluded that "Our success [in validating the vulnerabilities] indicates that the developers of today's web SSO systems often fail to fully understand the security implications during token exchange, particularly, how to ensure that the token is well protected and correctly verified, and what the adversary is capable of doing in the process."
In part, the trio's research validated the reason why Web sites most often become identity providers, those that create IDs, rather than relying parties, those that rely on those IDs to validate users. It is generally believed that is more difficult to architect an authentication system as a relying party than as an identity provider. But for a distributed identity system to succeed it needs a plethora of relying parties.
The OpenID Foundation announced the vulnerability discovery on its web site and said its board members worked to identify other affected web sites and alerted them to the fix.
OpenID, however, was only one of many identity schemes the report focused on, said Rui Wang.
The Foundation recommended a review of the researcher's report for web sites that do not use an OpenID relying party implementation from one of the OpenID Foundation vendors.
The research trio has been invited to present their 15-page report at the IEEE Symposium on Security and Privacy May 20-23 in San Francisco. Each year the symposium convenes a forum for presenting developments in computer security and electronic privacy.
- Hackers, standards and non-profits: A trinty to rescue Internet Identity?
- Gartner: Identity a lever of control; six trends for 2012
- Zappos breach highlights fragile password, personal data security
- Sony Playstation network hacked again; 93,000 accounts compromised
- Gawker hacked: Just the latest sign the Web is going Wild West
- BrowserID testing waters, but missing pieces weaken story
- Google, Web security and privacy in spotlight at CeBit 2012