Researchers discover "worrisome" authentication flaws in many online services, sites

Bugs discovered in Web-based single sign-on services and sites run by the likes of Facebook, Google, Twitter and PayPal can allow hackers to gain access to a user's account, researchers have discovered.
Written by John Fontana, Contributor

Researchers say they have found bugs in Web-based single sign-on services run by Facebook, Google, Twitter, PayPal and others that allow a hacker to hijack the authentication process.

"These bugs allow an unauthorized party to log into legitimate users' accounts ... thereby completely defeating their authentication protection," said Rui Wang, a researcher with Microsoft Research, who was an Indiana University Ph.D. student when the research was conducted in early 2011.

The 15-page report defines Web single sign-on (SSO) as a service with three distinct parties: a user with a browser, an identity provider that gives the user an identity, and a relying party that depends on that provider to validate the ID and the user.

The report blamed the flaws on poor integration by website developers of the application programming interfaces (APIs) made available by the identity providers, and on the lack of end-to-end security checks.

Rui Wang worked with Shuo Chen of Microsoft Research and XiaoFeng Wang of Indiana University to discover eight serious flaws in high-profile identity providers and in the websites that rely on them.

The study looked at popular SSO services on the Web, including Facebook, Google, JanRain and PayPal, and at the SSO systems of high-profile websites and services, including FarmVille, Freelancer, Nasdaq.com and Sears.com.

The researchers say all the sites have acknowledged the vulnerabilities and corrected them. But the trio concluded in their report that the overall security quality of single sign-on (SSO) deployments seems "worrisome."

Rui Wang said in an email interview that the lack of end-to-end security checks is a major issue.

"The main concern we have is not about the infrastructure, but about the programming practice of API integration," he said. "The current practice is that ID-providers only provide APIs and corresponding specs, and it is website developers' responsibility to securely integrate these APIs to their systems. This practice can easily introduce misunderstanding between these parties, which can potentially be exploited by the attacker. We believe that it is important to do an end-to-end security analysis to see if a concrete integration is secure."

Rui Wang said each of the eight flaws was quite different from the others; the report details each one and notes that the flaws affected many websites.

The report, however, generally concluded that "Our success [in validating the vulnerabilities] indicates that the developers of today's web SSO systems often fail to fully understand the security implications during token exchange, particularly, how to ensure that the token is well protected and correctly verified, and what the adversary is capable of doing in the process."
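The token-exchange failure the report describes, as an added example that is not code from the paper or from any of the providers named in this article: a toy identity provider issues a signed token naming the user, the relying party it was issued for, and an expiry. A naive relying party simply decodes the token and trusts the user identity inside it; a correct one verifies the signature, checks that the token was issued for this site, and checks expiry before accepting the identity. The token format, the site names (rp.example, attacker-rp.example) and the shared secret are hypothetical and constructed for this illustration.

```python
# Added example (not from the paper or from any provider named in the article):
# a minimal identity provider (IdP) that issues signed tokens, beside two
# relying-party (RP) verifiers, one flawed and one correct. The token format,
# names and secret are hypothetical and constructed for this illustration.
import base64
import hashlib
import hmac
import json

# Secret shared between the IdP and the RP for this toy HMAC token scheme
# (constructed; a real deployment would use the provider's published keys).
IDP_SECRET = b"constructed-idp-signing-secret"


def b64u(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64u(text: str) -> bytes:
    """Inverse of b64u; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(secret: bytes, user_id: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: bind the user to one relying party (audience) and an expiry,
    then sign the encoded payload so the RP can detect tampering."""
    payload = {"sub": user_id, "aud": audience, "exp": now + ttl}
    body = b64u(json.dumps(payload, sort_keys=True).encode())
    sig = b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def naive_rp_login(token: str):
    """Flawed integration: decodes the token and trusts the identity it carries
    without verifying who signed it or which site it was issued for."""
    body = token.split(".")[0]
    return json.loads(unb64u(body))["sub"]


def verified_rp_login(secret: bytes, token: str, expected_audience: str, now: int):
    """Correct integration: signature, audience and expiry are all checked
    before the identity is accepted. Returns the user id, or None on failure."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected_sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64u(sig), expected_sig):
            return None  # not signed by the IdP (forged or tampered)
        payload = json.loads(unb64u(body))
    except (ValueError, TypeError):
        return None  # undecodable base64 or JSON
    if not isinstance(payload, dict):
        return None
    if payload.get("aud") != expected_audience:
        return None  # genuine token, but issued for a different relying party
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired or malformed expiry
    return payload.get("sub")


def demo(now: int = 1_700_000_000):
    """Three tokens an RP might be handed; returns each verifier's decision."""
    genuine = idp_issue_token(IDP_SECRET, "alice", "rp.example", now)
    # Issued by the real IdP, but for a different RP (one an attacker could run):
    wrong_audience = idp_issue_token(IDP_SECRET, "alice", "attacker-rp.example", now)
    # Well-formed payload naming the victim, but with a bogus signature:
    forged_payload = {"sub": "alice", "aud": "rp.example", "exp": now + 300}
    forged = b64u(json.dumps(forged_payload, sort_keys=True).encode()) + "." + b64u(b"\x00" * 32)
    return {
        "naive_forged": naive_rp_login(forged),
        "naive_wrong_audience": naive_rp_login(wrong_audience),
        "verified_genuine": verified_rp_login(IDP_SECRET, genuine, "rp.example", now),
        "verified_forged": verified_rp_login(IDP_SECRET, forged, "rp.example", now),
        "verified_wrong_audience": verified_rp_login(IDP_SECRET, wrong_audience, "rp.example", now),
        "verified_expired": verified_rp_login(IDP_SECRET, genuine, "rp.example", now + 301),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as-is, the naive verifier logs "alice" in from both the forged token and the genuine token that was issued for another site, while the verified one rejects both and also rejects the genuine token once it has expired. The audience check is the one integrators most often overlook: a token can be perfectly genuine and still not be meant for your site, which is exactly the kind of end-to-end question the report says website developers must answer themselves rather than assume the provider's API answers for them.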

In part, the trio's research validates a common reason that websites choose to act as identity providers (those that create IDs) rather than as relying parties (those that depend on another party's IDs to validate users): it is generally held to be harder to architect an authentication system as a relying party than as an identity provider. Yet for a distributed identity system to succeed, it needs a plethora of relying parties.

The OpenID Foundation announced the vulnerability discovery on its web site and said its board members worked to identify other affected web sites and alerted them to the fix.

OpenID, however, was only one of many identity schemes the report focused on, said Rui Wang.

The Foundation recommended that websites which do not use an OpenID relying-party implementation from one of the OpenID Foundation vendors review the researchers' report.

The research trio has been invited to present their 15-page report at the IEEE Symposium on Security and Privacy, May 20-23, 2012, in San Francisco. The annual symposium is a forum for presenting developments in computer security and electronic privacy.
