Flaws in Single Sign-on(SSO) services left Google,paypal,facebook vulnerable

Researchers from Microsoft and Indian University discovered security flaws in web-based single sign-on(SSO) services run by Google,Facebook,paypal and some other sites.

Researchers found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc.
Single Sign-on(SSO) service:
Single sign-on (SSO) is mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords.
Imagine that you visit Sears.com, a leading shopping website, or using Smartsheet.com, a popular project management web app, and try to get in your accounts there.  Sears allows you to sign in using your Facebook account, and Smartsheet lets the login go through Google. This way of authentication is known as single sign-on (SSO).

"Every flaw allows an attacker to sign in as the victim user." The report(PDF) reads, "This study shows that the overall security quality of SSO deployments seems worrisome.We hope that the SSO community conducts a study similar to ours, but in a larger scale, to better understand to what extentSSO is insecurely deployed and how to respond to the situation"

According to their report, they have shared their findings with the affected companies , who have acknowledged and thanked them for their contribution. All the reported flaws, except those discovered very recently, have been fixed.
Category: / /

Share this with Your friends: