Security Analysis for Single-Sign-On (SSO) Websites

What is web SSO?

Most likely you have already been using SSO all along. Many websites, such as NYTimes.com, Sears.com, and Renren.com, allow you to authenticate through Windows Live ID, Google ID, Facebook, Twitter, etc. Here is a slightly longer description of SSO.

Why do we set up this web service?

We studied a wide range of SSO websites and found numerous logic bugs. Each bug allows us to get into other people's online accounts. We will present the study at the Oakland Conference in May 2012. Here is the paper. Because these bugs are in the websites' integrations of SSO APIs, as opposed to the APIs themselves, we believe that the scope of the vulnerable websites is much bigger than what we have studied. We want the community to help expand the investigation effort.

This web service consists of an online tool, which we used in our study, and a discussion forum to track investigation cases. More information is provided in the rest of this page.

You can certainly contribute, if ...

  1. You know about any website using SSO;
  2. You are a website developer or a security investigator who wants to know if the SSO scheme on a particular website is vulnerable;
  3. You are a geek of web/browser technologies (but not necessarily web SSO). There may be critical unsolved questions waiting for you;
  4. You are a student/professor interested in using our website for your course projects. See more info.

Here is how you contribute.

  1. Let us know about any website using SSO by replying to this thread (use your Windows Live ID to log in first);
  2. You can create an SSO case by collecting raw traffic traces and submitting them to our analyzer. The instructions are described here. The analyzer will output abstract traces and label their elements;
  3. You can investigate SSO cases created by others;
  4. Web geeks, please read this thread. Answering these technical questions may lead to the discovery of critical vulnerabilities.

An example

Here is an example: the integration of Google ID on smartsheet.com. Open the case page by clicking this link. The top section of the post contains four labeled traces, one for the benign scenario and three for adversarial scenarios. You can click any of the four links to see the corresponding trace. To understand the notation in the traces, please read Sections 2 and 3 of the paper mentioned above. Hovering over an element shows the propagation chain of that element. Clicking an element brings up a dialog box for editing its attributes. Your job is to enhance the abstract traces and/or raise insightful questions about the security assumptions of the investigated website.

Support

We are committed to maintaining this web service and to supporting your contributions and investigations. For any question, please feel free to email us: Rui Wang (ruiwanATmicrosoftDOTcom), Shuo Chen (shuochenATmicrosoftDOTcom) and XiaoFeng Wang (xw7ATindianaDOTedu), or write a comment on this post, or post a new discussion. We are moderating the forum.

© 2012 Microsoft Corporation. All rights reserved.