Signing Me onto Your Accounts through Facebook and Google - A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

IEEE via YouTube

Overview

Explore a critical security study on commercially deployed single sign-on (SSO) web services, focusing on Facebook and Google implementations. Analyze the findings from the 2012 IEEE Symposium on Security & Privacy presentation, which uncovered 8 serious logic flaws in high-profile ID providers and relying party websites. Examine the unique technical challenges faced in analyzing real-world SSO schemes, including lack of access to well-documented protocols and the complexity of rich browser elements. Learn about the traffic-guided approach used to recover semantic information and identify potential exploit opportunities. Understand the implications of these security flaws, which allowed attackers to sign in as victim users, and the subsequent acknowledgments and fixes implemented by affected companies. Gain insights into the worrisome state of SSO deployment security and consider the need for larger-scale studies to improve the overall security of SSO implementations.

Syllabus

Signing Me onto Your Accounts through Facebook and Google

Taught by

IEEE Symposium on Security and Privacy
