Researchers Remotely Hijack Facebook Single Sign-On


Single Sign-On (SSO) is becoming the primary way users log into multiple web resources. Like any technology it has advantages and disadvantages, and its implementations can carry vulnerabilities of their own. The advantages of SSO are:

  1. The application does not store authentication records such as the user's sensitive credentials; it delegates authentication to the SSO provider.
  2. The user has one set of credentials for access to multiple resources.
  3. Credentials are presented once to the main system (the SSO provider); after that, every connected system can be accessed without authenticating again.

On the other hand, the disadvantages of SSO are:

  1. An attacker needs to compromise only one account (the SSO account) to gain access to every connected resource.
  2. The SSO provider is a single third party that must be trusted, and the relying applications have no insight into how it stores or transmits credentials.
  3. SSO adds another system to the authentication path, which means an additional source of vulnerabilities in the overall authentication picture.

New research published by the University of Illinois at Chicago shows that the most prevalent attacks and threats against SSO are phishing and sniffing/cookie hijacking. Cookie hijacking is the familiar problem of session cookies being transmitted over plaintext HTTP connections, and the paper documents exactly that case at Facebook: static content (loaded through the Like or Share button) exposed session cookies on staticxx.facebook.com.
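To make the cookie-exposure mechanism concrete, here is an added example (not code from the article or from the paper's authors) that models which cookies a browser attaches to a request, using RFC 6265 domain and path matching together with the Secure attribute. The cookie names, values and the idp.example / static.idp.example hosts are constructed for illustration. The point it shows is that a session cookie scoped to the parent domain and issued without the Secure attribute rides along on a plaintext request for a static resource on a subdomain, which is the pattern the paper describes for staticxx.facebook.com.

```python
"""Model which cookies a browser would attach to a plaintext HTTP request.

Added example, not code from the original article or from the paper's authors.
The cookie names, values and domains below are constructed for illustration.
"""
from __future__ import annotations

from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as an identity provider might issue them.
# Only "sess_weak" lacks the Secure attribute; it is the one that leaks.
SET_COOKIE_HEADERS = [
    "sess_weak=abc123; Domain=.idp.example; Path=/; HttpOnly",
    "sess_strong=def456; Domain=.idp.example; Path=/; Secure; HttpOnly",
    "pref=dark; Domain=www.idp.example; Path=/; Secure",
]


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and the attributes we model."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "value": morsel.value,
        # A leading dot on Domain is ignored by browsers (RFC 6265 5.2.3).
        "domain": morsel["domain"].lstrip(".").lower(),
        "path": morsel["path"] or "/",
        # Flag attributes are "" when absent and True when present.
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: request path equals the cookie path or extends it."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"


def cookies_sent_to(url: str, cookies: list[dict]) -> list[str]:
    """Return the names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    plaintext = parts.scheme == "http"
    req_path = parts.path or "/"
    sent = []
    for c in cookies:
        if plaintext and c["secure"]:
            continue  # Secure cookies are never sent over plaintext HTTP
        if not domain_matches(parts.hostname or "", c["domain"]):
            continue
        if not path_matches(req_path, c["path"]):
            continue
        sent.append(c["name"])
    return sent


def plaintext_exposure(url: str, headers: list[str]) -> list[str]:
    """Names of cookies exposed on the wire if url is fetched over plain HTTP."""
    if urlsplit(url).scheme != "http":
        return []
    return cookies_sent_to(url, [parse_set_cookie(h) for h in headers])


if __name__ == "__main__":
    cookies = [parse_set_cookie(h) for h in SET_COOKIE_HEADERS]
    for url in ("https://www.idp.example/", "http://static.idp.example/like.js"):
        print(url, "->", cookies_sent_to(url, cookies))
```

The check a practitioner would run against a real site is the same: collect the Set-Cookie headers the identity provider issues, then ask which of them the browser would attach to an http:// URL on any host under the cookie's Domain. Any session cookie that comes back from that question is hijackable by a passive network attacker, regardless of whether the login page itself used HTTPS.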

Single Sign-On access revocation attack


The paper also describes a high-severity vulnerability affecting the SSO provider. The SSO cookie issue was disclosed to Facebook, which applied a fix to resolve it. The single sign-off attack has a limitation as well: the victim is signed out of the SSO provider, which is itself an indication of suspicious activity and may alert the victim.

The published paper, which covers several attacks on SSO, is available at: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-ghasemisharif_0.pdf
