Researchers discover flaws in SSO that leave websites vulnerable

20 March 2012

Indiana University and Microsoft researchers have uncovered flaws in Web-based single sign-on (SSO) services run by Google, PayPal, Facebook, Twitter, and others that allow hackers to get access to users’ accounts.

A report prepared by the researchers cited poor integration by website developers of the application programming interfaces and a lack of end-to-end security checks as the reasons for the flaws.

“In this study, we discovered eight serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways”, the researchers wrote in their report.

Although the flaws have been fixed by the affected companies, “this study shows that the overall security quality of SSO deployments seems worrisome”, they noted.

Commenting on the report, Steve Watts, cofounder of two-factor authentication (2FA) provider SecurEnvoy, said that the fact the security flaws were discovered in social networking sites such as Facebook and Twitter should raise alarm.

“The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology,” he said.


Russell Loarridge says:

27 March 2012
Janrain takes protecting the security and integrity of our solutions and customer implementations very seriously. We have a long record of contributing to and following industry best practices and standards, particularly in the field of identity and authentication. Last year we were informed by the researchers of their discovery, which in itself is a textbook example of how such flaws should be identified and resolved. Of the eight identified logic flaws, only two applied to the Janrain solution and both issues were fixed immediately and prior to the flaws being made public. At that time there were no known examples of attacks using the techniques described by the researchers.
