A report prepared by the researchers cited poor integration by website developers of the application programming interfaces and a lack of end-to-end security checks as the reasons for the flaws.
“In this study, we discovered eight serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways”, the researchers wrote in their report.
Although the flaws have been fixed by the affected companies, “this study shows that the overall security quality of SSO deployments seems worrisome”, they noted.
Commenting on the report, Steve Watts, cofounder of two-factor authentication (2FA) provider SecurEnvoy, said that the fact the security flaws were discovered in social networking sites such as Facebook and Twitter should raise alarm.
“The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology,” he said.
Russell Loarridge says:
27 March 2012
Janrain takes protecting the security and integrity of our solutions and customer implementations very seriously. We have a long record of contributing to and following industry best practices and standards, particularly in the field of identity and authentication. Last year we were informed by the researchers of their discovery, which in itself is a textbook example of how such flaws should be identified and resolved. Of the eight identified logic flaws, only two applied to the Janrain solution and both issues were fixed immediately and prior to the flaws being made public. At that time there were no known examples of attacks using the techniques described by the researchers.
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.