"Who Let The Dogs Out?"
Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
Presented by Vincent Zhang

What the hell is Single-Sign-On?
Interactions among three parties:
1. the user (a browser)
2. the identity provider (IdP), e.g., Facebook
3. the relying party (RP), e.g., Sears

Challenges and Motivations
Wait... how is this challenging?
- No prior research, well, basically none
- Nobody gives a ****; everyone assumed it just worked
- Dirtier and more painful than gcc debugging
Then why do you (the actual researchers) care?
- Because we can?
- To answer the question: just how secure is it?
- Actually, it's a big deal, and you should care

Basic Workflow
But thankfully, it's "browser-centric"!

Browser-Relayed Messages (BRMs)
Every message the browser relays between RP and IdP can be written down like this:
src=a.com  dst=Facebook.com/a/foo.php
Set-Cookie: sessionID=6734259
Arguments: x=123 & user=alice
Cookies: fbs=a1b2c3 & foo=43da2c2a
...

Threats and Adversary Models

Case Study: Google ID
- The signed token is passed at BRM3 (openid.sig)
- At BRM1, everything is exposed and writable by whoever drives the browser, including which attributes the RP asks for
- At BRM3, the IdP fills in the data requested in BRM1 (email, firstname, etc.)

Case Study: Google ID - Flaw and exploit
"Does the RP check whether the email element in BRM3 is protected by the IdP's signature, even though the protection has been required by BRM1?"
- Bob rewrites BRM1 in his own browser so that the email is no longer requested
- Google's BRM3 is then signed, but carries no email element
- Bob appends an unsigned email element naming Alice; openid.sig still verifies over the fields Google did sign
- An RP that reads the email without checking that the signature covers it logs Bob in as Alice

Case Study: Facebook Login
- BRM1: the RP (NYTimes) declares its identity to the IdP
- BRM2: the secret token ("result") comes back from an API call
- BRM3: carries the secret token from BRM2 to the RP
- Finally, access is granted by Facebook

Case Study: Facebook Login - Flaw and exploit
- Same issue: BRM1 is writable, so Bob can declare himself as the RP
- The simple approach failed at first because of the same-origin policy (S.O.P.)
- Second try: Bob as Bob.com
- Abuse Flash's cross-domain mode ("unpredictable domain" communication) to get at the token

Case Study: JanRain
- JanRain is a unique case: a wrapper that stands in as the IdP, so the flow is more complex
- BRM1: the RP informs JanRain of its settings
- BRM2~4: as seen before
- BRM5~7: pass the secret and retrieve the profile data
Case Study: JanRain - Flaw and exploit
- JanRain checks token_url against a whitelist, and checks it twice
- Our idea: steal loc at BRM5
- Register Bob_App.rpxnow.com
- Create our own whitelist and add Bob himself to it
- Mask the data after Alice visits Bob.com
- Pass BRM5~7

Case Study: Freelancer.com
- A user registers an individual account; later it gets linked to Facebook
- Linking process explained
- Flaw and exploit?

Commonalities in the Investigations
1. Understand the two essential problems:
   a. either a secret token is sent to Bob,
   b. or an authentic token is forged by Bob
2. Locate the token in the BRMs and in the signature process
3. Apply the adversary scenarios to break in (recall Bob's three ninja strategies!)

What can be learned?
1. Detailed analysis is necessary; today it takes human creativity and domain knowledge, hopefully automated tools in the future
2. RP developers should be the final gatekeepers, but usually they do not realize it
3. API designs are abstract, but security lives in the complex details and operational semantics. Design and utilize them with

Done. Thank you!
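Backup slide: worked example for the Google ID case and for commonality (b), "an authentic token forged by Bob". This is an added illustration, not code from the paper, from the original slides, or from Google's or any RP's implementation. It models an OpenID 2.0 IdP that signs exactly the fields named in openid.signed (HMAC-SHA256 over the spec's key:value lines), a vulnerable RP that trusts openid.ext1.value.email after verifying openid.sig, and a hardened RP that additionally requires every field it consumes to be listed in openid.signed. The association key, the account data, the URLs, the nonce and the attack() driver are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed for this example: the association MAC key the IdP and RP would have
# negotiated, the AX schema URI for email, and the honest BRM1 the RP emits.
ASSOC_MAC_KEY = b"constructed-association-mac-key"
EMAIL_TYPE = "http://axschema.org/contact/email"
HONEST_BRM1 = {
    "openid.mode": "checkid_setup",
    "openid.return_to": "https://rp.example/openid/return",  # hypothetical RP URL
    "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
    "openid.ext1.mode": "fetch_request",
    "openid.ext1.required": "email",
    "openid.ext1.type.email": EMAIL_TYPE,
}
BOB_ACCOUNT = {"claimed_id": "https://idp.example/id/bob", "email": "bob@example.com"}


def _sig_payload(fields, signed):
    # OpenID 2.0 key-value form: "key:value\n" per signed key, without the "openid." prefix.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def idp_respond(brm1, account):
    """IdP side (Google-style): build BRM3 from whatever BRM1 says, returning only the
    AX attributes BRM1 asked for and signing exactly the fields listed in openid.signed."""
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": account["claimed_id"],
        "openid.identity": account["claimed_id"],
        "openid.return_to": brm1["openid.return_to"],
        "openid.response_nonce": "2012-05-20T10:00:00Zabc123",  # constructed nonce
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
        "openid.ext1.mode": "fetch_response",
    }
    signed = ["claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.ext1", "ext1.mode"]
    for alias in filter(None, brm1.get("openid.ext1.required", "").split(",")):
        resp[f"openid.ext1.type.{alias}"] = brm1[f"openid.ext1.type.{alias}"]
        resp[f"openid.ext1.value.{alias}"] = account[alias]
        signed += [f"ext1.type.{alias}", f"ext1.value.{alias}"]
    resp["openid.signed"] = ",".join(signed)
    mac = hmac.new(ASSOC_MAC_KEY, _sig_payload(resp, signed), hashlib.sha256).digest()
    resp["openid.sig"] = base64.b64encode(mac).decode()
    return resp


def rp_verify_signature(brm3):
    """RP side: recompute the HMAC over the fields the IdP says it signed."""
    try:
        signed = brm3["openid.signed"].split(",")
        expected = hmac.new(ASSOC_MAC_KEY, _sig_payload(brm3, signed), hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(brm3["openid.sig"]))
    except (KeyError, ValueError):
        return False


def rp_login_vulnerable(brm3):
    """The Google ID flaw: the signature is checked, but the email is read without
    checking that the signature covers it. Returns the email the RP logs in as, or None."""
    if not rp_verify_signature(brm3):
        return None
    return brm3.get("openid.ext1.value.email")


def rp_login_hardened(brm3):
    """Every field the RP relies on must be in openid.signed, return_to must be ours,
    and the email alias must really carry the email AX type; otherwise reject."""
    if not rp_verify_signature(brm3):
        return None
    signed = set(brm3["openid.signed"].split(","))
    needed = {"claimed_id", "identity", "return_to", "ext1.type.email", "ext1.value.email"}
    if not needed <= signed:
        return None
    if brm3["openid.return_to"] != HONEST_BRM1["openid.return_to"]:
        return None
    if brm3["openid.ext1.type.email"] != EMAIL_TYPE:
        return None
    return brm3["openid.ext1.value.email"]


def attack(bob_account):
    """Bob's exploit: rewrite BRM1 so no email is requested, let the IdP sign a BRM3 that
    says nothing about email, then append an unsigned email element naming Alice."""
    tampered_brm1 = dict(HONEST_BRM1, **{"openid.ext1.required": ""})
    brm3 = idp_respond(tampered_brm1, bob_account)
    brm3["openid.ext1.type.email"] = EMAIL_TYPE
    brm3["openid.ext1.value.email"] = "alice@example.com"  # victim's address, constructed
    return brm3


if __name__ == "__main__":
    forged = attack(BOB_ACCOUNT)
    print("signature verifies:", rp_verify_signature(forged))
    print("vulnerable RP logs in as:", rp_login_vulnerable(forged))
    print("hardened RP logs in as:", rp_login_hardened(forged))
    print("hardened RP, honest flow:", rp_login_hardened(idp_respond(HONEST_BRM1, BOB_ACCOUNT)))
```

The point is the set-inclusion check in rp_login_hardened: a valid openid.sig proves only what openid.signed lists, and BRM1 is in Bob's hands, so the RP cannot assume that what it asked for is what came back signed.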