DeepAI AI Chat
Log In Sign Up

SSO-Monitor: Fully-Automatic Large-Scale Landscape, Security, and Privacy Analyses of Single Sign-On in the Wild

by   Maximilian Westers, et al.

Single Sign-On (SSO) shifts the crucial authentication process on a website to to the underlying SSO protocols and their correct implementation. To strengthen SSO security, organizations, such as IETF and W3C, maintain advisories to address known threats. One could assume that these security best practices are widely deployed on websites. We show that this assumption is a fallacy. We present SSO-MONITOR, an open-source fully-automatic large-scale SSO landscape, security, and privacy analysis tool. In contrast to all previous work, SSO-MONITOR uses a highly extensible, fully automated workflow with novel visual-based SSO detection techniques, enhanced security and privacy analyses, and continuously updated monitoring results. It receives a list of domains as input to discover the login pages, recognize the supported Identity Providers (IdPs), and execute the SSO. It further reveals the current security level of SSO in the wild compared to the security best practices on paper. With SSO-MONITOR, we automatically identified 1,632 websites with 3,020 Apple, Facebook, or Google logins within the Tranco 10k. Our continuous monitoring also revealed how quickly these numbers change over time. SSO-MONITOR can automatically login to each SSO website. It records the logins by tracing HTTP and in-browser communication to detect widespread security and privacy issues automatically. We introduce a novel deep-level inspection of HTTP parameters that we call SMARTPARMS. Using SMARTPARMS for security analyses, we uncovered URL parameters in 5 Client Application (Client) secret leakages and 337 cases with weak CSRF protection. We additionally identified 447 cases with no CSRF protection, 342 insecure SSO flows and 9 cases with nested URL parameters, leading to an open redirect in one case. SSO-MONITOR reveals privacy leakages that deanonymize users in 200 cases.


page 1

page 5

page 16


PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?

The OpenSSF Scorecard project is an automated tool to monitor the securi...

State of Security and Privacy Practices of Top Websites in the East African Community (EAC)

Growth in technology has resulted in the large-scale collection and proc...

Security and Privacy Analyses of Internet of Things Toys

This paper investigates the security and privacy of Internet-connected c...

Shepherd: Enabling Automatic and Large-Scale Login Security Studies

More and more parts of the internet are hidden behind a login field. Thi...

OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Millions of users routinely use Google to log in to websites supporting ...

Measuring HTTP/3: Adoption and Performance

The third version of the Hypertext Transfer Protocol (HTTP) is currently...

An Empirical Evaluation of the Implementation of the California Consumer Privacy Act (CCPA)

On January 1, 2020, California passed the California Consumer Privacy Ac...