Security And Privacy Of Social Logins (I): Single Sign-On Protocols In The Wild

This post is the first out of three blog posts summarizing my (Louis Jannett) research on the design, security, and privacy of real-world Single Sign-On (SSO) implementations. It is based on my master's thesis that I wrote between April and October 2020 at the Chair for Network and Data Security.

We structured this blog post series into three parts according to the research questions of my master's thesis: Single Sign-On Protocols in the Wild, PostMessage Security in Single Sign-On, and Privacy in Single Sign-On Protocols.

Overview

Part I: Single Sign-On Protocols in the Wild

Although previous work uncovered various security flaws in SSO, it did not work out uniform protocol descriptions of real-world SSO implementations. We summarize our in-depth analyses of Apple, Google, and Facebook SSO. We also refer to the sections of the thesis that provide more detailed insights into the protocol flows and messages.
It turned out that the postMessage API is commonly used in real-world SSO implementations. We introduce the reasons for this and propose security best practices on how to implement postMessage in SSO. Further, we present vulnerabilities on top-visited websites that caused DOM-based XSS and account takeovers due to insecure use of postMessage in SSO.

Part III: Privacy in Single Sign-On Protocols (coming soon)

Identity Providers (IdPs) use "zero-click" authentication flows to automatically sign in the user on the Service Provider (SP) once it is logged in on the IdP and has consented. We show that these flows can harm user privacy and enable new targeted deanonymization attacks of the user's identity.

Single Sign-On Protocols in the Wild

We presume basic knowledge of the SSO protocols OAuth 2.0 and OpenID Connect 1.0
Also, you should be familiar with the postMessage API and the general concept of frames and popups in web browsers. Chapter 2 of the thesis introduces all basics.

To understand real-world SSO implementations, we selected three frequently used IdPs for detailed protocol analyses: Apple, Google, and Facebook. You can find an overview of all Authentication Request/Response and Token Request/Response messages in Appendix A.1 of the thesis.

Identity Provider: Apple

Sign in with Apple is intended for user authentication only, whereas the authorization part is reserved for future use. Besides native libraries for iOS, macOS, tvOS, and watchOS, REST endpoints provide SSO functionality to third-party native apps. Websites can integrate the JavaScript SDK that is based on these endpoints. Although the Authentication and Token Endpoints perform standard-compliant OpenID Connect Code and Hybrid flows (`response_type=code[&id_token]`, `response_mode=query|fragment|form_post|web_message`), there are some features in the authentication & consent part worth mentioning:
  • The native libraries are tightly integrated into the OS using the existing authentication on the device. Thus, biometric user authentication is possible.
  • Apple does not maintain an authenticated session at the IdP. Thus, each (web) SSO flow requires reauthentication.
  • The user authentication is protected with 2FA by default. If the 2FA succeeds, users can choose to trust the browser, which stores a cookie that supersedes future 2FA.
  • The scope is limited to the name, which can be modified, and email.
  • Users can choose to share their real email with the SP or request Apple to generate an anonymous random email that acts as a proxy between the SP and the user's email account.
More details are provided in Section 3.2 of the thesis.

Identity Provider: Google

The Google Identity Platform provides several identity tools, including:
  • Google OAuth 2.0 and OpenID Connect 1.0: Certified OpenID Connect endpoints enable user authentication and authorization for Google APIs (i.e., Calendar, Drive, and more).
  • Google Sign-In: Custom authentication SDK based on the OAuth 2.0 IDP-IFrame-based Implicit Flow and available for Android, iOS, and the web. The web SDK embeds a hidden proxy iframe on the SP website and uses the postMessage API to communicate between Google and the SP. Since the proxy iframe is same-origin with Google, it has access to the session, receives the Authentication Response, and forwards it to the SP utilizing the postMessage API.
  • Google One Tap Sign-In and Sign-Up: SDK for Android and the web that introduces the account creation process on websites with a single tap on a button. The web SDK presumes an active session on Google, embeds the consent page in an iframe on the SP website, and uses the Channel Messaging API for communication between the SP and Google. Therefore, the web SDK on the SP generates a new `MessageChannel` with two ports and transfers `port2` to the consent page iframe with postMessage. Henceforth, the consent page iframe sends messages (i.e., the `id_token`) to `port2` while the web SDK receives them on `port1` and vice versa.
Since the One Tap SDK is quite different from traditional SSO flows, we will briefly outline its unique use of new web APIs. The project initially launched as Google YOLO (You Only Login Once) and had a significant drawback: the consent page iframe was vulnerable to clickjacking. This issue was reported in early 2018 and fixed with restricted API access to trusted websites. Later, Google redesigned the SDK with the new Intersection Observer API v2 that it announced in February 2019:
Intersection Observer v2 introduces the concept of tracking the actual "visibility" of a target element as a human being would define it. [...] A true value for isVisible is a strong guarantee from the underlying implementation that the target element is completely unoccluded by other content and has no visual effects applied that would alter or distort its display on screen. In contrast, a false value means that the implementation cannot make that guarantee. 

This new API enables the consent page iframe to check whether it is visible on the SP website. If it is not visible, the iframe can block the consent or start alternative flows. Unlike the `X-Frame-Options` and `frame-ancestors` directives, Intersection Observer v2 does not prohibit iframe embedding. Still, it prevents clickjacking, which is helpful for the SSO consent page.

Sidenote 1: OAuth 2.0 Assisted Token describes a new flow that similarly embeds the consent page in an iframe but uses `X-Frame-Options`, `frame-ancestors`, or JavaScript frame busting as clickjacking mitigation. Since the IdP knows the SP to which it serves the consent page, it whitelists the SP origin within the framing directives, i.e., `X-Frame-Options: allow-from https://sp.com`:
Due to the use of an iframe to host the assisted token endpoint, the authorization server MUST take precautions to ensure that only trusted origins are allowed to frame it. The authorization server MUST prevent any origin from framing the assisted token endpoint except ones that an administrator has explicitly allowed. 

However, these anti-framing techniques do not prevent the trusted origins from executing a clickjacking attack to obtain consent by fraud. Thus, the IdP must take any measures deemed appropriate to ensure that the SP is trusted to not execute any clickjacking attacks. This limitation causes problems to public IdPs (i.e., Google and Facebook) as they certainly cannot ensure the trustworthiness of their self-registered SPs. If the SP cannot be trusted, the consent page must be protected against framing (i.e., using `X-Frame-Options: deny`) and alternative flows may be started.

We are confident that the Intersection Observer v2 API provides a promising concept for future "one-tap" SSO flows because it allows framing the consent page (and thus entire SSO flows in iframes) without the risk of clickjacking. Currently, only Chromium-based browsers are compatible with Intersection Observer v2, but this might change in the future.

Sidenote 2: If you analyze the security of postMessage on websites, you probably use a browser extension that logs all messages exchanged via the postMessage API. We developed a Chrome extension that logs all messages sent via the Channel Messaging API to the console. If you conduct postMessage security analyses, we highly recommend checking the Channel Messaging API as well.

More details are provided in Section 3.3 of the thesis.

Identity Provider: Facebook

Facebook Login implements the OAuth 2.0 protocol for data access authorization and user authentication. Although OpenID Connect 1.0 defines the signed `id_token`, Facebook issues an `access_token` for user authentication. The `access_token` provides authorized access to Facebook's Token Debugging Endpoint, which returns the `app_id` of the SP that this token is intended for (`aud` claim), the `user_id` of the user that owns this token (`sub` claim), the validity, the expiration, the associated scopes, and more.

Also, Facebook issues a `signed_request`, which is a base64url-encoded and symmetrically integrity protected token. It is not a JWT – instead, it prepends the HMAC to the claims as follows: `<hmac_bytes>.{"user_id": "[...]", "code": "[...]", "algorithm": "HMAC-SHA256", "issued_at": 1577836800}`. Although the `signed_request` does not include an audience (`aud`) claim, it implicitly provides audience restriction with its symmetric HMAC that is generated with the `app_secret` of the appropriate SP. If the SP successfully verifies the HMAC, it can assume that it was issued by Facebook for itself. The SP uses the `user_id` and `code` claims to authenticate the user, i.e., it retrieves the user entry matching the `user_id` from its database or redeems the `code` in exchange for an `access_token`, which is finally sent to the Token Debugging Endpoint.

Facebook does not issue `refresh_tokens` but instead distinguishes between short-lived (approx. 60 minutes) and long-lived (approx. 60 days) `access_tokens`. Short-lived tokens are converted into long-lived tokens with `grant_type=fb_exchange_token` at the Token Endpoint. If long-lived tokens expire, the SP needs to restart the login flow from scratch to receive new short-lived `access_tokens`.

More details are provided in Section 3.4 of the thesis.

Acknowledgments

My thesis was supervised by Christian Mainka, Vladislav Mladenov, and Jörg Schwenk. Huge "thank you" for your continuous support, advice, and dozens of helpful tips. 
Also, special thanks to Lauritz for his feedback on this post and valuable discussions during the research. Check out his blog post series on Real-life OIDC Security as well.

Authors of this Post

Louis Jannett

Read more


  1. Hacking Tools For Windows Free Download
  2. Hacking Tools 2020
  3. Hacking Tools
  4. Hacking Tools Pc
  5. Nsa Hacker Tools
  6. Hacking Tools Windows
  7. Tools 4 Hack
  8. Install Pentest Tools Ubuntu
  9. Hack Tools For Games
  10. Wifi Hacker Tools For Windows
  11. Pentest Tools For Android
  12. Hacking Tools For Kali Linux
  13. Hacking Tools Hardware
  14. Nsa Hacker Tools
  15. Hacker Tools Software
  16. Usb Pentest Tools
  17. Usb Pentest Tools
  18. Pentest Box Tools Download
  19. Hacking Tools For Windows Free Download
  20. Hacker Tools Free
  21. Pentest Box Tools Download
  22. Hacker Tools List
  23. Hacker Tools For Ios
  24. Free Pentest Tools For Windows
  25. Hacker Tools Apk Download
  26. Wifi Hacker Tools For Windows
  27. Pentest Tools Linux
  28. Hacking Apps
  29. Hack Tools Mac
  30. Hack Tools Mac
  31. Hacker
  32. Pentest Tools Bluekeep
  33. Hacker Tools For Ios
  34. Pentest Tools Framework
  35. Hacking Tools For Beginners
  36. Hack Apps
  37. Hacker Tools Linux
  38. Hacker Hardware Tools
  39. Pentest Tools Find Subdomains
  40. Pentest Box Tools Download
  41. Hacking Tools For Games
  42. Pentest Automation Tools
  43. Wifi Hacker Tools For Windows
  44. Hackers Toolbox
  45. Hacking Tools Pc
  46. Pentest Tools Linux
  47. Pentest Tools For Windows
  48. Hack Apps
  49. Game Hacking
  50. Pentest Tools
  51. Pentest Tools Android
  52. Pentest Tools For Ubuntu
  53. Usb Pentest Tools
  54. Hack Tools For Pc
  55. Hacking Tools And Software
  56. Hacker Tools Online
  57. Hacking Tools Hardware
  58. Hacking Tools For Games
  59. Hack Tool Apk
  60. Hacking Tools Usb
  61. Pentest Tools Tcp Port Scanner
  62. Hacker Tools Software
  63. Pentest Tools Online
  64. Hacking Tools Usb
  65. Install Pentest Tools Ubuntu
  66. Pentest Recon Tools
  67. Hacking Tools Windows
  68. Hacking Tools
  69. Hacker Tools Apk
  70. Hacking Tools And Software
  71. Hacking Tools Name
  72. Hacking Tools Download
  73. Hack Tools Download
  74. Pentest Tools Subdomain
  75. Hacking Tools Github
  76. Pentest Tools Url Fuzzer
  77. Hack Tools Online
  78. Hackrf Tools
  79. Hacking Tools Software
  80. Pentest Tools Subdomain
  81. Nsa Hack Tools Download
  82. Hack Tools For Games
  83. Tools 4 Hack
  84. Kik Hack Tools
  85. Hacking Tools Software
  86. Hacking Tools Hardware
  87. Hacker Tools For Windows
  88. Hacker Tools Software
  89. Pentest Tools Online
  90. Hacker Tools For Pc
  91. Hacking Tools
  92. World No 1 Hacker Software
  93. Pentest Reporting Tools
  94. Pentest Tools Open Source
  95. Hacking Tools And Software
  96. Growth Hacker Tools
  97. Hacker Tool Kit
  98. Pentest Tools Linux
  99. Nsa Hack Tools Download
  100. Hacking Tools Kit
  101. Hack Tools For Pc
  102. Hack Tools
  103. Pentest Tools For Mac
  104. Hacker Tools Free
  105. Nsa Hack Tools
  106. Pentest Tools List
  107. Hacking Tools Github
  108. Pentest Automation Tools
  109. Pentest Tools List
  110. Hacking Tools Download
  111. Pentest Tools Review
  112. Hacker Tools For Windows
  113. Hack App
  114. Hacker Tools List
  115. Ethical Hacker Tools
  116. Wifi Hacker Tools For Windows
  117. What Are Hacking Tools
  118. Hacking Tools Hardware
  119. Pentest Tools Find Subdomains
  120. Hackrf Tools
  121. Pentest Tools Website
  122. Pentest Tools Framework
  123. Kik Hack Tools
  124. Pentest Tools Android
  125. Hack Tools Download
  126. Hack Tools Mac
  127. Blackhat Hacker Tools
  128. Top Pentest Tools
  129. Pentest Tools Alternative
  130. Hacker Tools Online
  131. Pentest Tools Android
  132. Hacking Tools Software
  133. Pentest Tools Alternative
  134. What Are Hacking Tools
  135. Hacker Tools Free
  136. Hackers Toolbox
  137. Pentest Tools Subdomain
  138. Black Hat Hacker Tools
  139. Pentest Reporting Tools
  140. Hacking Apps
  141. Hacking Tools And Software
  142. Hacking Tools For Beginners
  143. Easy Hack Tools
  144. Hacking Tools Kit
  145. Bluetooth Hacking Tools Kali
  146. Hacker Tools Free Download
  147. Pentest Tools Linux
  148. Pentest Tools
  149. Hackers Toolbox
  150. Hacker Tools Software
  151. Hacker Tools Linux
  152. Hacking Tools Pc
  153. Hack Tools For Ubuntu
  154. Hacking Tools Hardware
  155. Hacking Apps
  156. Hack Tools
  157. Black Hat Hacker Tools
  158. Hack Tools For Games
  159. Hacker Tools For Ios
  160. Pentest Tools Website Vulnerability
  161. Hacker Tools For Windows
  162. Hacking Tools Online
  163. Hacking Tools
  164. Hacking Tools Download
  165. Computer Hacker
  166. Hack Tools For Pc
  167. Pentest Automation Tools
  168. Hacker Hardware Tools
  169. Nsa Hacker Tools
  170. Hacker Tools Windows
  171. Hackrf Tools
  172. Best Hacking Tools 2020
  173. Hack App
  174. Hacker Tools For Ios

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)