As more and more organizations tap into single sign-on (SSO) schemes through Web services providers such as Google and Facebook, new research suggests that they must better plan how they implement SSO APIs lest they leave users open to attack.
New findings by Microsoft Research found troubling logic flaws in SSO for Facebook, Google ID, PayPal, and other Web services that threaten a large number of users online.
"All these flaws allow the attacker to sign in as the victim to her accounts on the websites using SSO services even without knowing the victim's password," says Dr. XiaoFeng Wang, associate professor of computer science at Indiana University at Bloomington and co-author of the report with Rui Wang and Shuo Chen.
"IT decision-makers should realize the security risk that comes with the convenience of SSO.
Most problems we discovered actually can be fixed through correct integration on the website part.
In other words, if the developer of these websites incorporate such SSO services carefully, SSO can be more secure," Wang says.
According to the report, many of the problems associated with spotting flaws in Web services SSO implementations are a result of individual developer's idiosyncratic methods of integrating the APIs, SDKs, and sample code offered up by identity providers.
Automated summary from: Darkreading.com