
If you’ve ever used an app on your phone or created an account on a website, you have probably come across single sign-on (SSO), often in the form of a “social login”. Social logins let you use one username and password across the many websites and apps you use, so you can manage your online life without a separate account (and the inevitable password resets) for each. While social logins create efficiency and ease, relying on one identity for everything also concentrates your risk: whoever can sign in as you at the identity provider can sign in as you everywhere that trusts it. In this article, we’ll explore what social logins are, how they work and the risks involved.

What is a Single Sign-On or Social Login?

A social login is a form of single sign-on that lets you use an existing account with a social networking service, such as Facebook or Twitter, to sign in to a third party website. Users no longer need to create multiple accounts with many combinations of usernames and passwords. Social logins are designed to simplify logins for users and to give websites identity information that comes from the provider rather than from a sign-up form. Survey research has also reported that a majority of web users (77% in one survey) preferred using an SSO.

How Do They Work?

Ever wondered how Angry Birds allows you to use your Facebook login details to log in to the Angry Birds App?

Let’s say a third party website allows you to sign in with Facebook. The site embeds a Facebook login button (a plugin or widget) that sends your browser to Facebook, where you enter your Facebook credentials. You never type your Facebook password into the third party site. Facebook then sends the site a signed message (a token) that asserts who you are, together with whatever profile details you agreed to share, and the site uses that token to decide which of its own accounts to log you into. The third party site does not hold your Facebook password, but it does receive and rely on that token, and the security of the whole arrangement rests on the token being checked correctly.

Are There Any Risks?

Using just one set of login details for all your applications and social networks can open you up to security risks online. A research team at Indiana University looked at the risks associated with SSOs or social logins.

Rui Wang, Shuo Chen and XiaoFeng Wang examined the security of social logins and released a paper on the topic in March 2012 (“Signing Me onto Your Accounts through Facebook and Google”). The trio reported an extensive study of social login mechanisms, finding eight serious logic flaws in high-profile identity providers and the third party websites that rely on them. The list included Facebook, Janrain, FarmVille, Freelancer and OpenID (including Google ID and PayPal Access).

Methodology of the Study

Chen and the two Wangs looked at Google and in one of their examples.

The team obtained the information that Google, as the social login provider, needed to provide to to prove the identity of the user the browser represented.

The information contained an element which indicated that the SSO was based on a ‘signed token’. The team found that some elements of the ‘signed token’ were writable by an adversary (here, anyone who controls their own browser and can edit the messages it sends) because they were not under signature protection: the provider signed only part of the message, and the rest travelled alongside unprotected.

The team then confirmed the flaw with a working exploit, abusing the common practice of a website using an email address as the username. They removed ‘email’ from the list of signed elements that needed to be provided to and supplied a victim’s email address in the part of the message the signature did not cover. Because the website still used that email to choose which account to log into, the team were able to log on as another user from their own browser, without ever touching the victim’s account at the provider.
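To make the flaw pattern concrete, here is an added example (constructed for this article, not code from the researchers, from Google or from any real identity provider) of a toy identity provider and relying party. The provider signs only part of its assertion; the relying party’s vulnerable login trusts an unsigned email field to pick the local account, while its hardened login uses only claims under the signature. The HMAC key, the user names and the token layout are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed demo, not code from the paper or from any real identity provider.
# A shared HMAC key stands in for the provider's signing key (assumption).
IDP_SECRET = b"demo-idp-signing-key"

# Constructed relying-party (RP) user table keyed by email address,
# the "email as username" practice the study exploited.
RP_USERS = {
    "alice@example.com": "alice-rp-account",
    "bob@example.com": "bob-rp-account",
}


def _canonical(claims: Dict[str, Any]) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: bytes) -> str:
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()


def idp_issue(signed_claims: Dict[str, Any], unsigned_attrs: Dict[str, Any]) -> Dict[str, Any]:
    """Identity provider builds an assertion. The signature covers only
    `signed_claims`; `unsigned_attrs` ride alongside with no protection."""
    payload = _canonical(signed_claims)
    return {
        "payload": base64.urlsafe_b64encode(payload).decode(),
        "sig": _sign(payload),
        "attrs": dict(unsigned_attrs),
    }


def verify_signed_claims(token: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the claims under the signature, or None if the signature fails."""
    payload = base64.urlsafe_b64decode(token["payload"])
    if not hmac.compare_digest(_sign(payload), token["sig"]):
        return None
    return json.loads(payload)


def rp_login_vulnerable(token: Dict[str, Any]) -> Optional[str]:
    """Flawed RP: checks the signature, then picks the local account from the
    unsigned 'email' attribute. Anyone who edits that field picks the account."""
    if verify_signed_claims(token) is None:
        return None
    return RP_USERS.get(token["attrs"].get("email"))


def rp_login_hardened(token: Dict[str, Any]) -> Optional[str]:
    """Hardened RP: only claims under the signature decide identity. A token
    whose signed part lacks 'email' is refused, not completed from the
    unsigned part."""
    claims = verify_signed_claims(token)
    if claims is None or "email" not in claims:
        return None
    return RP_USERS.get(claims["email"])


def tamper_payload(token: Dict[str, Any], **changes: Any) -> Dict[str, Any]:
    """Attacker rewrites the signed part (e.g. changes 'email') without the key."""
    claims = json.loads(base64.urlsafe_b64decode(token["payload"]))
    claims.update(changes)
    forged = dict(token)
    forged["payload"] = base64.urlsafe_b64encode(_canonical(claims)).decode()
    return forged


def demo():
    # The attacker (Bob) obtains a legitimate token for his own account from a
    # provider that signs the user id but leaves email outside the signature.
    bob = idp_issue({"sub": "idp-user-42"}, {"email": "bob@example.com"})
    forged = dict(bob)
    forged["attrs"] = {"email": "alice@example.com"}   # unsigned field: free to edit
    vulnerable = rp_login_vulnerable(forged)           # Bob is logged in as Alice

    # Same forged token against the hardened RP: the unsigned attribute is
    # ignored and the signed part carries no email, so login is refused.
    hardened_unsigned = rp_login_hardened(forged)

    # If the attacker instead edits the signed part, the signature fails.
    bob_signed = idp_issue({"sub": "idp-user-42", "email": "bob@example.com"}, {})
    hardened_tampered = rp_login_hardened(
        tamper_payload(bob_signed, email="alice@example.com"))

    # A genuine token still works against the hardened RP.
    legit = rp_login_hardened(bob_signed)
    return vulnerable, hardened_unsigned, hardened_tampered, legit


if __name__ == "__main__":
    print(demo())
```

The point of the example is the one the study makes: checking that a signature is valid is not the same as checking that the field you act on is under that signature. The hardened relying party fails closed when the identity field it needs is missing from the signed claims instead of falling back to unprotected data.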

Results and Outcome

Every flaw the research team identified allowed an adversary to sign in as the victim user. The team reported their findings to the affected companies, who acknowledged the reports and fixed all the reported flaws.

However, the team commented that the ‘overall security quality of SSO deployment seems worrisome’. The study showed that security-critical logic flaws do exist in SSO systems, that they can be discovered simply by inspecting the messages passing through the browser, and that they can be practically exploited by a party without access to source code or other insider knowledge of these systems.

Other Concerns

Often when you use SSOs, the third party website asks for access to your information. For example, if you use your Facebook details to login, the third party website might ask you for access to the information contained in the “About You” section (age, school, likes, movies, shows) or places you have tagged yourself or been tagged in.

When you use an SSO, you are giving away valuable information to third party websites. This information allows websites to build a profile and social graph to target you with personalised content. Are you comfortable with websites knowing more and more about you?

What Can You Do

If you are concerned about your privacy or the security issues involved with SSOs, the simplest strategy is not to use them. As an alternative, you can sign up and create an account with each website you use, so you remain in control of the information you provide. That only reduces your risk if each account gets its own password; reusing one password across separately created accounts recreates the same single point of failure. If you do keep using social logins, read the list of permissions a site requests before approving it, and periodically remove sites you no longer use from your social network’s list of connected apps.

Key Takeaways

Social logins are increasingly used to create a better user experience for internet users and to allow websites to gather even more information about users on their platforms. Using just one set of login details concentrates risk, and it is worrying that a dedicated research team found relatively simple logic flaws in commonly used SSOs just by examining what passed through the browser. If the risks of using a single sign-on concern you, choose to create a new account (with its own password) with each site or social network so that you remain in better control of your personal information and login details. If you have any questions, get in touch with our IT lawyers on 1300 544 755.

