
If you have ever used an app on your phone or created an account on a website, you have probably come across single sign-on (SSO), often called a “social login”. Social logins let you keep one username and password for the many websites and accounts you use, so you can manage your online life without constant password resets. While social logins create efficiency and ease, relying on one ID and password may expose you to more risk online. In this article, we’ll explore what social logins are, how they work and the risks involved.

What is a Single Sign-On or Social Login?

Social logins are a form of single sign-on: users sign in to a third party website with the account they already hold at a social networking service such as Facebook or Twitter. Users no longer need to create multiple accounts with many combinations of usernames and passwords. Social logins are designed to simplify logins for users and to give websites more reliable information about who is signing in. Studies have also shown that the majority of web users surveyed (77%) preferred using an SSO.

How Do They Work?

Ever wondered how Angry Birds allows you to use your Facebook login details to log in to the Angry Birds App?

Let’s say a website allows you to use your Facebook sign in details to log in. The social login or SSO links to Facebook through a plugin or widget, which sends you to Facebook to enter your Facebook credentials. Facebook then confirms your identity to the third party site, typically by passing a signed token back through your browser. The third party site never sees your Facebook password, although, as discussed below, it may be granted access to other information in your profile.

Are There Any Risks?

Using just one set of login details for all your applications and social networks can open you up to security risks online. A research team from Indiana University and Microsoft Research looked at the risks associated with SSOs or social logins.

Rui Wang, Shuo Chen and XiaoFeng Wang looked at the security flaws of social logins and released a paper on the topic in March 2012. The trio reported an extensive study of social login mechanisms, finding eight serious logic flaws in high-profile identity providers and the third party websites that rely on them. The list included Facebook, Janrain, FarmVille, Sears.com, Freelancer and OpenID (including Google ID and PayPal Access).

Methodology of the Study

One of the team’s examples involved Google ID and smartsheet.com.

The team captured the messages that Google, as the identity provider, sent through the browser to smartsheet.com to prove the identity of the user the browser represented.

Those messages showed that the SSO was based on a ‘signed token’, and that the token itself listed which of its elements the signature covered. The team found that some elements smartsheet.com relied on could be left outside that list, so an adversary (an attacker controlling their own browser) could write those elements without invalidating the signature.

The team then built an exploit around the common practice of a website using an email address as the username. They removed ‘email’ from the list of elements that had to be signed, supplied a victim’s email address in the unsigned part of the message, and, because smartsheet.com treated the email address as the username without checking that it was under signature protection, were logged on as that user from their own browser.
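The following is an added illustration of the signed-token mechanism described under “How Do They Work?” and of the smartsheet.com flaw above. It is not the researchers’ code, and it does not reproduce Google’s real protocol: the identity provider, relying party, shared secret, field names and sample responses are all constructed for this example. The signature covers only the fields named in a `signed` list (the same idea as `openid.signed` in OpenID 2.0). The vulnerable relying party checks the signature and then trusts `email`; the hardened one additionally refuses any response where a field it relies on is missing from the signed list.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed example (not the paper's code or Google's real protocol): a shared
# secret the identity provider (IdP) and relying party (RP) agreed on in advance.
# OpenID 2.0 establishes such an "association" secret; this value is made up.
ASSOCIATION_SECRET = b"constructed-idp-rp-association-secret"

# Fields the RP relies on to identify the user. "email" is the one the
# vulnerable RP uses as the username.
IDENTITY_FIELDS = ("claimed_id", "email", "return_to", "response_nonce")


def _message(resp: Dict[str, str], signed_keys: List[str]) -> bytes:
    # Only the listed keys are covered by the signature, mirroring openid.signed.
    return "".join(f"{k}:{resp.get(k, '')}\n" for k in signed_keys).encode()


def idp_sign(fields: Dict[str, str], signed_keys: List[str]) -> Dict[str, str]:
    """IdP side: return a response whose signature covers only `signed_keys`."""
    resp = dict(fields)
    resp["signed"] = ",".join(signed_keys)
    resp["sig"] = hmac.new(ASSOCIATION_SECRET, _message(resp, signed_keys),
                           hashlib.sha256).hexdigest()
    return resp


def signature_ok(resp: Dict[str, str]) -> bool:
    """Recompute the HMAC over exactly the keys the response says are signed."""
    signed_keys = resp.get("signed", "").split(",")
    expected = hmac.new(ASSOCIATION_SECRET, _message(resp, signed_keys),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp.get("sig", ""))


def vulnerable_rp_login(resp: Dict[str, str]) -> Optional[str]:
    """Vulnerable RP: a valid signature is taken to vouch for every field, so
    'email' becomes the username without asking whether it was signed."""
    if not signature_ok(resp):
        return None
    return resp.get("email")


def hardened_rp_login(resp: Dict[str, str]) -> Optional[str]:
    """Hardened RP: a field is trusted only if the signature actually covers it."""
    if not signature_ok(resp):
        return None
    signed_keys = set(resp.get("signed", "").split(","))
    if not set(IDENTITY_FIELDS) <= signed_keys:
        return None  # an identity field was left outside the signature
    return resp["email"]


def honest_response() -> Dict[str, str]:
    """Constructed: what the IdP sends when Alice logs in normally."""
    fields = {
        "claimed_id": "https://idp.example/id/alice",
        "email": "alice@example.com",
        "return_to": "https://rp.example/sso/return",
        "response_nonce": "2012-03-01T10:00:00Zabc123",
    }
    return idp_sign(fields, list(IDENTITY_FIELDS))


def forged_response() -> Dict[str, str]:
    """Constructed attack: Mallory logs in as herself after altering the request
    so that 'email' is not among the fields the IdP signs, then writes the
    victim's address into the unsigned 'email' field on the way back."""
    fields = {
        "claimed_id": "https://idp.example/id/mallory",
        "return_to": "https://rp.example/sso/return",
        "response_nonce": "2012-03-01T10:05:00Zdef456",
    }
    resp = idp_sign(fields, ["claimed_id", "return_to", "response_nonce"])
    resp["email"] = "alice@example.com"  # not signed, so the HMAC still verifies
    return resp


if __name__ == "__main__":
    print("honest, vulnerable RP :", vulnerable_rp_login(honest_response()))
    print("honest, hardened RP   :", hardened_rp_login(honest_response()))
    print("forged, vulnerable RP :", vulnerable_rp_login(forged_response()))
    print("forged, hardened RP   :", hardened_rp_login(forged_response()))
```

The point to take from the example is that “the signature verifies” is not the same as “every field I am about to trust was signed”. The forged response passes the signature check on both relying parties; only the one that compares its required fields against the signed list rejects it. The OpenID 2.0 specification requires a relying party to make exactly that check for the fields it relies on, which is what the vulnerable site in the study omitted.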

Results and Outcome

Every flaw the research team identified allowed an adversary to sign in as the victim user. The team reported their findings to the affected companies and had their reports acknowledged. The companies involved fixed all the reported flaws.

However, the team commented that the ‘overall security quality of SSO deployment seems worrisome’. The study showed that security-critical logic flaws do exist in SSO systems, which can be discovered from browser-related messages and practically exploited by a party without access to source code or other insider knowledge of these systems.

Other Concerns

Often when you use SSOs, the third party website asks for access to your information. For example, if you use your Facebook details to login, the third party website might ask you for access to the information contained in the “About You” section (age, school, likes, movies, shows) or places you have tagged yourself or been tagged in.

When you use an SSO, you are giving away valuable information to third party websites. This information allows websites to build a profile and social graph to target you with personalised content. Are you comfortable with websites knowing more and more about you?

What Can You Do

If you are concerned about your privacy or the security issues involved with SSOs, the best strategy is not to use them. As an alternative, you can sign up and create an account with each website you use, so you remain in control of the information you provide. This only helps if each account has its own strong password (a password manager makes this practical); reusing one password across separate accounts recreates the single point of failure you were trying to avoid.

Key Takeaways

Social logins are increasingly used to create a better user experience for internet users and to allow websites to gather even more information about users on their platforms. Using one set of login details across many sites concentrates risk: anyone who compromises that account, or the way a site checks it, gets into every site that trusts it, and it is worrying that a dedicated research team found relatively simple logic flaws in commonly used SSOs. If the risks of using a single sign-on concern you, create a separate account with each site or social network so that you remain in better control of your personal information and login details. If you have any questions, get in touch with our IT lawyers on 1300 544 755.


Chloe Sevil