If you’ve ever used an app on your phone or signed up for an account on a website, you are likely to have come across something known as a single sign-on (SSO) or “social login”. Social logins allow you to keep just one username and password to manage your whole ecosystem of websites and accounts, so you can better manage your online life and avoid annoying password resets. While social logins create efficiency and ease, using one ID and password may expose you to more risks online. In this article, we’ll explore what social logins are, how they work and the risks involved.
What is a Single Sign-On or Social Login?
Social logins create a single sign-on for users to use their existing login information from a social networking service such as Facebook or Twitter to sign into a third party website. Users no longer need to create multiple accounts with many combinations of usernames and passwords. Social logins are designed to simplify logins for users as well as to provide more reliable information to websites. Studies have also shown that the majority of web users surveyed (77%) preferred using an SSO.
How Do They Work?
Ever wondered how Angry Birds allows you to use your Facebook login details to log in to the Angry Birds App?
Let’s say a third-party site, Twitter for example, allows you to log in with your Facebook sign-in details. The social login or SSO links to Facebook by using either a plugin or a widget, allowing you to enter your Facebook credentials to access the third-party site. The third-party site does not collect your user details.
Are There Any Risks?
Using just one set of login details for all your applications and social networks can open you up to security risks online. A research team at Indiana University looked at the risks associated with SSOs or social logins.
Rui Wang, Shuo Chen and XiaoFeng Wang looked at the security flaws of social logins and released a paper on the topic in March 2012. The trio reported an extensive study of social login mechanisms, finding eight serious logic flaws in high-profile identity providers and the third-party websites that rely on them. The list included Facebook, Janrain, FarmVille, Sears.com, Freelancer and OpenID (including Google ID and PayPal Access).
Methodology of the Study
Chen and the two Wangs looked at Google and smartsheet.com in one of their examples.
The team obtained the information that Google, as the social login provider, needed to provide to smartsheet.com to prove the identity of the user the browser represented.
The information contained an element which indicated that the SSO was based on a ‘signed token’. The team found that some elements of the ‘signed token’ were writable by an adversary (a person who could hack into another’s account) because they were not under signature protection.
The team tested the system using a flaw-and-exploit methodology, taking advantage of the common practice of a website using an email address as the username. The team removed ‘email’ from the list of elements which needed to be provided to smartsheet.com and were able to log on as another user, using their own browser.
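To make the logic flaw concrete from the relying party’s side, here is an added example (constructed for this article, not code from the paper or from any of the sites named): a toy signed token where only the fields named in a ‘signed’ list are covered by the signature, with the unsafe check beside the corrected one. The HMAC shared secret, field names and email addresses are all assumptions standing in for the real protocol.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the provider/site association key (assumption).
SHARED_SECRET = b"constructed-demo-secret"


def _mac(assertion, signed):
    """HMAC over the fields named in the 'signed' list, in order."""
    msg = "\n".join(f"{k}:{assertion[k]}" for k in signed).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_assertion(fields, signed):
    """Identity provider: return the fields plus a signature covering only 'signed'."""
    assertion = dict(fields)
    assertion["signed"] = ",".join(signed)
    assertion["sig"] = _mac(assertion, signed)
    return assertion


def signature_valid(assertion):
    """Relying party: recompute the MAC over the fields the token says are signed."""
    signed = assertion["signed"].split(",")
    try:
        expected = _mac(assertion, signed)
    except KeyError:
        return False  # a listed field is missing, so the token is malformed
    return hmac.compare_digest(expected, assertion["sig"])


def vulnerable_lookup(assertion):
    """Keys the account on 'email' without checking that 'email' is under signature."""
    if not signature_valid(assertion):
        return None
    return assertion.get("email")


def hardened_lookup(assertion):
    """Accepts 'email' as the account key only when it is one of the signed fields."""
    if not signature_valid(assertion):
        return None
    if "email" not in assertion["signed"].split(","):
        return None
    return assertion["email"]


# Constructed scenario: the provider signed only claimed_id; an unsigned email field
# was then added to the token. The signature still verifies, because it never covered email.
SIGNED_WITHOUT_EMAIL = issue_assertion({"claimed_id": "https://idp.example/id/one"}, ["claimed_id"])
UNSIGNED_EMAIL = {**SIGNED_WITHOUT_EMAIL, "email": "victim@example.com"}
```

The point for a site operator is that a valid signature says nothing about fields outside the signed list; the account identifier must be checked against that list before it is trusted.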
Results and Outcome
Every flaw the research team identified allowed an adversary to sign in as the victim user. The team reported their findings to the affected companies and had their reports acknowledged. The companies involved fixed all the reported flaws.
However, the team commented that the ‘overall security quality of SSO deployment seems worrisome’. The study showed that security-critical logic flaws do exist in SSO systems, which can be discovered from browser-related messages and practically exploited by a party without access to source code or other insider knowledge of these systems.
Often when you use SSOs, the third-party website asks for access to your information. For example, if you use your Facebook details to log in, the third-party website might ask you for access to the information contained in the “About You” section (age, school, likes, movies, shows) or places you have tagged yourself or been tagged in.
When you use an SSO, you are giving away valuable information to third party websites. This information allows websites to build a profile and social graph to target you with personalised content. Are you comfortable with websites knowing more and more about you?
What Can You Do?
If you are concerned about your privacy or the security issues involved with SSOs, the best strategy is not to use them. As an alternative, you can sign up and create an account with each website you use, so you remain in control of the information you provide.
Social logins are increasingly used to create a better user experience for internet users and to allow websites to gather even more information about users on their platforms. It is obvious that using just one set of login details creates more risk and it is worrying that a dedicated research team found relatively obvious logic flaws in commonly used SSOs. If the risks of using a single sign-on concern you, choose to create a new account with each site or social network so that you remain in better control of your personal information and login details. If you have any questions, get in touch with our IT lawyers on 1300 544 755.