508 23rd USENIX Security Symposium USENIX Association
a form on their website or through email. The responses
were very disappointing, especially compared with our
previous experiences reporting SDK-level vulnerabilities
to identity providers who tend to respond quickly and ef-
fectively to vulnerability reports [27]. The vulnerabili-
ties found by SSOScan, on the other hand, are primar-
ily in consumer-oriented sites without dedicated security
teams or clear ways to effectively report security issues.
Of the 20 notifications, we only received eight re-
sponses, most of which appear to be automated. After the
initial response, three websites sent us follow-up status
updates.
ESPN.com thanked us and told us the message
has been passed onto appropriate personnel, but no fol-
low up actions ensued. One of
answers.com’s engineers
asked us for more details, but failed to respond again af-
ter we replied with proposed fix. As of July 2014, both
sites are still vulnerable. Four months after getting the
automated reply from
ehow.com, we received a response
stating that they have removed Facebook SSO from their
website due to “content deemed inappropriate”, and we
have confirmed that the Facebook SSO button has in-
deed been removed. Sadly, we think their staff likely
did not (bother to) understand our explanation for the fix
and simply removed the feature.
The other instance where a reported vulnerability was
fixed was for
hipmunk.com. Hipmunk was found to be
vulnerable to both the access
token and signed request
replacement attacks. We did not get any response from
Hipmunk when the vulnerability was reported through
the normal channels, but through a personal connection
we were able to contact them directly. This led to a quick
response and series of emails with one of Hipmunk’s en-
gineers. We explained how to check the signature of
a signed
request, which should fix both vulnerabilities.
However, when they got back to us believing that the fix
was complete, we re-ran SSOScan and found that Hip-
munk was still vulnerable to the access
token replace-
ment attack. This meant Hipmunk checked the signa-
ture of signed
request after the fix, but never decoded the
signed message body and compared its Facebook ID with
the one returned by exchanging access
token. This sur-
prised us, as we implicitly assumed the developers will
consume the signed message body after verifying its sig-
nature, and thus only included ‘verifying signature’ in
the proposed fix. After further explanation, the site was
fixed and now passes all our tests.
Retesting vulnerable sites. We retested all 345 vulnera-
ble sites in May 2014, nine months after our initial exper-
iment, including the 20 websites we had notified directly.
SSOScan found that 48 of the sites had eliminated the
vulnerabilities (including one out of the 20 sites we con-
tacted,
mapquest.com). Of the 48 fixed sites, 22 had pre-
viously been diagnosed as credential leaking sites, and
27 were misusing credentials (one site,
trove.com, fixed
both problems). We further examined these sites man-
ually to investigate the possible reasons and measures
to fix the problems. As for sites that fixed credential
misuses, we found that many had abandoned the token
or signed
request flow in favor of the more secure code
flow, which automatically protects them from credential
reuse attacks. For credential leakages, we found that
a number of sites redesigned their SSO process to fea-
ture a smoother user experience, e.g., replaced traditional
redirection flows with AJAX operations, which naturally
eliminated credential leakage via referer header.
Communication with Facebook. Due to the ineffec-
tiveness of our direct communication with site owners,
we contacted Facebook’s platform integrity team in May
2014. Facebook’s engineers indicated that they are par-
ticularly worried about access
token leakage through ref-
erer headers (because a malicious party in possess of the
token may perform privileged Facebook actions on be-
half of the user, which potentially directly harms Face-
book), but are also concerned with the credential misuse
scenario. Facebook asked for a list of the vulnerable ap-
plications and contacted all the sites with access
token
leakage and credential misuse vulnerabilities (a total of
95 sites that we were able to re-confirm at the time of re-
port), and informed us that they would “take enforcement
action as necessary” upon the ten sites that are leaking
access
tokens in the referer headers. Facebook’s engi-
neers could not provide us with more information about
what this entails or any direct responses they received,
but an SSOScan re-run one month later (early July 2014)
revealed that only four out of the 95 sites had fixed their
problems (of the ten sites leaking access
tokens, only
two had been fixed). Even for Facebook, it appears to be
difficult to convince consumer-focused websites to take
security vulnerabilities seriously.
6.3 Deployment
Our experiences reporting vulnerabilities found by SSO-
Scan suggest that notifying vendors individually will
have little impact, which is consistent with experiences
reported by Wang et al. with on-line stores [26]. Hence,
we consider two alternate ways of deploying SSOScan
to improve the security of integrated applications.
App center integration. We believe SSOScan would
be most effective when used by an application distribu-
tion center (e.g. Apple store, Google Play) or identity
provider (e.g., Facebook) as part of the application vali-
dation process. The identity provider has a strong moti-
vation to protect users who use its service for SSO, and
could use SSOScan to identify sites that can compro-
mise those users. It could then deliver warning messages