With Facebook’s recent breach, single sign-on is back in the spotlight as it highlights just how much damage attackers can do with a single account and how little control remains in user hands.
When Facebook discovered the breach that impacted at least 50 million user accounts, it acknowledged that attackers had stolen access tokens for those accounts. Those tokens let users stay signed in to Facebook, and also let users access other sites using their Facebook credentials. While there was a lot of concern about the kind of information attackers could have stolen from user profiles, there was also the possibility that the attackers could have used those tokens to gain access to other third-party sites.
Just to clarify, these access tokens aren’t Facebook passwords, and single sign-on isn’t the same as reusing passwords across multiple sites. With single sign-on, a service or app doesn’t require the user to pick a username and password when creating an account. Instead, the service asks another site, such as Facebook, to handle the authentication. If the user successfully authenticates to Facebook, the social network generates an access token and sends it to the original service. So long as the token is valid, the user can access the site. The Facebook password never goes to the site. Single sign-on makes authentication much more user-friendly and makes the web tightly interconnected.
For most online services and apps, account compromise is the biggest problem, but session cookie hijacking, where the attacker steals these tokens, is a close second. The attackers are able to use the tokens to gain access to user accounts on other services even if they never have the original password. Of the Alexa top 1 million websites, 6.3 percent support single sign-on, according to a paper from a team of researchers at the University of Illinois at Chicago, presented at the USENIX Security Symposium back in August.
That is a lot of websites attackers can potentially take over just by stealing the tokens, whether in a mass compromise like what happened with Facebook, or individually by using methods such as WiFi sniffing.
“User accounts in identity providers are now keys to the kingdom and pose a massive security risk,” researchers Mohammad Ghasemisharif, Amruta Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis wrote in the O Single Sign-Off, Where Art Thou? paper. “If such an account is compromised attackers can gain control of the user’s accounts in numerous other web services.”
The researchers found that someone with stolen Facebook cookies could impersonate victims on 93 other sites. The user doesn’t need to have already created an account on the site, either. A stolen access token means the attacker can access any of those sites while impersonating the user. The number of sites supporting SSO “highlights the scale of the threat, as attackers can gain access to a massive number of web services.”
Sessions can also be chained, so a user could log in to one site using an account on the identity provider, and then use the second site as an identity provider for a third one. If the attacker has the session cookie from the first identity provider, the attacker will be able to follow the whole chain to get to the third site. The researchers said it would be possible for someone with a Facebook cookie to get to a user’s Bitbucket account, and then to GitLab, for example.
“Even an ephemeral IdP [identity provider] account compromise can have significant, lasting ramifications as adversaries are able to gain and retain access to the victim’s accounts on other services that support that IdP,” the researchers wrote.
Can’t Stop Signing In
Facebook revoked the tokens after detecting the breach, which means the attackers won’t be able to use the tokens to get access to any of the services that rely on single sign-on. However, if this had been an individual case, where a user’s access token was stolen through some other means (session hijacking), it would have been really difficult for the user to revoke that token. The researchers found that most services don’t have a mechanism to let users revoke the token themselves.
“The user does not have any course of action to revoke attacker access to the accounts,” the researchers wrote.
The researchers found that 89.5 percent of sites they looked at did not offer any options to users to invalidate active sessions. For 74.7 percent of sites, users had no way to recover from a session cookie hijacking attack, the researchers said.
“Out of the 95 RPs we evaluated, only 10 (six web, four iOS) offer some form of session management,” the University of Illinois at Chicago researchers said. Those 10 services let users lock the attacker out by changing the password of the account with the identity provider and invalidating all active sessions.
Some sites exhibited uneven behavior. Goodreads allowed users to revoke access and log out all active sessions, but the app session remained open. In the case of travel booking site Kayak, “the attacker retains partial read access to the account no matter what actions are taken,” the researchers found.
For all the other services, once that session is stolen, it remains stolen. The user logging out doesn’t help. The user has to wait for the session cookie to expire, but most of them have long expiration dates, or are set to never expire.
“Without a process for universally revoking permission across all RPs [relying parties] and simultaneously invalidating all existing sessions in every RP account associated with the compromised IdP [identity provider] account, SSO facilitates attackers in maintaining persistent and pervasive control over victims’ accounts,” the researchers wrote.
Single sign-on made it possible for users to seamlessly access an ecosystem of apps and services. However, it is clear that users don’t always have a way to turn it off. To address this gap, the researchers proposed an extension to OpenID Connect that would allow “for universally revoking access to all the accounts associated with the hijacked identity provider account.” Dubbed single sign-off, the mechanism would let users kick off a “chain reaction” that propagates across all associated accounts.
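The following toy model, added here as an illustration and not code from the researchers or from any identity provider, ties together the token flow described earlier (the IdP mints an access token, the relying party redeems it for its own session cookie, and no password ever crosses), session chaining (one relying party acting as the identity provider for a third site), and the three responses discussed above: the user logging out, the identity provider revoking tokens on its own (what Facebook did), and a universal sign-off that pushes revocation down the chain. The `Service` class, the service names and the propagation mechanism are assumptions made for the model; the paper's actual OpenID Connect extension is not reproduced here.

```python
import secrets


class Service:
    """One web service in an SSO graph (constructed toy model, not the paper's protocol).

    A Service with no upstream is a root identity provider (IdP). A Service with an
    upstream is a relying party (RP) of that upstream and may itself act as the IdP
    for services further down the chain (the Facebook -> Bitbucket -> GitLab pattern).
    """

    def __init__(self, name, upstream=None):
        self.name = name
        self.upstream = upstream      # IdP this service trusts; None for a root IdP
        self.downstream = []          # RPs that trust this service as their IdP
        self.tokens = {}              # access tokens issued here: token -> user
        self.sessions = {}            # session cookies issued here: cookie -> user
        if upstream is not None:
            upstream.downstream.append(self)

    def _new_session(self, user):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def local_login(self, user):
        """Root IdP login; the password check itself is elided in this model."""
        return self._new_session(user)

    def issue_access_token(self, cookie):
        """IdP side: an authenticated session mints a token an RP can redeem."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def sso_login(self, access_token):
        """RP side: redeem an upstream token for a local session. No password crosses."""
        user = self.upstream.tokens.get(access_token) if self.upstream else None
        if user is None:
            return None
        return self._new_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def revoke_tokens(self, user):
        """IdP-side revocation only: stops new redemptions, leaves RP sessions alone."""
        for t in [t for t, u in self.tokens.items() if u == user]:
            del self.tokens[t]

    def single_sign_off(self, user):
        """Hypothetical propagation modelled on the paper's proposal: revoke tokens,
        kill local sessions, then push the same revocation to every downstream RP."""
        self.revoke_tokens(user)
        for c in [c for c, u in self.sessions.items() if u == user]:
            del self.sessions[c]
        for rp in self.downstream:
            rp.single_sign_off(user)


def demo():
    """Constructed hijack scenario; returns whether the hijacked sessions still work
    after each of the three responses."""
    idp = Service("idp")
    rp1 = Service("rp1", upstream=idp)
    rp2 = Service("rp2", upstream=rp1)          # chained: rp1 is rp2's IdP

    # Victim signs in to the IdP and uses it to reach rp1.
    victim_idp_cookie = idp.local_login("alice")
    token = idp.issue_access_token(victim_idp_cookie)
    victim_rp1_cookie = rp1.sso_login(token)

    # The access token has leaked (how is out of scope); the holder redeems it
    # for a separate rp1 session and follows the chain on to rp2.
    hijacked_rp1_cookie = rp1.sso_login(token)
    hijacked_rp2_cookie = rp2.sso_login(rp1.issue_access_token(hijacked_rp1_cookie))

    out = {}
    rp1.logout(victim_rp1_cookie)                 # 1) victim logs out of rp1
    out["after_logout"] = (rp1.whoami(hijacked_rp1_cookie) == "alice",
                           rp2.whoami(hijacked_rp2_cookie) == "alice")

    idp.revoke_tokens("alice")                    # 2) IdP revokes tokens, RPs untouched
    out["after_idp_revoke"] = (rp1.sso_login(token) is None,
                               rp1.whoami(hijacked_rp1_cookie) == "alice",
                               rp2.whoami(hijacked_rp2_cookie) == "alice")

    idp.single_sign_off("alice")                  # 3) universal sign-off down the chain
    out["after_sign_off"] = (rp1.whoami(hijacked_rp1_cookie) is None,
                             rp2.whoami(hijacked_rp2_cookie) is None)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Running it shows the gap the paper describes: after the victim logs out, and even after the identity provider revokes its tokens, the sessions created from the leaked token on rp1 and rp2 keep working; only the propagated sign-off clears them.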
If users could revoke the tokens themselves, they could minimize the damage that follows a session cookie compromise. They could also take steps to block unauthorized access to their accounts. Just because they connected the accounts using single sign-on doesn’t mean they have to stay linked forever.