Researchers Find Flaws In Online Services

Research has shown that bugs have been found in many web-based services, with the potential to disrupt online activity such as hacking.

The discovery of authentication flaws within single sign-on services such as Facebook, Google, PayPal and Twitter could give hackers the necessary settings to hijack a user's account.

"These bugs allow an unauthorized party to log into legitimate users' accounts...thereby completely defeating their authentication protection," explained researcher with Microsoft Research, Rui Wang.

The 15-page report outlined Web single sign-on (SSO) as a service consisting of three aspects: a user with a browser, a service offering the user a profile, and a party reliant on the service to verify the identity and the user. The report also listed poor integration by site developers of the application programming interfaces (APIs) made available by the identity providers, as well as the absence of sufficient end-to-end security checks.

Researchers have stated that all the sites have recognised the vulnerabilities and have since been corrected, however they have emphasised the overall security of the SSO deployments as 'worrisome'.

Wang explained in an interview that the lack of end-to-end security checks is a serious matter.

"The main concern we have is not about the infrastructure, but about the programming practice of API integration," he confirmed. "The current practice is that ID-providers only provide APIs and corresponding specs, and it is website developers' responsibility to securely integrate these APIs to their systems. This practice can easily introduce misunderstanding between these parties, which can potentially be exploited by the attacker. We believe that it is important to do an end-to-end security analysis to see if a concrete integration is secure."

Source: ZDNet