
Thursday, 29 March 2012

Serious vulnerabilities found in the OpenID and Facebook single sign-on systems



Hey Frenzz...
Single sign-on (SSO) systems, which allow, for example, a Google or Facebook account to be used to log in to other online services, have a vulnerability that lets fraudsters use other people's credentials, according to researchers from Indiana University Bloomington and Microsoft Research.
They found serious flaws in the OpenID and Facebook single sign-on systems.





When single sign-on is used, the site being visited asks the identity provider to confirm certain information about the account. It turned out that not all sites check that the confirmation returned by the OpenID provider actually covers all of the requested fields (such as name and email address). The researchers were able to remove one of the fields (the address) from the request before it was sent to the OpenID provider, and then paste that field into the already signed confirmation coming back from the provider. This would allow an attacker who does not know this address to log in under someone else's identity.
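As an added illustration (not code from the original post or from the researchers' paper), the following Python sketch models the relying-party check the study found missing: a provider that signs only the fields it was asked for, a relying party that verifies the signature but never looks at the signed-field list, and a hardened relying party that requires every field it acts on to appear in openid.signed. The association key, identifiers and email addresses are constructed values.

```python
import hashlib
import hmac

# Constructed association key shared by the OpenID provider and the relying party (RP).
ASSOC_KEY = b"constructed-shared-association-key"

def kv_form(params, signed_fields):
    # OpenID 2.0 signs the "key:value\n" form of the listed fields (names without "openid.").
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()

def provider_sign(params, signed_fields):
    # The provider signs only the fields it was asked for and lists them in openid.signed.
    resp = dict(params)
    resp["openid.signed"] = ",".join(signed_fields)
    resp["openid.sig"] = hmac.new(ASSOC_KEY, kv_form(resp, signed_fields), hashlib.sha256).hexdigest()
    return resp

def signature_valid(resp):
    signed_fields = resp["openid.signed"].split(",")
    expected = hmac.new(ASSOC_KEY, kv_form(resp, signed_fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["openid.sig"])

def vulnerable_rp_accepts(resp, required):
    # The flaw described in the study: the RP checks the signature and then trusts every
    # field present, never confirming that the fields it acts on were actually signed.
    return signature_valid(resp) and all("openid." + f in resp for f in required)

def hardened_rp_accepts(resp, required):
    # Fix: each field the RP relies on must be present AND listed in openid.signed.
    if not signature_valid(resp):
        return False
    signed_fields = set(resp["openid.signed"].split(","))
    return all(f in signed_fields and "openid." + f in resp for f in required)

REQUIRED = ["claimed_id", "sreg.email"]

def demo():
    # Honest flow: the provider signed both fields the RP requested.
    honest = provider_sign({"openid.claimed_id": "https://idp.example/alice",
                            "openid.sreg.email": "alice@example.com"}, REQUIRED)
    # Tampered flow: the email field was stripped from the request, so the provider signed
    # only claimed_id; an unsigned email value is then pasted into the signed response.
    tampered = provider_sign({"openid.claimed_id": "https://idp.example/mallory"}, ["claimed_id"])
    tampered["openid.sreg.email"] = "alice@example.com"
    return {"honest_vulnerable": vulnerable_rp_accepts(honest, REQUIRED),
            "honest_hardened": hardened_rp_accepts(honest, REQUIRED),
            "tampered_vulnerable": vulnerable_rp_accepts(tampered, REQUIRED),
            "tampered_hardened": hardened_rp_accepts(tampered, REQUIRED)}
```

The vulnerable relying party accepts the tampered response because the signature over the remaining fields is still valid; the hardened one rejects it because sreg.email is absent from openid.signed.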





The researchers were also able to log in to other sites using other people's Facebook usernames. All the flaws they found have since been fixed, the authors say, but in their view sites using single sign-on may still have "many similar problems."
The researchers' report can be viewed here:

https://research.microsoft.com/pubs/160659/websso-final.pdf
