Jason Polakis

The advent of Single Sign-On (SSO) has ushered in the era of a tightly interconnected Web. Users can now effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. Due to the proliferation of SSO, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. If such an account is compromised, attackers can gain control of the user’s accounts in numerous other web services. In this talk, I will present some of our research on SSO account hijacking. In this work we presented an empirical investigation of the different attacks that are facilitated (or enabled) by SSO, and highlighted the current lack of remediation mechanisms available in third parties that support SSO. I will also frame some of our findings within the seeming discrepancy between user expectations and understanding of SSO functionality, as expressed by users online after the major Facebook hack in 2018. Finally, I will discuss potential future directions and interesting questions that arise from this incident.

View More Papers

Work-in-Progress: Manifest V3 Unveiled: Navigating the New Era of...

Nikolaos Pantelaios and Alexandros Kapravelos (North Carolina State University)

Read More

Why do Internet Devices Remain Vulnerable? A Survey with...

Tamara Bondar, Hala Assal, AbdelRahman Abdou (Carleton University)

Read More

[WITHDRAWN] First, Do No Harm: Studying the manipulation of...

Shubham Agarwal (Saarland University), Ben Stock (CISPA Helmholtz Center for Information Security)

Read More

CROW: Code Diversification for WebAssembly

Javier Cabrera Arteaga, Orestis Floros, Benoit Baudry, Martin Monperrus (KTH Royal Institute of Technology), Oscar Vera Perez (Univ Rennes, Inria, CNRS, IRISA)

Read More