Jason Polakis

The advent of Single Sign-On (SSO) has ushered in the era of a tightly interconnected Web. Users can now effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. With the proliferation of SSO, user accounts at identity providers have become keys to the kingdom and pose a massive security risk: if such an account is compromised, attackers can gain control of the user's accounts in numerous other web services. In this talk, I will present some of our research on SSO account hijacking. That work presented an empirical investigation of the different attacks that are facilitated (or enabled) by SSO, and highlighted the current lack of remediation mechanisms available in third parties that support SSO. I will also frame some of our findings within the seeming discrepancy between user expectations and understanding of SSO functionality, as expressed by users online after the major Facebook hack in 2018. Finally, I will discuss potential future directions and interesting questions that arise from this incident.
