In 2012 a third-party Twitter app was hacked but passwords were not taken.
SSO systems themselves aren't insecure and protect user passwords. "From the operational side, SSO authentication providers devote considerable resources to cybersecurity," says Lukasz Olejnik, an independent cybersecurity and privacy researcher. (Other standards, such as OpenID, exist to authenticate individuals). OAuth is essentially a system that provides authorisation to give functionality to other websites. The OAuth protocols, which are used by Amazon, Google, and Facebook, set-out ways for developers to use APIs without requiring them to provide their password to third-parties. There are standards that companies use when creating single sign-on systems. "The end user doesn't always have visibility of what information about them is being sent back and forth, which is generally bad for privacy, freedom and autonomy." "The site they're signing into can get a lot of their profile information from the social login provider," says Rowenna Fielding, a security specialist and senior data protection lead at Protecture
Another dating app, Hinge, also moved away from Facebook logins in June. In return, Facebook, gained information about the behaviour of Bumble users. By initially deciding to use Facebook's SSO, Bumble got access to friend lists, relationship statuses, locations and likes. In April, dating app Bumble moved away from Facebook's social login to stop data being shared with the social network. SSO has also created privacy concerns around the amount of data that is collected and given back to the provider of the login service. "We have shown that SSO as it is currently implemented exposes users to numerous dangerous and stealthy attacks, some of which extend to services not connected to the original provider," the paper concludes, adding there would be little that individual victims could do if their accounts and SSO systems were compromised by attackers. "Using a hijacked Facebook account an attacker could indirectly compromise an additional 226 ," the researchers wrote.
The researchers created a proof-of-concept attack against Facebook, where they could completely take over an account. In a research paper published is June, five University of Illinois at Chicago researchers said SSO tech can "pose a massive security risk".
But there are a number of potential problems with SSO systems.
0 kommentar(er)
