DISTINCT: Identity theft using in-browser communications in dual-window single sign-on

Single Sign-On (SSO) protocols like OAuth 2.0 and OpenID Connect 1.0 are cornerstones of modern web security and have received much academic attention. Users sign in at a trusted Identity Provider (IdP) that subsequently allows many Service Providers (SPs) to verify the users' identities. Previous research concentrated on the standardized authentication flows (called textbook SSO in this paper), which rely on HTTP redirects to transfer identity tokens between the SP and the IdP. However, modern web applications like single page apps may not be able to execute the textbook flow because they lose their local state on HTTP redirects. Using novel browser technologies such as postMessage, developers designed and implemented SSO protocols that were neither documented nor analyzed thoroughly. We call them dual-window SSO flows. In this paper, we provide the first comprehensive evaluation of dual-window SSO flows. In particular, we focus on the In-Browser Communication (InBC) used to exchange authentication tokens between SPs and IdPs in iframes and popups. We automate our analysis by developing Distinct, a tool that dynamically analyzes the JavaScript code executing as part of the SSO flow. Distinct translates the flow into a sequence diagram depicting all communicating entities and their exchanged messages, highlights insecure communication channels, and quantifies novel threats in dual-window SSO flows. We found that 56% of the SPs in the Tranco top 1k list support dual-window SSO. Surprisingly, 28% of the SPs implemented dual-window SSO without using official SDKs, leading to identity theft and XSS in 31% of these self-implemented SPs.
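The abstract describes the token hand-off over postMessage between an IdP popup or iframe and the SP window, and the insecure channels that lead to identity theft. The following is an added illustration written for this page; it is not code from the paper or from the Distinct tool. It models the two classic defects of such a channel (a sender that uses `"*"` as `targetOrigin`, and a receiver that never checks `event.origin`) next to their pinned and checked counterparts. The origins, token values and the `postMessage` delivery stub are constructed so the example runs under Node without a browser; in a real page the sender would call `window.opener.postMessage(...)` / `window.parent.postMessage(...)` and the receiver would register with `window.addEventListener("message", ...)`.

```javascript
// Constructed origins for the illustration (hypothetical, not from the paper).
const SP_ORIGIN = "https://sp.example";
const IDP_ORIGIN = "https://idp.example";
const ATTACKER_ORIGIN = "https://attacker.example";

// A window is modelled as its origin plus the "message" handler it installed.
function makeWindow(origin, handler) {
  return { origin, handler };
}

// Stand-in for the browser's postMessage delivery rule: the message is dropped
// unless targetOrigin is "*" or exactly equals the receiving window's origin.
// The receiver sees the sender's real origin in event.origin; a page cannot
// forge that field, which is why checking it is sufficient on the SP side.
function postMessage(sender, receiver, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== receiver.origin) return "dropped";
  return receiver.handler({ origin: sender.origin, data, source: sender });
}

// ---- SP side: the "message" listener that receives the token ---------------

// Insecure receiver: takes a token from whatever window posts one. Any page that
// embeds the SP in an iframe or holds a reference to its window can inject a
// token of its choosing, i.e. log the victim into an attacker-controlled identity.
function makeInsecureReceiver() {
  return (event) =>
    event.data && event.data.type === "sso_token" ? event.data.token : null;
}

// Hardened receiver: accept only messages whose origin is the configured IdP,
// and validate the payload shape before handing the token to the application.
function makeReceiver(trustedIdpOrigin) {
  return (event) => {
    if (event.origin !== trustedIdpOrigin) return null;
    const d = event.data;
    if (!d || d.type !== "sso_token" || typeof d.token !== "string") return null;
    return d.token;
  };
}

// ---- IdP side: the popup/iframe that posts the token back -------------------

// Scenario 1: an honest IdP popup posts the victim's token to its opener. If the
// popup was opened by an attacker page instead of the SP, targetOrigin "*" hands
// the token to the attacker; pinning the SP origin makes the browser drop it.
function tokenLeaksToAttackerOpener(targetOrigin) {
  const attackerOpener = makeWindow(ATTACKER_ORIGIN, (e) => e.data.token); // records anything it receives
  const idpPopup = makeWindow(IDP_ORIGIN, null);
  return postMessage(idpPopup, attackerOpener, { type: "sso_token", token: "tok-victim" }, targetOrigin);
}

// Scenario 2: an attacker window posts a forged token into the SP's listener.
// Only the origin-checking receiver rejects it.
function forgedTokenAccepted(receiver) {
  const sp = makeWindow(SP_ORIGIN, receiver);
  const attacker = makeWindow(ATTACKER_ORIGIN, null);
  return postMessage(attacker, sp, { type: "sso_token", token: "tok-attacker" }, SP_ORIGIN);
}

// Scenario 3: the legitimate flow with both sides hardened still works.
function legitimateFlow() {
  const sp = makeWindow(SP_ORIGIN, makeReceiver(IDP_ORIGIN));
  const idp = makeWindow(IDP_ORIGIN, null);
  return postMessage(idp, sp, { type: "sso_token", token: "tok-victim" }, SP_ORIGIN);
}

console.log("leak with '*':        ", tokenLeaksToAttackerOpener("*"));        // tok-victim
console.log("leak with pinned SP:  ", tokenLeaksToAttackerOpener(SP_ORIGIN));  // dropped
console.log("forged, no check:     ", forgedTokenAccepted(makeInsecureReceiver())); // tok-attacker
console.log("forged, origin check: ", forgedTokenAccepted(makeReceiver(IDP_ORIGIN))); // null
console.log("legitimate:           ", legitimateFlow());                       // tok-victim
```

The two fixes are independent and both are needed: pinning `targetOrigin` on the IdP side protects the token in transit to the wrong opener, while the `event.origin` check on the SP side stops token injection from any other window. A receiver that instead compares `event.source` to the popup handle it opened is an acceptable alternative only if it also verifies the origin, since the handle says nothing about which document is currently loaded in that window.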

Author: Louis Jannett, Vladislav Mladenov, Christian Mainka, Jörg Schwenk
Parent Title (English): CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Place of publication: New York City, New York
Document Type: Article
Date of Publication (online): 2024/03/01
Date of first Publication: 2022/11/07
Publishing Institution: Ruhr-Universität Bochum, Universitätsbibliothek
Tag: Identity; OAuth; OpenID Connect; Single Sign-On; Web Security
First Page: 1553
Last Page: 1567
Institutes/Facilities: Lehrstuhl für Netz- und Datensicherheit
Dewey Decimal Classification: General, Computer Science, Information Science / Computer Science
open_access (DINI-Set): open_access
faculties: Fakultät für Informatik
Licence (English): Creative Commons - CC BY-NC-SA 4.0 - Attribution-NonCommercial-ShareAlike 4.0 International