[WEB SECURITY] Social login / federated identity

Evan Larsen evan.larsen at gmail.com
Fri Feb 22 18:00:17 EST 2013


IMO this breach of their SSO is Facebook's implementation of OAuth.

SSO using WS-Federation is a true SSO solution for an enterprise.

I wouldn't expect a bank to use OAuth to secure their services but
WS-Federation definitely could.


On Fri, Feb 22, 2013 at 3:35 AM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
>
> "I told you so", just doesn't seem to do it justice...
>
> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
>
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> Behalf Of Martin O'Neal
> Sent: 16 October 2012 11:01
> To: Paul Johnston
> Cc: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] Social login / federated identity
>
>
>> I think this is a complete misunderstanding on your part
>
> No, but it is a complete assumption on your part. ;)
>
> SSO within a cluster of services, with a common owner, etc., makes perfect
> sense. Who wants to have multiple accounts across a number of products
> with a single vendor, for example? (you know who you are!)
>
> SSO across dissimilar platforms, different vendors, etc. simply trades
> convenience for your security and privacy.
>
> In a perfect world, your SSO provider would be entirely independent,
> host all their auth in a bullet-proof system, and for the price of a few
> API calls, life would be peachy. As it is though, it's not. Facebook for
> example have their own problems in keeping their auth data secure, so
> tying yourself into their systems adds a whole world of additional risk
> to your site. And in the event of it all going pear-shaped, there isn't
> a lot you can do to fix the situation, without exiting the SSO.
>
> Martin...
