[WEB SECURITY] Social login / federated identity

Paul Johnston paul.johnston at pentest.co.uk
Sun Feb 24 10:54:05 EST 2013


By the same argument, Firefox has had a security vulnerability, so
no-one should use Firefox. In fact, all mainstream browsers have had a
security vulnerability at some point, so we shouldn't use the web at all...?

Yes, you did "tell me so", but I don't much care for your negative
opinion. I think using social login is a prudent risk for most websites
- not online banking, sure, but most websites.

If you do use it, the Facebook vulnerability doesn't affect all the
users on your site - it only affects those who have explicitly chosen to
use Facebook as their identity provider. Although it's usually difficult
to palm off blame for security failures, I think this is one that people
will accept. "Your Facebook account was hacked and because you chose to
link your Facebook account to MyWebSite.com, the hackers were able to
access you MyWebSite account."


On 22/02/2013 08:35, Martin O'Neal wrote:
> "I told you so", just doesn't seem to do it justice...
> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get
> -full.html
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> Behalf Of Martin O'Neal
> Sent: 16 October 2012 11:01
> To: Paul Johnston
> Cc: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] Social login / federated identity
>> I think this is a complete misunderstanding on your part
> No, but it is a complete assumption on your part. ;)
> SSO within a cluster of services, with a common owner etc makes perfect
> sense. Who wants to have multiple accounts across a number of products
> with a single vendor for example? (you know who you are!)
> SSO across dissimilar platforms, different vendors etc simply trades
> convenience for your security and privacy. 
> In a perfect world, your SSO provider would be entirely independent,
> host all their auth in a bullet-proof system, and for the price of a few
> API calls, life would be peachy. As it is though, it's not. Facebook for
> example have their own problems in keeping their auth data secure, so
> tying yourself into their systems adds a whole world of additional risk
> to your site. And in the event of it all going pear-shaped, there isn't
> a lot you can do to fix the situation, without exiting the SSO.
> Martin...

Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

More information about the websecurity mailing list