websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Social login / federated identity

Martin O'Neal
Fri, Feb 22, 2013 8:35 AM

"I told you so", just doesn't seem to do it justice...

http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
Behalf Of Martin O'Neal
Sent: 16 October 2012 11:01
To: Paul Johnston
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Social login / federated identity

> I think this is a complete misunderstanding on your part

No, but it is a complete assumption on your part. ;)

SSO within a cluster of services, with a common owner etc makes perfect
sense. Who wants to have multiple accounts across a number of products
with a single vendor for example? (you know who you are!)

SSO across dissimilar platforms, different vendors etc simply trades
convenience for your security and privacy.

In a perfect world, your SSO provider would be entirely independent,
host all their auth in a bullet-proof system, and for the price of a few
API calls, life would be peachy. As it is though, it's not. Facebook for
example have their own problems in keeping their auth data secure, so
tying yourself into their systems adds a whole world of additional risk
to your site. And in the event of it all going pear-shaped, there isn't
a lot you can do to fix the situation, without exiting the SSO.

Martin...

Evan Larsen
Fri, Feb 22, 2013 11:00 PM

IMO this breach of their SSO is Facebook's implementation of OAuth.

SSO using WS-Federation is a true SSO solution for an enterprise.

I wouldn't expect a bank to use OAuth to secure their services but
WS-Federation definitely could.

On Fri, Feb 22, 2013 at 3:35 AM, Martin O'Neal <martin.oneal@corsaire.com> wrote:

> "I told you so", just doesn't seem to do it justice...
>
> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
> Behalf Of Martin O'Neal
> Sent: 16 October 2012 11:01
> To: Paul Johnston
> Cc: websecurity@lists.webappsec.org
> Subject: Re: [WEB SECURITY] Social login / federated identity
>
>> I think this is a complete misunderstanding on your part
>
> No, but it is a complete assumption on your part. ;)
>
> SSO within a cluster of services, with a common owner etc makes perfect
> sense. Who wants to have multiple accounts across a number of products
> with a single vendor for example? (you know who you are!)
>
> SSO across dissimilar platforms, different vendors etc simply trades
> convenience for your security and privacy.
>
> In a perfect world, your SSO provider would be entirely independent,
> host all their auth in a bullet-proof system, and for the price of a few
> API calls, life would be peachy. As it is though, it's not. Facebook for
> example have their own problems in keeping their auth data secure, so
> tying yourself into their systems adds a whole world of additional risk
> to your site. And in the event of it all going pear-shaped, there isn't
> a lot you can do to fix the situation, without exiting the SSO.
>
> Martin...
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Paul Johnston
Sun, Feb 24, 2013 3:54 PM

Hi,

By the same argument, Firefox has had a security vulnerability, so
no-one should use Firefox. In fact, all mainstream browsers have had a
security vulnerability at some point, so we shouldn't use the web at all...?

Yes, you did "tell me so", but I don't much care for your negative
opinion. I think using social login is a prudent risk for most websites
- not online banking, sure, but most websites.

If you do use it, the Facebook vulnerability doesn't affect all the
users on your site - it only affects those who have explicitly chosen to
use Facebook as their identity provider. Although it's usually difficult
to palm off blame for security failures, I think this is one that people
will accept. "Your Facebook account was hacked and because you chose to
link your Facebook account to MyWebSite.com, the hackers were able to
access your MyWebSite account."

Paul

On 22/02/2013 08:35, Martin O'Neal wrote:

> "I told you so", just doesn't seem to do it justice...
>
> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
> Behalf Of Martin O'Neal
> Sent: 16 October 2012 11:01
> To: Paul Johnston
> Cc: websecurity@lists.webappsec.org
> Subject: Re: [WEB SECURITY] Social login / federated identity
>
>> I think this is a complete misunderstanding on your part
>
> No, but it is a complete assumption on your part. ;)
>
> SSO within a cluster of services, with a common owner etc makes perfect
> sense. Who wants to have multiple accounts across a number of products
> with a single vendor for example? (you know who you are!)
>
> SSO across dissimilar platforms, different vendors etc simply trades
> convenience for your security and privacy.
>
> In a perfect world, your SSO provider would be entirely independent,
> host all their auth in a bullet-proof system, and for the price of a few
> API calls, life would be peachy. As it is though, it's not. Facebook for
> example have their own problems in keeping their auth data secure, so
> tying yourself into their systems adds a whole world of additional risk
> to your site. And in the event of it all going pear-shaped, there isn't
> a lot you can do to fix the situation, without exiting the SSO.
>
> Martin...

--
Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
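A defender-side sketch of the point Paul makes in the message above (a compromise at one identity provider exposes only the accounts that linked that provider) and of Martin's worry from the quoted October message (once the provider goes pear-shaped there is little to do short of leaving the SSO). This is an added example, not code from the thread, from Facebook, or from any product named in it. It assumes a relying party that records which login methods each account has linked; the account names, the second external provider `OTHER_IDP` and the out-of-band re-verification step are constructed for illustration.

```python
"""Per-provider blast radius for a site that offers social login (constructed example).

Because every account records which identity providers are linked to it, the
site can measure exactly who is exposed when one provider is compromised and
contain that exposure per provider instead of abandoning federated login wholesale.
"""
from dataclasses import dataclass, field
from enum import Enum


class Provider(Enum):
    LOCAL = "local"        # site-managed password
    FACEBOOK = "facebook"  # external identity provider discussed in the thread
    OTHER_IDP = "other"    # hypothetical second external provider (constructed)


@dataclass
class Account:
    username: str
    providers: set                               # login methods linked to this account
    sessions: set = field(default_factory=set)   # active session ids
    must_reverify: bool = False                  # set after a linked provider is compromised


class RelyingParty:
    def __init__(self):
        self.accounts = {}
        self.disabled_providers = set()   # providers whose assertions are no longer trusted
        self._session_counter = 0

    def register(self, username, *providers):
        self.accounts[username] = Account(username, set(providers))

    def login(self, username, provider):
        """Return 'ok', 'reverify' or 'denied'. A disabled provider is never
        accepted, even for accounts that linked it, because its assertions may
        have been minted by an attacker rather than by the user."""
        acct = self.accounts.get(username)
        if acct is None or provider not in acct.providers:
            return "denied"
        if provider in self.disabled_providers:
            return "denied"
        if acct.must_reverify:
            # The account may already have been reached through the compromised
            # provider; require proof of control over another channel first.
            return "reverify"
        self._session_counter += 1
        acct.sessions.add(self._session_counter)
        return "ok"

    def reverified(self, username):
        """Called once the user has proven control through another channel (abstracted here)."""
        self.accounts[username].must_reverify = False

    def link_provider(self, username, provider):
        self.accounts[username].providers.add(provider)

    def unlink_provider(self, username, provider):
        """Per-account exit from the compromised SSO, leaving other users untouched."""
        self.accounts[username].providers.discard(provider)

    def affected_by(self, provider):
        return sorted(u for u, a in self.accounts.items() if provider in a.providers)

    def contain_provider_compromise(self, provider):
        """Kill switch for one provider: stop accepting its assertions, revoke the
        sessions of every account linked to it and force those accounts to re-verify.
        Accounts that never linked the provider are not affected at all."""
        self.disabled_providers.add(provider)
        affected = self.affected_by(provider)
        for u in affected:
            self.accounts[u].sessions.clear()
            self.accounts[u].must_reverify = True
        unaffected = sorted(set(self.accounts) - set(affected))
        return {"affected": affected, "unaffected": unaffected}


def demo():
    """Walk through a provider compromise; all accounts below are constructed."""
    rp = RelyingParty()
    rp.register("alice", Provider.FACEBOOK)                  # social login only
    rp.register("bob", Provider.LOCAL, Provider.FACEBOOK)    # password plus a social link
    rp.register("carol", Provider.LOCAL)                     # never linked any provider
    rp.register("dave", Provider.OTHER_IDP)                  # linked a different provider
    r = {"bob_fb_before": rp.login("bob", Provider.FACEBOOK)}
    r["bob_sessions_before"] = len(rp.accounts["bob"].sessions)
    r["report"] = rp.contain_provider_compromise(Provider.FACEBOOK)
    r["bob_sessions_after"] = len(rp.accounts["bob"].sessions)
    r["alice_fb"] = rp.login("alice", Provider.FACEBOOK)
    r["bob_fb"] = rp.login("bob", Provider.FACEBOOK)
    r["bob_local"] = rp.login("bob", Provider.LOCAL)
    r["carol_local"] = rp.login("carol", Provider.LOCAL)
    r["dave_other"] = rp.login("dave", Provider.OTHER_IDP)
    rp.reverified("bob")
    rp.unlink_provider("bob", Provider.FACEBOOK)
    r["bob_local_after"] = rp.login("bob", Provider.LOCAL)
    # A social-login-only account needs a recovery path: after re-verification
    # alice sets a site password; the compromised provider stays refused.
    rp.reverified("alice")
    rp.link_provider("alice", Provider.LOCAL)
    r["alice_local_after"] = rp.login("alice", Provider.LOCAL)
    r["alice_fb_after"] = rp.login("alice", Provider.FACEBOOK)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that linkage is recorded per account and per provider: that record is what lets the site say "only users who chose Facebook are exposed" with evidence rather than hope, and it is also what makes a provider-level kill switch possible without locking out users like `carol` and `dave`. Accounts that had no credential other than the compromised provider are the hard case, which is why the example gives them a re-verification and re-enrolment path rather than simply deleting the link.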
