What is web SSO?
Most likely you have been using SSO all along. Many websites, such as NYTimes.com, Sears.com and Renren.com, let you log in through Windows Live ID, Google ID, Facebook, Twitter, etc. In web SSO the website (the relying party) delegates authentication to such an identity provider and trusts the identity assertion the provider sends back. Here is a slightly longer description of SSO.
Why do we set up this web service?
We studied a wide range of SSO websites and found numerous logic bugs. Each bug allows us to get into other people's online accounts. We will present the study at the IEEE Symposium on Security and Privacy (the Oakland conference) in May 2012. Here is the paper. Because these bugs are in the websites' integrations of SSO APIs, as opposed to the APIs themselves, we believe that the scope of vulnerable websites is much bigger than what we have studied. We want the community to help expand the investigation effort.
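To make the distinction between an API bug and an integration bug concrete, here is an added example that is not part of this page or of the study. It models a web SSO login in a few dozen lines: a hypothetical identity provider (IdP) signs the claims it vouches for, and two versions of a relying party (RP) consume the response. The "loose" RP trusts a field the IdP never signed and skips the audience check; the "strict" RP verifies the signature, uses only signed claims, and insists the assertion was issued for its own site. The HMAC key, the field names and the two attacks (editing an unsigned attribute, and replaying an assertion obtained through a malicious site) are constructed for illustration; they are the general shape of an integration flaw, not specific cases from the paper.

```python
"""Constructed model of a web SSO login showing how a relying party's own
integration logic, not the identity provider's API, can hand out a victim's
account. Hypothetical names throughout; the shared HMAC key stands in for
the IdP's real signing mechanism."""
import base64
import hashlib
import hmac
import json

# Stand-in for the IdP's signing key (constructed). A real IdP keeps its
# signing key private; the attacker here never learns it.
IDP_KEY = b"constructed-idp-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()


def idp_issue(user_email: str, audience: str) -> dict:
    """IdP side: sign the user identity together with the site (audience)
    the assertion is meant for. The unsigned 'email' copy mirrors protocols
    that carry extra attributes outside the signed part of the response."""
    claims = {"sub": user_email, "aud": audience}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return {"payload": payload, "sig": _sign(payload), "email": user_email}


def rp_login_loose(response: dict, my_site: str) -> str:
    """Flawed RP integration: logs in whoever the unsigned field names and
    never asks which site the assertion was issued for."""
    return response["email"]


def rp_login_strict(response: dict, my_site: str) -> str:
    """Hardened RP integration: verify the signature first, use only signed
    claims, and accept only assertions issued for this site."""
    if not hmac.compare_digest(_sign(response["payload"]), response["sig"]):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(response["payload"]))
    if claims.get("aud") != my_site:
        raise ValueError("assertion issued for another site")
    return claims["sub"]


def forge_unsigned_email(response: dict, victim_email: str) -> dict:
    """Attacker: take an honest response for their own account and edit the
    part the IdP did not sign before handing it to the RP."""
    return {**response, "email": victim_email}


def forge_signed_claims(response: dict, victim_email: str, audience: str) -> dict:
    """Attacker: rewrite the signed claims but keep the old signature (the key
    is unknown). A correct verifier must reject this."""
    claims = {"sub": victim_email, "aud": audience}
    return {**response, "payload": _b64(json.dumps(claims, sort_keys=True).encode())}


def outcome(login, response: dict, my_site: str) -> str:
    """Run an RP login routine and report who got logged in, or why not."""
    try:
        return "login:" + login(response, my_site)
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    RP = "https://rp.example"
    honest = idp_issue("attacker@example.com", RP)
    forged = forge_unsigned_email(honest, "victim@example.com")
    print(outcome(rp_login_loose, forged, RP))   # login:victim@example.com
    print(outcome(rp_login_strict, forged, RP))  # login:attacker@example.com
    # Assertion the victim obtained when logging into the attacker's site,
    # replayed at the honest RP: only the audience check stops it.
    stolen = idp_issue("victim@example.com", "https://evil.example")
    print(outcome(rp_login_loose, stolen, RP))   # login:victim@example.com
    print(outcome(rp_login_strict, stolen, RP))  # rejected:assertion issued for another site
```

Both attacks succeed against the loose RP without touching the IdP at all, which is why the scope of such bugs is tied to the number of integrating websites rather than to the handful of identity providers.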
This web service consists of an online tool, which we used in our study, and a discussion forum to track investigation cases. More information is provided in the rest of this page.
You can certainly contribute, if ...
Here is how you contribute.
Here is an example. It is the integration of Google ID on smartsheet.com. Open the case page by clicking this link. The top section of the post contains four labeled traces: one for the benign scenario and three for adversarial scenarios. You can click any of the four links to see the corresponding trace. To understand the notation in the traces, please read Sections 2 and 3 of the paper mentioned above. Hovering over an element shows the propagation chain of that element. Clicking an element opens a dialog box for editing its attributes. Your job is to enhance the abstract traces and/or raise insightful questions about the security assumptions of the investigated website.
We are committed to maintaining this web service and to supporting your contributions and investigations. For any question, please feel free to email us: Rui Wang (ruiwanATmicrosoftDOTcom), Shuo Chen (shuochenATmicrosoftDOTcom) and XiaoFeng Wang (xw7ATindianaDOTedu), or write a comment on this post, or start a new discussion. We moderate the forum.