
Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites

Multimedia Tools and Applications

Abstract

This paper studies the privacy risks for the users of two popular single sign-on platforms for web-based content access: OpenID and Facebook Connect. In particular, we describe in detail a privacy vulnerability of the OpenID Authentication Protocol that leads to the exposure of the OpenID user identifier to third parties. We illustrate how OpenID agents leak the (potentially unique) OpenID identifiers of their users to third parties, such as advertisement and traffic analysis corporations. This vulnerability is a real and widespread privacy risk for OpenID users. This paper also analyzes the privacy of Facebook Connect, the proprietary single sign-on platform that has recently been gaining a lot of popularity, and we conclude that it is not affected by the same vulnerability, but other important privacy issues remain. Finally, this paper studies the solution space of these problems and defines a number of possible countermeasures. In the case of the OpenID vulnerability, we propose three solutions to this problem: one for the long term to avoid the root cause of the vulnerability, and another two short-term mitigations.


Notes

  1. Instead of URLs, OpenID users can employ an XRI URL pointing to an XML document as an alternative to identify themselves. For simplicity, in this paper we will only consider plain OpenID URL identifiers. Nevertheless, all the results of this work are still valid, irrespective of which kind of OpenID identifier is employed.

  2. OpenID Authentication parameters must be percent-encoded before being added as URL parameters. This encoding has been ignored in all the examples of the paper to make them easier for the reader to understand.

  3. The Google Connect service includes a privacy enhancement that replaces the User’s OpenID identifier with a random-looking identifier that is fixed for a given RP but different among RPs. However, all the tested Google Connect RPs also request the user’s e-mail address and/or full name, which is then included in the return URL. Thus, in practical terms, the user’s data also appears in the return URL of the Google Connect service.

  4. This field is misspelled in English. It should be spelled “Referrer” but as it appears as Referer in the HTTP specification, implementations use it as it is.

  5. Disclaimer: All user names, DNS domains and URLs that appear in this paper are fictitious, and they do not belong to any of the RPs and OPs studied by this work.

  6. This HTTP POST mechanism has already been defined in version 2.0 [8] of the OpenID Authentication Protocol, but none of the analysed RPs or OPs employ it. This is probably because, in order to send an HTML form automatically, the User Agent must support and enable JavaScript.

  7. http://www.facebook.com/press/info.php?statistics

References

  1. Escola R. Diffie-Hellman Key Agreement Method. IETF RFC 2631. June 1999.

  2. Facebook Connect. http://developers.facebook.com/docs/authentication. Accessed 28 November 2011.

  3. Felt A, Evans D. Privacy protection for social networking platforms. In proceedings of the Workshop on Web 2.0 Security and Privacy. 2008.

  4. Fielding R, Gettys J, Mogul J, Frystyk H, Masinter L, Leach P, Berners-Lee T. Hypertext Transfer Protocol – HTTP/1.1. June 1999.

  5. Hammer-Lahav E, Recordon D, Hardt D. The OAuth 2.0 Authorization Protocol <draft-ietf-oauth-v2-22>. Internet-Draft, September 2011.

  6. Miculan M, Urban C. Formal analysis of Facebook Connect single sign-on authentication protocol. 37th Conference on Current Trends in Theory and Practice of Computer Science, Slovakia, January 22-28, 2011.

  7. OpenID Foundation website. http://openid.net. Accessed 28 November 2011.

  8. OpenID Foundation. OpenID Authentication 2.0 - Final. December 2007.

  9. Recordon D, Fitzpatrick B. OpenID Authentication 1.1. May 2006.

  10. Sovis P, Kohlar F, Schwenk J. Security Analysis of OpenID. In proceedings of the Information Security Solutions Europe (ISSE’10) Conference. 2010.


Acknowledgements

The work presented in this paper has been funded by the INDECT project (Ref 218086) of the 7th EU Framework Programme.


Corresponding author

Correspondence to Manuel Urueña.


Cite this article

Urueña, M., Muñoz, A. & Larrabeiti, D. Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimed Tools Appl 68, 159–176 (2014). https://doi.org/10.1007/s11042-012-1155-4
