Researchers at Microsoft and Indiana University have uncovered serious security flaws in Web-based single sign-on (SSO) services that could allow attackers to gain access to users' accounts. The report attributes the problem mainly to poor integration by website developers: the relying party websites lack end-to-end security checks on the SSO exchange.
"In this study, we discovered eight serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways," the researchers wrote in their report. Although the flaws have since been fixed by the affected companies, "this study shows that the overall security quality of SSO deployments seems worrisome," they noted.