O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web


Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis, University of Illinois at Chicago


Single Sign-On (SSO) allows users to effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. Due to its proliferation, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. In this paper we investigate the security implications of SSO and offer an in-depth analysis of account hijacking in the modern Web. Our experimental methodology explores multiple aspects of the attack workflow and reveals significant variance in how services deploy SSO. We first present a cookie hijacking attack for Facebook that results in complete account takeover, which in turn can be used to compromise accounts in services that support SSO. Next we introduce several novel attacks that leverage SSO for maintaining long-term control of user accounts. We empirically evaluate our attacks against 95 major web and mobile services and demonstrate their severity and stealthy nature. Next we explore what session and account management options are available to users after an account is compromised. Our findings highlight the inherent limitations of prevalent SSO schemes as most services lack the functionality that would allow users to remediate an account takeover. This is exacerbated by the scale of SSO coverage, rendering manual remediation attempts a futile endeavor. To remedy this we propose Single Sign-Off, an extension to OpenID Connect for universally revoking access to all the accounts associated with the hijacked identity provider account.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {217498,
author = {Mohammad Ghasemisharif and Amrutha Ramesh and Stephen Checkoway and Chris Kanich and Jason Polakis},
title = {O Single {Sign-Off}, Where Art Thou? An Empirical Analysis of Single {Sign-On} Account Hijacking and Session Management on the Web},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1475--1492},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/ghasemisharif},
publisher = {USENIX Association},
month = aug

Presentation Video 

Presentation Audio