
At the 40th Annual Computer Security Applications Conference (ACSAC) 2024, held from December 9-13 in Honolulu, Hawaii, the paper “Single Sign-On Privacy: We Still Know What You Did Last Summer” by Maximilian Westers, Andreas Mayer, and Louis Jannett received the Distinguished Paper with Artifacts Award. The study documents privacy leaks in Single Sign-On (SSO) systems that millions of people use every day.
Understanding Single Sign-On (SSO)
SSO simplifies online authentication: a user logs in to many websites with a single account from a provider such as Google, Facebook, or Apple (the Identity Provider, or IdP). The website that accepts the login receives user data from the IdP, and the IdP in turn learns which websites the user logs in to. Convenient as this is, it lets the IdP track a user's activity across sites, and users must trust it to handle that data responsibly.
Exposing Privacy Leaks
The paper uncovers three new types of privacy leaks in SSO systems:
- Partial Leaks: The IdP learns that the user visited a website, even when the user never clicks a login button and is unaware of any contact with the IdP. This alone is enough for cross-site tracking.
- Full Leaks: A website retrieves the user’s identity from the IdP in the background and logs the user in automatically, without any interaction or awareness on the user’s part.
- Escalated Leaks: The user’s identity is passed on to third parties such as trackers or advertising networks, compounding the damage of the first two leaks.
A large-scale analysis found more than 10,000 websites affected by these leaks, exposing users’ personal data without their knowledge.
Towards a Privacy-Respecting Future
The paper also discusses mitigations, with emphasis on the Federated Credential Management (FedCM) API. This emerging browser API places the browser between the IdP and the website as a mediator: the IdP is not contacted on behalf of a website until the user has chosen an account, which is what closes the leaks described above and keeps identity data under the user’s control.
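To make the three leak classes and the FedCM mediation concrete, here is a toy model written for this page. It is not the paper’s code or measurement tooling, and the origins (`idp.example`, `rp.example`, `tracker.example`), the endpoint names and the flows are assumptions about how such leaks typically arise: the website (relying party, RP) embeds an IdP script that the browser loads with the IdP’s cross-site cookie and the RP’s origin attached (partial leak), then obtains an identity token without user interaction (full leak), then forwards the identity to a tracker (escalated leak). The FedCM half is simplified to two endpoints and assumes the IdP learns the RP only when the browser requests an identity assertion after the user has picked an account.

```javascript
// Toy model of the three SSO leak classes and of FedCM-style mediation.
// Constructed illustration for this article, NOT the paper's code; all
// origins, endpoint names and flows below are assumptions.

const RP = "https://rp.example";          // assumed relying-party origin
const TRACKER = "https://tracker.example"; // assumed third-party tracker

// Identity provider: holds login sessions and records what it learns.
function makeIdp() {
  const sessions = new Map(); // cookie value -> user id
  const learned = [];         // one { endpoint, rp, user } entry per request
  return {
    learned,
    login(user) { const c = "sess-" + user; sessions.set(c, user); return c; },
    // Any IdP resource the page itself loads (SDK script, widget iframe)
    // arrives with the IdP cookie and the RP origin (Referer): a bare visit
    // is enough for the IdP to record "user X was on RP Y".
    sdk(req) {
      learned.push({ endpoint: "sdk", rp: req.referer, user: sessions.get(req.cookie) ?? null });
    },
    // Silent authentication: hands out an identity token with no interaction.
    silentAuth(req) {
      const user = sessions.get(req.cookie) ?? null;
      learned.push({ endpoint: "silent-auth", rp: req.referer, user });
      return user ? { sub: user, aud: req.referer } : null;
    },
    // FedCM-style accounts endpoint: fetched by the browser with the cookie
    // but without the RP origin, so the IdP cannot tell where the user is.
    accounts(req) {
      const user = sessions.get(req.cookie) ?? null;
      learned.push({ endpoint: "accounts", rp: null, user });
      return user ? [user] : [];
    },
    // FedCM-style assertion endpoint: reached only after the user picked an
    // account in the browser dialog, so the IdP learns the RP with consent.
    assertion(req, rp) {
      const user = sessions.get(req.cookie) ?? null;
      learned.push({ endpoint: "assertion", rp, user });
      return user ? { sub: user, aud: rp } : null;
    },
  };
}

// A browser that carries a cross-site IdP cookie (the pre-condition for all
// three leaks); idpCookie is undefined when the user is logged out.
function makeBrowser(idpCookie) {
  return { idpCookie, trackerReceived: [] };
}

// Did the IdP see this user together with the RP origin?
function idpLearnedRp(idp) {
  return idp.learned.some(e => e.rp === RP && e.user !== null);
}

// Legacy flow: the RP page embeds the IdP script, silently logs the user in
// and forwards the identity to a tracker. Returns who learned what.
function legacyVisit(idp, browser) {
  const req = { cookie: browser.idpCookie, referer: RP };
  idp.sdk(req);                          // partial leak
  const token = idp.silentAuth(req);     // full leak
  const rpKnows = token ? token.sub : null;
  if (rpKnows) browser.trackerReceived.push({ to: TRACKER, user: rpKnows }); // escalated leak
  return { idpLearnedRp: idpLearnedRp(idp), rpKnows, trackerKnows: rpKnows };
}

// FedCM-style flow: the browser mediates. Without consent the RP gets
// nothing and the IdP never sees the RP origin; with consent the RP gets a
// token scoped to its origin. What the RP does afterwards is its own choice.
function fedcmVisit(idp, browser, userConsents) {
  const req = { cookie: browser.idpCookie };
  const accounts = idp.accounts(req);
  if (accounts.length === 0 || !userConsents) {
    return { idpLearnedRp: idpLearnedRp(idp), rpKnows: null };
  }
  const token = idp.assertion(req, RP);
  return { idpLearnedRp: idpLearnedRp(idp), rpKnows: token.sub };
}

// Stand-alone demonstration of the two flows for a logged-in user "alice".
function demo() {
  const idp = makeIdp();
  const browser = makeBrowser(idp.login("alice"));
  return { legacy: legacyVisit(idp, browser), fedcm: fedcmVisit(makeIdp(), browser, false) };
}
```

Note that the model treats the escalated leak as something the RP does once it holds an identity; browser mediation removes the silent acquisition step, so without consent there is nothing to forward, but it does not police what a website does with a login the user actually granted.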
The authors’ findings underline the urgency of improving SSO systems to safeguard user privacy while maintaining convenience, and set a benchmark for advancing secure and privacy-aware digital authentication.