SudoWeb: Minimizing Information Disclosure

(1)

SudoWeb: Minimizing Information Disclosure

to Third Parties in Single Sign-On Platforms

to Third Parties in Single Sign On Platforms

Georgios Kontaxis,

Columbia University, USA

Michalis Polychronakis

Columbia University USA

Michalis Polychronakis,

Columbia University, USA

Evangelos P. Markatos,

FORTH and University of Crete

Greece

(2)

The Problem



Single-sign on approaches in

(3)

Create yet

C eate yet

another

account

[email protected] – www.syssec-project.eu – Cambridge Systems Workshop, March 8, 2012 3

(4)

Sign in with

(5)

Social Login



Convenience – fewer passwords to

remember



Rich experience through social features



O tso rce ser registration and



Outsource user registration and

management



Same credentials for multiple sites



User tracking (future work)



User tracking (future work)



Access to user’s profile (this work)

(6)

Users Like Social Login

66% prefer it vs. 34% traditional login

Users Like Social Login

g

76% admit to having given incorrect registration

info

Social login

f

preferences

Q2, 2011

(7)

(8)

Take it or

leave it

(9)

Loss of anonymity

(10)

Access to private data

(11)

Access to other’s private data

Access to other s private data

(12)

Act in the place of user

(13)

Distribution of Requested Permissions

Random sample of 755 websites that have incorporated Facebook’s social login

platform

(14)

Threats

An untrustworthy (or compromised) site can…

S ll

i

t d t t thi d

ti

Threats

Sell private data to third parties

Post spam messages

Build behavioral profiles

Provide accidental access to third parties

[Symantec ’11]

…

Sites usually ask for much more permissions than

what actually needed…

[Felt ’08]

And have perpetual access to personal data,

including those added in the

future

(15)

SU(1)

( )

User

Commands

SU(1)

( )

NAME

su

‐

change

user

ID

or

become

superuser

su

change

user

ID

or

become

superuser

SYNOPSIS

[

ti

]

[

]

su [options]

[username]

DESCRIPTION

The

su command

is

used

to

become

another

user

during

a

login

session.

Invoked

without

a

username,

su defaults

to

becoming

g

the

superuser.

p

The

optional

p

argument

g

‐

may

y

be

used

to

provide

an

environment

similar

to

what

the

user

would

expect

had

the

user

logged

in

directly.

(16)

SudoWeb

Bring the least privilege paradigm

SudoWeb

g

p

g p

g

in social login platforms

Root account vs normal user account analogy

Root account vs. normal user account analogy

Primary profile == root account

Use carefully! Contains sensitive private information!

Should never be used as a default account

S

d

fil

l

t

Secondary profile == normal user account

(17)

Design and Implementation



Maintain multiple concurrent sessions

Design and Implementation



Use primary account for direct interaction with

the social network



Automatically

switch to the secondary account

for all interactions with third-party sites



Transparent operation



Implemented as an extension for Chrome



Current prototype supports Facebook

T k

d

t

f Ch

’ “i

it ”

d



Takes advantage of Chrome’s “incognito” mode

for maintaining concurrent sessions with different

sets of credentials

(18)

Workflow

4 Workflow

1

3

(19)

Initial

configuration

(20)

Configure

(21)

Primary identity set

(22)

Log in using

secondary

account

(23)

C

fi

d

Configure secondary

identity

(24)

(25)

Already logged in

using real identity

(26)

Still logged in

using real

identity

Optionally switch to

primary identity

S

d

p

y

Secondary

identity is used by

(27)

Summary

Social login platforms pose threats to user

Summary

g

p

privacy

SudoWeb: don’t surf as root!

SudoWeb: don t surf as root!

https://code.google.com/p/sudoweb/

(28)

https //code google com/p/s do eb/

https://code.google.com/p/sudoweb/

thank you!

y