This post is the second of three blog posts summarizing my (Louis Jannett) research on the design, security, and privacy of real-world Single Sign-On (SSO) implementations. It is based on my master's thesis, which I wrote between April and October 2020 at the Chair for Network and Data Security.
We structured this blog post series into three parts according to the research questions of my master's thesis: Single Sign-On Protocols in the Wild, PostMessage Security in Single Sign-On, and Privacy in Single Sign-On Protocols.
PostMessage Security in Single Sign-On
Comparison: response_mode=web_message vs. popup flow
Vuln. 1) DOM-based XSS on myaccount.nytimes.com
- 2020-08-27: Initial report sent to The New York Times via HackerOne Disclosure Assistance
- 2020-09-09: Acknowledged by HackerOne
- 2020-11: Fixed with a domain whitelist: `["nytimes.com", "captcha-delivery.com", "localhost"].includes(...)`
Vuln. 2) Account Takeover on cbsnews.com, cnet.com, and zdnet.com
The SSO flow on cnet.com involves a popup window and an iframe on the primary window. The iframe loads the easyXDM library, which is (insecurely) used as a proxy between the popup window and the primary window.
- 2020-08-09: Initial report sent to email@example.com
- 2020-08-11: Acknowledged by CNET Customer Support
- 2020-08-28: Fix provided with an access control list containing insecure regular expressions: `/^.*\.cnet\.com((\/.*)?)$/` also matches `xdm_e=https://attacker.com/.cnet.com`, because the leading `.*` accepts any prefix, so `.cnet.com` may appear in the path instead of the host
- 2020-08-28: Second report sent to firstname.lastname@example.org
- 2020-08-29: Acknowledged by CNET Customer Support
- 2020-09-04: Fix provided with secure regular expressions: `/^(https:\/\/)([a-zA-Z0-9\-]+\.)*cnet\.com((\/.*)?)$/`
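To make the difference between the two regular expressions concrete, here is an added example that is not code from the original post, from CNET, or from The New York Times. It runs the insecure and the secure pattern from the timeline above, plus an exact-match origin allowlist in the spirit of the domain whitelist from Vuln. 1 (the list of origins used here is hypothetical), over constructed test values, and shows a `postMessage` handler that ignores unlisted senders and replies with an explicit `targetOrigin`. Since `xdm_e` carries a full URL, the patterns are applied to URL strings; `event.origin` in a message handler is only `scheme://host[:port]`, which the allowlist compares exactly.

```javascript
// Added example, not code from the original post or from any site named in it.
// Compares the two regular expressions quoted in the CNET timeline with an
// exact-match origin allowlist, using constructed test values.

// First fix: `^.*` accepts any prefix, so ".cnet.com" may sit in the path.
const INSECURE_RE = /^.*\.cnet\.com((\/.*)?)$/;

// Second fix: https only, DNS-label characters only before ".cnet.com",
// and the host must end immediately after "cnet.com".
const SECURE_RE = /^(https:\/\/)([a-zA-Z0-9\-]+\.)*cnet\.com((\/.*)?)$/;

// Hypothetical allowlist of exact origins for this demo (not a real config).
const ALLOWED_ORIGINS = new Set(["https://www.cnet.com", "https://accounts.cnet.com"]);

// Evaluate one candidate value under all three checks.
function classify(value) {
  return {
    insecureRegex: INSECURE_RE.test(value),
    secureRegex: SECURE_RE.test(value),
    exactAllowlist: ALLOWED_ORIGINS.has(value),
  };
}

// Constructed candidates; `legitimate` is the verdict a correct check must give.
const CANDIDATES = [
  { value: "https://www.cnet.com", legitimate: true },
  { value: "https://accounts.cnet.com", legitimate: true },
  { value: "https://cnet.com", legitimate: true },                    // apex: insecure regex rejects it
  { value: "https://attacker.com/.cnet.com", legitimate: false },     // bypass from the report
  { value: "http://www.cnet.com", legitimate: false },                // plaintext scheme
  { value: "https://attacker.com#@www.cnet.com", legitimate: false }, // '#' and '@' are not label characters
  { value: "https://www.cnet.com.attacker.com", legitimate: false },  // suffix confusion
];

// Values that are not legitimate but pass the named check.
function findFalseAccepts(checkName) {
  return CANDIDATES
    .filter((c) => !c.legitimate && classify(c.value)[checkName])
    .map((c) => c.value);
}

// Legitimate values that the named check wrongly rejects.
function findFalseRejects(checkName) {
  return CANDIDATES
    .filter((c) => c.legitimate && !classify(c.value)[checkName])
    .map((c) => c.value);
}

// A message handler built around the exact allowlist. `event` is a plain object
// here so the function runs outside a browser; in a page it is the MessageEvent
// passed to window.addEventListener("message", handler).
function makeHandler(allowedOrigins, onMessage) {
  return function handle(event) {
    // Origin check first; nothing else happens for unknown senders.
    if (!allowedOrigins.has(event.origin)) return { accepted: false };
    const response = onMessage(event.data);
    // Reply only to the validated origin, never with "*".
    if (event.source && typeof event.source.postMessage === "function") {
      event.source.postMessage(response, event.origin);
    }
    return { accepted: true, response };
  };
}
```

Running `findFalseAccepts("insecureRegex")` lists the three constructed values the first fix lets through, while both the second regex and the exact allowlist accept none of them; `findFalseRejects("insecureRegex")` also shows that the first pattern rejects the legitimate apex origin, since it demands a literal dot before `cnet.com`.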
Vuln. 3) Account Takeover in SAP Customer Data Cloud (GIGYA)
- 2020-08-05: Initial report sent to Secure@sap.com
- 2020-08-18: Acknowledged by SAP
- 2020-09-17: Fixed validation on backend server