Jason Polakis

The advent of Single Sign-On (SSO) has ushered in the era of a tightly interconnected Web. Users can now effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. Due to the proliferation of SSO, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. If such an account is compromised, attackers can gain control of the user’s accounts in numerous other web services. In this talk, I will present some of our research on SSO account hijacking. In this work we presented an empirical investigation of the different attacks that are facilitated (or enabled) by SSO, and highlighted the current lack of remediation mechanisms available in third parties that support SSO. I will also frame some of our findings within the seeming discrepancy between user expectations and understanding of SSO functionality, as expressed by users online after the major Facebook hack in 2018. Finally, I will discuss potential future directions and interesting questions that arise from this incident.

View More Papers

Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

C. Kelton, A. Balasubramanian, R. Raghavendra, M. Srivatsa

Read More

HTTPS-Only: Upgrading all connections to https: in Web Browsers

Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein (Mozilla Corporation), Thyla van der Merwey (ETH Zurich)

Read More

K-resolver: Towards Decentralizing Encrypted DNS Resolution

N.P. Hoang, I. Lin, S. Ghavamnia, M. Polychronakis

Read More