The Twitter accounts of top celebrities were recently hacked. You could be the next victim, only to be locked out of your Twitter account. And social logins could be the reason. When consumers register for online services they are usually presented with options and can use their existing Facebook, Google, Microsoft, Apple, or Amazon IDs to login to that service. These are called social logins. Some services also offer options to use LinkedIn and Twitter accounts for login. And in others, you could use your mobile number. This concept is also known as single sign-on or SSO. But using social logins on third-party websites can result in credential or identity theft and hacked social media accounts. In fact, Digital Shadows found threat actors trading more than 15 billion usernames and passwords, including over 5 billion unique credentials on various hacking forums on the dark web. Many of those credentials include stolen social logins. Here’s how social logins get stolen and what you can do to prevent it.
By Brian Pereira, Principal Editor, CISO MAG
SSO was originally developed for IT administrators who found it cumbersome to remember IDs and passwords for hundreds of IT services, servers, and enterprise applications. SSO enables them to use a single password and user ID to use multiple services on the corporate network. Well, in recent years, SSO also came to the web for consumers. For instance, if you log into Gmail, you can open other Google services (in separate browser tabs) without logging in repeatedly. The same Gmail credentials can be used for Google Drive, Google Maps, Google Photos, etc. So, SSO systems are very practical and spare the end-user the need to remember multiple passwords.
Third-party web services take SSO a step further by connecting with social media sites through plug-ins, widgets, and APIs. SSO for consumer websites uses the OAuth industry standard for authorization. That enables consumers to sign into third-party websites/online services using their social media accounts. This is designed to simplify logins for end users as well as provide more reliable demographic information to web developers. Users struggle to remember multiple login IDs and passwords. So why not use something they already know? That sounds very convenient until one’s social media account gets hacked and taken over.
In 2018, the University of Illinois, Chicago, conducted a study on the top 1 million websites according to Alexa. The study found that 6.30% of websites support SSO. That was two years ago, and this number is much higher today. This highlights the scale of the threat, as attackers can gain access to a massive number of web services just by getting one’s social media credentials.
How Social Logins work
According to AuthO, Social Login is a simple process, with the following steps.
- The end-user visits the third-party website (relying party or RP) and selects the desired social network provider (Identity Provider) for login.
- A login request is sent to the concerned identity provider (IdP).
- Once the IdP confirms the user’s identity, it sends an access token or authorization code to the RP, allowing the end-user to login to the RP’s website or service.
- For the first login, a user will be registered as a new user and then logged into the application or service.
SSO tech is not perfect
SSO systems are far from perfect and have several potential problems. Wired Magazine UK quoted a research paper where five University of Illinois, Chicago, researchers said SSO tech can “pose a massive security risk”. The researchers created a proof-of-concept attack against Facebook, where they could completely take over an account. “Using a hijacked Facebook account an attacker could indirectly compromise an additional 226 [other services],” the researchers wrote. The research paper is titled: “O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web” and it was published in August 2018.
To quote from the research paper: “Due to the proliferation of SSO, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. If such an account is compromised, attackers can gain control of the user’s accounts in numerous other web services.”
Following the release of this paper, Facebook CEO Mark Zuckerberg revealed that hackers had compromised the social network and accessed around 50 million access tokens. The tokens are generated once a user logs into Facebook and avoid users having to re-login every time they return to the website. Facebook tokens are reusable on other websites like Tinder, Spotify, and Airbnb. These sites also share user data with Facebook, thereby breaching user privacy. And this happens without the user’s knowledge.
How access tokens get stolen
There are multiple attack vectors that bad attackers use to steal access tokens or authorization codes. The technical details of these attack methods are beyond the scope of this article but you can find all the details in the aforementioned research paper. Some of the methods quoted in the paper are:
- Cookie hijacking (Sniff Wifi)
How to secure your accounts
- Use two-factor authentication
- Use an authenticator app like Google Authenticator
- Do not re-use passwords across sites or services
- Use a sentence or a string of random words as a password
- Consider using a trusted password manager (like Norton Password Manager or LastPass) for all your accounts
- Change the default passwords on gadgets you own
- Change the passwords in your social media accounts every few months
- Use apps on your phone for the same email and social media accounts you access through a desktop browser
- Regularly check where account activity originates
- Go through the security settings in your Google account and “revoke” access to apps you no longer use
- Check the security settings in your social media accounts and review which third-party services have been linked to these accounts
- Set up email notifications for suspicious logins
- Link a few trusted devices to your Google account
In closing, we advise you to be very alert and aware while using social logins and SSO on websites. Check your account login activity regularly. Set up email notifications for suspicious logins. For instance, you can do this on accounts.google.com or in the security and privacy settings of your social media accounts. Check which third-party apps are linked to your Google, Facebook, and Twitter accounts and revoke access for apps or services you no longer use. If you set up alerts and notifications, the social media or email service will send you security alerts via email or SMS if it detects a suspicious login from a user in another country or from an unregistered device.