An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web

Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis
University of Illinois at Chicago


Overview

The usability of Single Sign-On (SSO) has made it a popular authentication scheme for users and websites. In this project, we conducted a large-scale study on the prevalence of SSO, investigated the security implications of SSO and offered an in-depth empirical analysis of account hijacking on the modern Web.

Research Paper

Details of our research can be found in the following paper:

O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web [PDF][BibTeX]
Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis
in Proceedings of the 27th USENIX Security Symposium, August 2018


FAQ

Is data available to the public?
Yes! Due to the increasing popularity of SSO, we have made our dataset public so as to facilitate more research on the deployment of SSO. Details below.

How did you collect the data?
We built a tool that crawls the Alexa top 1 million websites and identifies identity providers together with their relying parties. The tool uses a heuristic approach: it searches each webpage for terms and links commonly associated with identity providers. More details can be found in our research paper.
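As an added illustration of the kind of heuristic the FAQ describes (this is example code written for this page, not the authors' crawler), the following Python scans a single HTML page for two kinds of evidence: links or form actions pointing at a well-known provider authorization endpoint, and button text such as "Sign in with Google". The provider hostnames, path hints and phrase patterns are assumptions chosen for the example, and the sample page is constructed. A site operator can run the same check against their own login page to inventory which identity providers it actually exposes.

```python
"""Heuristic detection of SSO identity providers (IdPs) on one HTML page.

Example code for this page, not the authors' tool. Provider endpoint
hostnames, path hints and button phrases below are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: authorization-endpoint hosts per provider.
IDP_HOSTS = {
    "google": {"accounts.google.com"},
    "facebook": {"www.facebook.com", "facebook.com"},
    "twitter": {"api.twitter.com"},
    "github": {"github.com"},
}
# Assumed: path fragments that mark an authorization request rather than
# an ordinary link to the provider's site (e.g. a social profile link).
IDP_PATH_HINTS = {
    "google": ("/o/oauth2",),
    "facebook": ("/dialog/oauth",),
    "twitter": ("/oauth",),
    "github": ("/login/oauth",),
}
# Assumed: button/link phrasing commonly used for SSO entry points.
PHRASE_RE = re.compile(
    r"\b(?:sign|log)\s*in\s+with\s+(google|facebook|twitter|github)\b", re.I
)


class _Collector(HTMLParser):
    """Collects candidate URLs (href/action/src) and visible text."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)


def idp_from_url(url):
    """Return the IdP name if `url` looks like an authorization request, else None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    for idp, hosts in IDP_HOSTS.items():
        if host in hosts and any(h in parsed.path for h in IDP_PATH_HINTS[idp]):
            return idp
    return None


def detect_idps(html):
    """Map each detected IdP to the evidence (URLs or phrases) that triggered it."""
    collector = _Collector()
    collector.feed(html)
    evidence = {}
    for url in collector.urls:
        idp = idp_from_url(url)
        if idp:
            evidence.setdefault(idp, []).append("url:" + url)
    for match in PHRASE_RE.finditer(" ".join(collector.text)):
        evidence.setdefault(match.group(1).lower(), []).append("text:" + match.group(0))
    return evidence


# Constructed sample page: one direct Google auth link, one relying-party-local
# Facebook redirect that is only identifiable by its button text, a plain
# GitHub profile link (should NOT count) and a GitHub OAuth form action.
SAMPLE_HTML = """<html><body>
<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=x">Continue with Google</a>
<a href="/auth/facebook">Log in with Facebook</a>
<a href="https://github.com/example-org">Our GitHub</a>
<form action="https://github.com/login/oauth/authorize"><button>Sign in</button></form>
</body></html>"""

if __name__ == "__main__":
    for idp, items in sorted(detect_idps(SAMPLE_HTML).items()):
        print(idp, items)
```

The path hint matters: a link to a GitHub profile and a link to GitHub's OAuth authorize endpoint share a hostname, so matching on host alone would over-count relying parties. The phrase check covers the common case where the relying party proxies the flow through its own `/auth/<provider>` route, so the provider's hostname never appears in the page at all.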

When was the data collected?
The Alexa top 1M file was obtained on September 14, 2017 and is available here. The SSO data was collected between September 2017-January 2018. The data collection was done over multiple rounds to limit the number of server errors (e.g. DNS errors).

What information is included in the dataset?
The collected data is available as a JSON file in the download section. The file includes all crawled websites from the Alexa top 1M from which we received a correct response. We have excluded any websites that exhibited erroneous behavior even after multiple crawls.

How to cite data?
If you use the data please cite our paper:

@inproceedings {217498,
    author = {Mohammad Ghasemisharif and Amrutha Ramesh and Stephen Checkoway and Chris Kanich and Jason Polakis},
    title = {O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web},
    booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
    year = {2018},
    address = {Baltimore, MD},
    url = {https://www.usenix.org/conference/usenixsecurity18/presentation/ghasemisharif},
    publisher = {{USENIX} Association},
}


Download Data

You can download our dataset here:


Disclaimer

Due to the dynamic and constantly-evolving nature of the Internet, SSO support changes over time. In our experiments we have observed relying parties change their identity providers or completely drop support of SSO.


Contact

For any questions or suggestions, please email mghas2@uic.edu