Single Sign-On (SSO) shifts the crucial authentication process on a website to to the underlying SSO protocols and their correct implementation. To strengthen SSO security, organizations, such as IETF and W3C, maintain advisories to address known threats. One could assume that these security best practices are widely deployed on websites. We show that this assumption is a fallacy. We present SSO-MONITOR, an open-source fully-automatic large-scale SSO landscape, security, and privacy analysis tool. In contrast to all previous work, SSO-MONITOR uses a highly extensible, fully automated workflow with novel visual-based SSO detection techniques, enhanced security and privacy analyses, and continuously updated monitoring results. It receives a list of domains as input to discover the login pages, recognize the supported Identity Providers (IdPs), and execute the SSO. It further reveals the current security level of SSO in the wild compared to the security best practices on paper. With SSO-MONITOR, we automatically identified 1,632 websites with 3,020 Apple, Facebook, or Google logins within the Tranco 10k. Our continuous monitoring also revealed how quickly these numbers change over time. SSO-MONITOR can automatically login to each SSO website. It records the logins by tracing HTTP and in-browser communication to detect widespread security and privacy issues automatically. We introduce a novel deep-level inspection of HTTP parameters that we call SMARTPARMS. Using SMARTPARMS for security analyses, we uncovered URL parameters in 5 Client Application (Client) secret leakages and 337 cases with weak CSRF protection. We additionally identified 447 cases with no CSRF protection, 342 insecure SSO flows and 9 cases with nested URL parameters, leading to an open redirect in one case. SSO-MONITOR reveals privacy leakages that deanonymize users in 200 cases.

翻译：单点登录（SSO）将网站的关键认证过程转移到底层SSO协议及其正确实现上。为加强SSO安全性，IETF和W3C等组织持续发布安全建议以应对已知威胁。人们可能认为这些安全最佳实践已在网站中广泛部署。我们证明这一假设是错误的。我们提出SSO-MONITOR——一个开源的、全自动的大规模SSO景观、安全与隐私分析工具。与以往所有工作不同，SSO-MONITOR采用高度可扩展的全自动工作流，包含创新的基于视觉的SSO检测技术、增强的安全与隐私分析以及持续更新的监测结果。它以域名列表为输入，发现登录页面，识别支持的Identity Providers，并执行SSO流程。进而揭示实际环境中SSO的安全水平与理论安全最佳实践之间的差距。通过SSO-MONITOR，我们在Tranco 10k网站集中自动识别出1,632个网站，共包含3,020个Apple、Facebook或Google登录入口。持续监测还揭示了这些数字随时间变化的速度。SSO-MONITOR可自动登录每个SSO网站，通过追踪HTTP和浏览器内通信记录登录过程，自动检测广泛存在的安全与隐私问题。我们引入了一种名为SMARTPARMS的新型HTTP参数深度检查方法。使用SMARTPARMS进行安全分析后，我们发现了5个Client Application密钥泄露、337个CSRF防护薄弱案例，另有447个无CSRF防护、342个不安全SSO流程和9个嵌套URL参数案例（其中1例导致开放重定向）。SSO-MONITOR还揭示了200例泄露用户身份可去匿名化的隐私问题。