Single Sign-On Privacy: We Still Know What You Did Last Summer
2024, Conference / Journal
Authors
Louis Jannett, Andreas Mayer, Maximilian Westers
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 8: Security with Untrusted Components
Abstract
Today, Single Sign-On (SSO) is omnipresent on the Internet. Every day, millions of users rely on SSO protocols such as OAuth 2.0 (OAuth) or OpenID Connect 1.0 (OIDC). These protocols allow users to log in to multiple websites or services, called Relying Parties (RPs), using their accounts at major Identity Providers (IdPs) such as Apple, Facebook, and Google. As a consequence, these IdPs gain the ability to track their users across the Internet. In return, RPs gain access to an enriched set of the user's personal data stored at the IdP, including names, email addresses, and profile pictures.

In this paper, we present three novel SSO privacy leaks found in the wild. In contrast to prior work, our leaks occur automatically as soon as the user visits the RP, without their consent or awareness and in a non-transparent manner. To demonstrate their prevalence, we conducted a large-scale study on the Tranco top 1M websites. Our measurement shows that 10,931 RPs automatically leak the user's identity, the currently visited RP, and other metadata (e.g., time of access) to the IdPs (partial leak). Additionally, 2,947 RPs silently deanonymize users by logging them into their accounts without their awareness (full leak). Even worse, 6 RPs leak the user's identity to third parties (escalated leak). Besides 4 major IdPs, including Facebook and Google, we identified privacy leaks affecting 1,032 additional, less popular IdPs. Conversely, 7 IdPs, including Apple and GitHub, are exemplary in avoiding these leaks.

To protect users, we present our browser extension called SSO Privacy Guard and demonstrate its effectiveness in preventing all identified leaks. Furthermore, we discuss if and how emerging tracking-prevention initiatives by major browser vendors can also improve privacy in the SSO ecosystem. To promote reproducibility, we publicly release the source code and all artifacts, and we plan to release SSO Privacy Guard in the official Chrome and Firefox extension stores.
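The partial leak described in the abstract follows from how an OAuth 2.0 / OIDC authorization request is built: the browser sends the request to the IdP together with the IdP's own session cookie (which identifies the user), and the request parameters `client_id` and `redirect_uri` identify the RP. If the RP page issues that request on its own at load time, the IdP learns who visited which RP and when, without a click. The following JavaScript is an added example, not code from the paper or from SSO Privacy Guard, of how an extension-style request filter could recognise such a request from its standard parameters and separate page-initiated requests from user-initiated ones. The `userGesture` input, the `rp.example`/`idp.example` URLs and the allow/block policy are assumptions for illustration; the paper's own detection logic is not given on this page.

```javascript
// Added example (not the paper's code and not SSO Privacy Guard): classify an
// outgoing browser request as an OAuth 2.0 / OIDC authorization request and decide
// whether the page issued it automatically. The policy and heuristics are our own
// assumptions built on the standard request parameters.

// Parameters an authorization request must carry (RFC 6749 section 4.1.1 requires
// response_type and client_id; redirect_uri is optional there but required by
// OIDC Core section 3.1.2.1, so it is reported when present).
const REQUIRED_PARAMS = ["client_id", "response_type"];

// Parse the authorization request out of a URL, or return null if it is not one.
function parseAuthzRequest(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // not even a URL
  }
  const p = url.searchParams;
  if (!REQUIRED_PARAMS.every((k) => p.has(k))) return null;
  return {
    idp: url.origin,                                     // receives the request and its session cookie
    clientId: p.get("client_id"),                        // identifies the RP at the IdP
    redirectUri: p.get("redirect_uri"),                  // where the IdP sends the user back
    responseType: p.get("response_type").split(" "),     // e.g. ["code"] or ["code", "id_token"]
    scope: (p.get("scope") || "").split(" ").filter(Boolean),
    prompt: p.get("prompt"),                             // OIDC: "none" means answer without any UI
  };
}

// rpOrigin: origin of the top-level page the user is visiting.
// userGesture: true if a click or tap (a "Log in with X" button) caused the request.
function classifyAuthzRequest(urlString, rpOrigin, userGesture) {
  const req = parseAuthzRequest(urlString);
  if (req === null) return { kind: "not-sso", action: "allow" };

  // prompt=none is a silent session probe: the IdP answers from its cookie alone.
  const silent = req.prompt === "none";
  // A request the user did not trigger is automatic whether or not it is silent.
  const automatic = silent || !userGesture;

  // What the IdP learns from this single request. Its own session cookie, attached
  // by the browser, supplies the user's identity; the parameters supply the RP;
  // the arrival time is implicit.
  const leakedToIdp = {
    rp: rpOrigin,
    clientId: req.clientId,
    redirectUri: req.redirectUri,
    requestsIdentity: req.scope.includes("openid") || req.responseType.includes("id_token"),
  };

  return {
    kind: automatic ? "automatic" : "user-initiated",
    silent,
    idp: req.idp,
    leakedToIdp,
    // Assumed policy: let the user's own login attempts through, block everything
    // the page started on its own.
    action: automatic ? "block" : "allow",
  };
}

// Constructed sample: an RP page loading a hidden IdP session probe at page load.
const SAMPLE_SILENT_PROBE =
  "https://idp.example/authorize?client_id=rp-4711&response_type=code" +
  "&redirect_uri=https%3A%2F%2Frp.example%2Fcallback&scope=openid%20email" +
  "&state=xyz&prompt=none";

console.log(
  JSON.stringify(classifyAuthzRequest(SAMPLE_SILENT_PROBE, "https://rp.example", false), null, 2)
);
```

In a real extension the `userGesture` signal would have to come from the page context (for example, from a click listener in a content script), and the endpoint check could additionally be pinned to known IdP authorization endpoints; the parameter-based check alone is deliberately provider-agnostic so that it also covers the long tail of less popular IdPs.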