We all know this familiar scenario: to be able to use specific features of a website you need to log in, but creating an individual account for every single site is tedious. For this reason it makes a lot of sense to use your own Facebook or Google account for authentication. However, this means that Facebook or Google data will be passed directly to the companies behind the respective website, and that creates risks.
Researchers at TU Wien have taken a closer look at this authentication process. They have developed a browser plug-in that closes this security gap in a very rigorous way: it is logically impossible to circumvent the browser plug-in. The first prototype can already be installed, and talks are currently underway with browser creators to integrate the plug-in into future browser versions.
Logging in via Facebook or Google
“Logging in on websites with social media accounts has become commonplace,” says Prof Matteo Maffei from the Security and Privacy group, Institute of Logic and Computation at the TU Wien. “You can use your Facebook account to log into Instagram, or different online forums or blogs and online magazines.” In doing so, the respective website that you want to log into receives data directly from Facebook or Google. However, it is not clear which other programmes also run on this website and could potentially be running harmful actions.
It is possible that the social media login details that you use for authentication are used illegally to obtain further information. “An attacking programme can access personal data, view friend lists or even find out which sites you have visited. In the worst case scenario your social media account could even be taken over,” Maffei explains.
Security that can be proven
Prof Maffei and his team are now developing an extension that acts as a barrier between malicious scripts and a browser. “During authentication Facebook sends a code back to the browser that you use to log into a third party's website,” Maffei continues. “Our plug-in replaces this code with a randomly-generated replacement code. The real code is only used for communicating with Facebook, while scripts from other websites only see the replacement code. The browser extension acts as a data transmitter between them. This way it becomes impossible for malicious scripts to exchange data with Facebook without permission.”
But that’s not all – the plug-in also monitors the whole data transfer to and from the browser. “Authentication protocols are precisely defined, so we know exactly which information is exchanged in which sequence between the browser and the website,” Prof Maffei explains. “If the website does not comply, for example when a specific step during the authentication sequence is triggered without completing previous steps, then this is an irregular action that can be risky.”
Data exchange between a browser and a website is monitored in a way that makes it impossible to circumvent the plug-in, which can be proven mathematically. In other words, the browser plug-in yields formal security guarantees.
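An added example, not the TU Wien plug-in's own code, modelling the code replacement and the step-order check described above. The class name, the three step names and the idp.example origin are assumptions made for illustration.

```javascript
// Model of the two mechanisms; all names and the origin are hypothetical.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const IDP_ORIGIN = 'https://idp.example'; // constructed identity-provider origin
const STEPS = ['auth_request', 'auth_response', 'code_redeem']; // assumed order

class LoginGuard {
  constructor() {
    this.next = 0;          // index of the only step allowed next
    this.vault = new Map(); // placeholder -> real code, kept away from page scripts
  }

  // Step-order check: anything other than the expected step aborts the flow.
  step(name) {
    if (STEPS[this.next] !== name) {
      this.next = 0;
      this.vault.clear();
      return false;
    }
    this.next += 1;
    return true;
  }

  // Response from the identity provider: swap the real code for a random one.
  onAuthResponse(realCode) {
    if (!this.step('auth_response')) return null;
    const bytes = webcrypto.getRandomValues(new Uint8Array(16));
    const placeholder = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
    this.vault.set(placeholder, realCode);
    return placeholder; // the only value page scripts get to see
  }

  // Outgoing request: the real code is restored only for the identity provider,
  // and only once; every other destination keeps the placeholder.
  onOutgoing(destOrigin, value) {
    if (destOrigin !== IDP_ORIGIN || !this.vault.has(value)) return value;
    return this.step('code_redeem') ? this.vault.get(value) : null;
  }
}
```

A script that copies the placeholder and sends it to another origin transmits only the random value, and a second attempt to redeem it is rejected as an out-of-order step.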
For this idea Prof Matteo Maffei received an ERC grant last year, and the plug-in is now the first success of his ERC project. “A proof-of-concept version of the plug-in can already be downloaded and installed on the Chrome browser. But we are still working to improve it. We are already talking to well-known browser vendors that want to implement our idea directly into their browser.”
The plug-in not only guarantees improved safety compared to existing protection methods, but it is also very lightweight and its use does not noticeably slow down the loading of the website. The plug-in was officially presented at the 27th Usenix Security Symposium, the most important system security conference in the world, in Baltimore on 17th August.
This work is the result of a research collaboration between TU Wien and the Ca’ Foscari University of Venice.
Prof. Matteo Maffei
Institute of Logic and Computation
Favoritenstraße 9-11, 1040 Vienna