Note: just because you’ve been signed out of Facebook does not mean the threat has passed. If you use Facebook to log in to any other site, those are all potentially still compromised.
The issue is that an attacker who compromises your FB account can log in to all of the sites where you use FB as an SSO provider and they remain logged in until their cookie expires (or is expired by the site).
Any site operator that allows FB to act as an identity provider (SSO provider) should expire all such session cookies. In our paper, we argue for a single sign-off mechanism to help remediate SSO provider compromise. https://www.usenix.org/conference/usenixsecurity18/presentation/ghasemisharif …
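One way a relying party (a site that accepts Facebook or GitHub logins) could implement the single sign-off the tweet argues for, as an added illustration that is not code from the thread or from the paper; the SessionStore class, its method names and the revocation-by-provider policy are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    token: str
    idp: str         # which provider vouched for this login, e.g. "facebook"
    subject: str     # the provider's user id for the person who logged in
    issued_at: float
    expires_at: float


class SessionStore:
    """Hypothetical relying-party session store that records which IdP issued
    each login, so sessions can be revoked per provider, not only per cookie."""

    def __init__(self, ttl_seconds: float = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def login_via_idp(self, idp: str, subject: str, now: Optional[float] = None) -> str:
        # Called only after the IdP assertion has been verified; mint an RP session.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, idp, subject, now, now + self.ttl)
        return token

    def is_valid(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        return s is not None and s.expires_at > now

    def sign_off_idp(self, idp: str, issued_before: Optional[float] = None) -> int:
        """Single sign-off: drop every session minted on the strength of an
        assertion from `idp`. With `issued_before`, only sessions created up to
        that time (e.g. when the provider reset its tokens) are dropped.
        Returns the number of sessions revoked."""
        doomed = [t for t, s in self._sessions.items()
                  if s.idp == idp and (issued_before is None or s.issued_at <= issued_before)]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def sign_off_subject(self, idp: str, subject: str) -> int:
        """Narrower variant: revoke only the sessions of one account at one IdP."""
        doomed = [t for t, s in self._sessions.items() if (s.idp, s.subject) == (idp, subject)]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Sessions obtained through other providers are untouched by a provider-wide sign-off, which is the point: the blast radius of an IdP compromise is bounded to the logins that IdP vouched for.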
Replying to @stevecheckoway
As an aside, using Facebook for SSO seems like an awful idea. It's both giving FB additional data about you, and potentially compromising some of your FB profile to the site you're logging in to, at least allowing them to link you to a FB identity.
Replying to @RichFelker
I’m not sure I have an opinion about FB, but I use GitHub as an IdP for several sites (travis, appveyor, macports, etc). It _is_ convenient.
Replying to @stevecheckoway
Yes, SSO/identity-provider is convenient. But FB makes a really really bad choice of one. I would go so far as to say it's irresponsible for a site to allow users to use FB as their SSO/identity provider.
Replying to @RichFelker
What about Google? I believe those are the two largest IdPs.
Replying to @stevecheckoway
Google is getting worse too, depending on which of their services and products you use. But I feel like supporting Google as SSO is reasonable because some people use it in ways that don't expose huge parts of their lives to Google.
On the other hand, if you're on Facebook, you're probably using it in ways that reveal your entire network of relationships to other people and lots of private aspects of your life. Unlike Google, it doesn't have any purpose beyond that.