Note, just because you’ve been signed out of Facebook does not mean the threat has passed. If you use Facebook to log in to any other site, those are all potentially still compromised.
The issue is that an attacker who compromises your FB account can log in to all of the sites where you use FB as an SSO provider and they remain logged in until their cookie expires (or is expired by the site).
Any site operator that allows FB to act as an identity provider (SSO provider) should expire all such session cookies. In our paper, we argue for a single sign-off mechanism to help remediate SSO provider compromise. https://www.usenix.org/conference/usenixsecurity18/presentation/ghasemisharif …
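What "expire all such session cookies" can look like on the relying-party side, as an added illustration that is not from the thread or the linked paper: a session store that records which identity provider minted each session, plus a single_sign_off() call that invalidates every session that provider issued before a given instant, so outstanding cookies fail on their next use. All names and the scenario data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass
class Session:
    user: str
    idp: Optional[str]      # e.g. "facebook" or "github"; None for a local password login
    created_at: datetime
    max_age: timedelta

class SessionStore:
    """Relying-party session store that remembers which IdP minted each session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # Per-IdP watermark: sessions created through that IdP before it are dead.
        self._sign_off_before: Dict[str, datetime] = {}

    def create(self, sid: str, user: str, idp: Optional[str], now: datetime,
               max_age: timedelta = timedelta(days=30)) -> None:
        self._sessions[sid] = Session(user, idp, now, max_age)

    def single_sign_off(self, idp: str, at: datetime) -> None:
        """Kill every session minted via `idp` before `at` (e.g. when its compromise was announced)."""
        prev = self._sign_off_before.get(idp)
        self._sign_off_before[idp] = at if prev is None else max(prev, at)

    def is_valid(self, sid: str, now: datetime) -> bool:
        s = self._sessions.get(sid)
        if s is None or now - s.created_at > s.max_age:   # unknown, or cookie past max age
            return False
        cutoff = self._sign_off_before.get(s.idp) if s.idp else None
        return cutoff is None or s.created_at >= cutoff   # only sessions minted after sign-off survive

def demo() -> Dict[str, bool]:
    """Constructed scenario: four logins, then a single sign-off for the 'facebook' IdP."""
    t0 = datetime(2018, 9, 28, 12, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    store = SessionStore()
    store.create("alice-fb", "alice", "facebook", t0)                   # victim, via compromised IdP
    store.create("bob-gh", "bob", "github", t0)                         # unaffected IdP
    store.create("carol-pw", "carol", None, t0)                         # local login, no IdP
    store.create("alice-fb-attacker", "alice", "facebook", t0 + 1 * h)  # minted by the intruder
    store.single_sign_off("facebook", t0 + 2 * h)                       # site expires FB-derived sessions
    store.create("alice-fb-new", "alice", "facebook", t0 + 3 * h)       # legitimate re-login afterwards
    now = t0 + 4 * h
    return {sid: store.is_valid(sid, now) for sid in
            ("alice-fb", "bob-gh", "carol-pw", "alice-fb-attacker", "alice-fb-new")}
```

The watermark only works if sessions carry their creation time and originating IdP; sessions from other providers and local password logins are untouched.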
Replying to @stevecheckoway
As an aside, using Facebook for SSO seems like an awful idea. It's both giving FB additional data about you, and potentially compromising some of your FB profile to the site you're logging in to, at least allowing them to link you to a FB identity.
Replying to @RichFelker
I’m not sure I have an opinion about FB, but I use GitHub as an IdP for several sites (travis, appveyor, macports, etc). It _is_ convenient.
Replying to @stevecheckoway
Yes, SSO/identity-provider is convenient. But FB makes a really really bad choice of one. I would go so far as to say it's irresponsible for a site to allow users to use FB as their SSO/identity provider.