Identity 2.0: How Attackers Break into Identity-centric Services
When learning about Web 2.0, we stumble across several other terms such as Internet 2.0, Life 2.0, and (as the title of this article suggests) Identity 2.0. It is almost as if we want to move away from what we have here today and jumpstart a fresh new life without the old clutter.
This change affects almost every aspect of your life. The Internet—and more precisely the Web—brought that change a decade ago. Today, we cannot really live without it, but it has its challenges, which we hope to solve and leave behind in version 3.0.
One problem that is essential to solve is the way we identify ourselves on the Web. Everyone will agree that the Web is the largest and most useful tool man has ever built. It no longer makes sense to register separately for every single service out there. We are buried under tons of passwords to remember, which does not improve the situation but makes it worse.
Average users usually reuse the same username/password pairs for most of their accounts. Why shouldn’t they, when it makes life so much easier? But this only increases the chance of their entire online identities being compromised: the more people who know your secret, the higher the chance of it being leaked.
This introduces a huge dilemma in the Web 2.0 era. How do we identify ourselves? How can we say who we are and verify it in a secure and machine-sensible way?
In real life we have a very decentralized identity management system in the form of national identity cards, driving licenses, and so on. To verify who we are, all we need to do is show our ID; if the picture on the card matches our facial characteristics, the verification is successful. This does not carry over to the digital world, where optical recognition systems are not readily available.
Unfortunately, mainstream technology hasn’t reached that level of maturity yet, and even if it does some day, sooner or later someone will find a way to get around it—just like in the real world. Today’s physical identity management systems really work because their core authentication and authorization characteristics do not rely on what we have to say about ourselves; they rely on what others have to say about us. The authenticator in this case is a third-party organization or a person who matches our facial characteristics with the ones from the picture. Although this system seems to be very insecure and easy to bypass, the reality is that it works most of the time and it does scale very well.
In the Web 2.0 era, we see several types of systems that offer similar functionality, but with a twist. Among them are services such as OpenID, Microsoft’s CardSpace, Sxip, YADIS, and so on. To one degree or another, all are based on the idea that the identity verifier must be a third-party organization, also known as an identity provider.
In the Web 2.0 era, we also talk about identity-centric architectures, in which users are in full control of their online selves, and about single sign-on for all the services we visit. In simple words, the Web 2.0 era provides a mechanism for logging in only once while being able to prove who we are to as many services as we want.
However, as the saying goes, "With great power comes great responsibility." There are problems with this approach, as there always will be. A centralized identity management system sounds good from an administrative point of view, but it looks quite different once security and privacy are taken into account. Single sign-on, identity-centric systems will be broken into in the future as easily as criminals break into social network profiles today. The impact, however, is far greater, for a number of reasons. The most obvious one is that once a user-centric identity is lost, it may as well be lost forever. Call it identity theft on steroids. It is probably the worst thing that can happen to your online self.
How do attackers break into identity-centric services? The truth is that the technology and the attack vectors are here today, ready to be exploited. The most dangerous types of attacks that Identity 2.0 providers will soon face are the same ones that endanger Web 2.0 services today, including cross-site scripting, cross-site request forgery, phishing attacks, and (last but not least) backend injection and simple dictionary attacks.
Cross-site scripting, also known as XSS, is an attack vector that quickly gained popularity with the rise of Web 2.0 and AJAX technology. XSS is used in situations in which attackers need to circumvent the browser’s security restrictions, also known as the same-origin policy, to get access to unauthorized data using the browser as a proxy. The same-origin policy prohibits pages retrieved from different domains/origins from accessing each other. This is done on purpose, for several reasons.
In practice, every website that the user is authenticated with stores cookies for the current session, which usually expire when the user closes the browser. These cookies are used to establish state with otherwise stateless web applications. If websites could access each other, they could also read each other’s cookies and thus perform actions on behalf of the user.
Cross-site scripting is an injection attack in which attackers supply malicious code as part of a GET or POST request. It is sent to the attacked application and is then rendered as part of the HTML page the application delivers. This attack is perfect for stealing session identifiers or creating massive worm outbreaks like the Samy worm that crippled MySpace on October 4, 2005.
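The three mechanisms the preceding paragraphs describe (the same-origin check, the reflected injection of a request parameter into a page, and the session cookie that an injected script would go after) are shown below from the defender’s side. This is an added example, not code from the original article or from any of the products it names; the request handlers, the `sid` cookie name and the sample input are all constructed for illustration, and the code assumes Node.js 18 or later for the global `URL` class.

```javascript
// Added example (not from the original article). Assumes Node.js 18+.
// The handlers below are hypothetical: they take the already-decoded
// request parameter as a string instead of a real framework request.

// 1. Same-origin policy: two URLs share an origin only when scheme, host
//    and port all match. A subdomain, another scheme or another port is a
//    different origin and gets no access to the first origin's cookies/DOM.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// 2a. Reflected XSS, the "before": the handler copies a request parameter
//     into the page verbatim, so any markup in the parameter is rendered
//     by the victim's browser inside the application's own origin.
function renderGreetingVulnerable(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// 2b. The "after": encode the five characters that carry meaning in HTML
//     before interpolating untrusted data into a text node or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// 3. Session cookie attributes: HttpOnly keeps the id out of document.cookie,
//    so a script that does get injected cannot simply read it; Secure keeps it
//    off plaintext connections; SameSite=Lax stops most cross-site sends.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed input: a parameter value containing a script element, as it
// would look after URL decoding. This is a test string, not a real payload.
const untrustedName = '<script>alert(1)</script>';

console.log(sameOrigin('https://idp.example/login', 'https://evil.idp.example/')); // false
console.log(renderGreetingVulnerable(untrustedName)); // script element survives
console.log(renderGreetingSafe(untrustedName));       // rendered as literal text
console.log(sessionCookieHeader('s3ss10n'));
```

Note that `escapeHtml` is only correct for HTML text and quoted attribute values; a value placed inside a `<script>` block, a URL or a CSS context needs the encoding appropriate to that context, which is why output encoding is usually paired with a templating engine that escapes by default.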
In terms of identity-centric services, cross-site scripting will still be the number one attack, especially with the introduction of single sign-on. Firefox 3, which is expected to be released soon, will introduce support for microformats, among which is support for OpenID identity management systems. This means that users will be logged into their identity provider as soon as they open the browser. Unfortunately, if they happen to visit a malicious website that exploits a cross-site scripting vulnerability found on a page from their identity provider’s origin, attackers could inject malicious code within that scope and hijack the user’s online identity.
Cross-site scripting holes are easy to find and almost as easy to introduce. However, they are just one of the many things attackers are able to do.