Facebook awards UT Internet Security Researcher $40,000

Cason Hunwick

A UT researcher received $40,000 from Facebook for advancing research in online security.

Wing Cheong Lau, a UT-Austin electrical and computer engineering graduate and associate professor at the Chinese University of Hong Kong, conducted research which identified previously unknown vulnerabilities in single sign-on technology.

According to Lau, single sign-on is a way to make creating new accounts easier for users. Instead of making countless new passwords, with an SSO service, all you need is one login to access multiple accounts, Lau said.

“From the user point of view, (SSO) makes it simpler — you don’t have to remember tons of logins and passwords, each of them with different requirements,” Lau said.

The technology caught on when social apps became popular, Lau said. Everyone started joining the same platforms, so it made sense for developers to offer a more convenient login system.

Lau said this convenience comes at a price. SSO installation is complicated. Providers, developers and other parties have hands in using the software.

Developers install SSO software from providers like Google and Facebook, Lau said. However, any mistakes in this process can lead to serious consequences — vulnerabilities that hackers can exploit.

“The system is very complex,” Lau said. “There are too many parties involved … and as long as someone does not have the necessary technical resources, bad things can happen.”

“Bad things” includes hackers stealing credit card information and invading messenger apps. Attackers can even gain access to billions of accounts with a single hack.

“We analyzed a hotel booking app, and because of the insecure implementation of SSO, an attacker could use your credit card to book a hotel … or they can know your whereabouts,” Lau said. “People can also look into your private chats on messenger apps.”

Facebook and other providers, in light of security controversies, are working to reduce their vulnerability. Lau’s automated testing tool checks SSO systems for errors and helps communicate vulnerabilities in security.

“When we find out that there’s a bug, we inform the provider (such as Google or Facebook) and they respond to us fairly quickly and try to fix things … because security matters, since they are the ones whose names will show up in the headlines,” Lau said.

SSO has many benefits for tech companies because it allows them to grow and strengthen their networks.

“By getting users to login to different applications with their Google or Facebook identity, it actually gives those companies strength by giving them access to more data,” according to Lau.

Logging in with Google into a new game, for example, allows Google to know which games you like to play on your phone, and they can use that data to target advertising, Lau said. He added that with each new login, providers accumulate more and more data.

“Some users may trust big names like Google and Facebook and feel more comfortable using that information to sign into apps with less credibility,” Lau said. “But sometimes that credibility goes too far.”

Lau added that trust in the providers is also a key factor with SSO.

“A big problem for users and single sign-on is a misplace of trust,” Lau said. “You think Facebook and Google are reasonable … those providers might be doing the right thing. But providers can only do so much to ensure user security.”

For their work, Lau and his team were awarded third place in the 2018 Internet Defense Prize from Facebook research at the 27th USENIX Security Symposium hosted in Baltimore, Maryland. Facebook provided $200,000 in total prize money.