Professor, Graduate Student Develop Tool to Protect Web Users

Most Internet users know that practicing good online hygiene — never clicking on spam, choosing strong passwords and setting up two-factor authentication — is essential for protecting their personal information. They typically don’t know, however, that unless the developers of the websites they visit take similar precautions, they could still be at risk. That’s because Web developers increasingly embed third-party scripts, some reputable and others less so, in an effort to make website design more efficient.

These scripts serve a variety of purposes. Some, like single sign-on scripts, make browsing the Web more convenient. Others inject ads that enable the site to earn revenue or track users. Professor David Evans and graduate student Yuchen Zhou are developing tools that can help busy developers deploy these services safely.

In the case of single sign-on services, there are at least two causes for the vulnerabilities. The first is flaws in the software development kits that these organizations distribute to developers. Dave, Yuchen and collaborators at Microsoft took an exhaustive look at three such kits, identifying bugs that could produce vulnerabilities. Facebook awarded them three $1,500 “bug bounties” for their work.

The second and more common cause is developers who lack the knowledge to securely integrate the services. “Either the documentation is not clear or the developers fail to follow it correctly,” Yuchen says.

Dave and Yuchen’s response was to build a tool — SSOScan — that can automatically review a site for vulnerabilities caused by using Facebook’s single sign-on. A developer simply enters the website URL and receives an analysis within a short period of time.

These vulnerabilities are common. Yuchen ran SSOScan on the top 20,000 U.S. websites. Of the sites that used Facebook’s single sign-on, 20 percent had at least one type of security vulnerability.