
Minimizing information disclosure to third parties in social login platforms

  • Special Issue Paper
International Journal of Information Security

Abstract

Over the past few years, a large and ever increasing number of Web sites have incorporated one or more social login platforms and have encouraged users to log in with their Facebook, Twitter, Google, or other social networking identities. Research results suggest that more than two million Web sites have already adopted Facebook's social login platform, and the number is rising sharply. Although one could in principle refrain from such social login features and cross-site interactions, usage statistics show that more than 250 million people use them, and many may not fully realize the privacy implications of opting in. To make matters worse, certain Web sites do not offer even minimal functionality unless users meet their demands for personal information and social interaction, and in a large number of cases it is unclear why a site needs all that personal information for its purposes. In this paper, we mitigate this problem by designing and developing a framework for minimum information disclosure in social login interactions with third-party sites. Our example case is Facebook, which combines a very popular single sign-on platform with information-rich social networking profiles. Whenever a user browses to a Web site that requires authentication or social interaction through a Facebook identity, our system by default employs a Facebook session that reveals the minimum amount of information necessary. Users can explicitly elevate that session so that it reveals more or all of the information tied to their social identity. As a result, users disclose the minimum possible amount of personal information while browsing third-party Web sites.
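The abstract describes a policy rather than an API: a third-party site gets a disclosure-minimal identity-provider session by default, and only an explicit user action elevates that one site to the full session. The following is an added illustration of that policy, not code from the paper or from Facebook's platform. It models the two sessions as two constructed profile objects, keeps elevation per origin and time-limited, and refuses elevation that does not come from a user gesture; the names SessionBroker and handleLoginRequest, the profile contents and the origins are assumptions made for this example.

```javascript
// Added illustration (not the paper's code): default-minimal session with
// explicit, per-origin, time-limited elevation to the full session.
// SessionBroker, handleLoginRequest, both profiles and all origins are
// assumptions for this example.

// Two constructed stand-ins for two sessions at the identity provider:
// what the minimal session exposes, and what the full session exposes.
const MINIMAL_PROFILE = Object.freeze({
  id: "min-4711",
  name: "Alice",
});
const FULL_PROFILE = Object.freeze({
  id: "full-4711",
  name: "Alice Example",
  email: "alice@example.org",
  birthday: "1990-04-01",
  friends: ["bob", "carol"],
});

class SessionBroker {
  constructor() {
    // origin -> { expires }; no entry means the origin is at the minimal level
    this.elevated = new Map();
    this.log = []; // audit trail of what was released to whom
  }

  // Which session (profile) a third-party origin currently sees.
  profileFor(origin, now = Date.now()) {
    const entry = this.elevated.get(origin);
    if (entry && entry.expires > now) return FULL_PROFILE;
    if (entry) this.elevated.delete(origin); // expired elevation falls back to minimal
    return MINIMAL_PROFILE;
  }

  // Elevation is per origin, time-limited, and only on an explicit user
  // gesture; a request originating from page script or a redirect is refused.
  elevate(origin, { userGesture, ttlMs = 10 * 60 * 1000, now = Date.now() } = {}) {
    if (!userGesture) {
      this.log.push({ origin, action: "elevate-denied" });
      return false;
    }
    this.elevated.set(origin, { expires: now + ttlMs });
    this.log.push({ origin, action: "elevated", until: now + ttlMs });
    return true;
  }

  // Drop an origin back to the minimal session.
  demote(origin) {
    this.elevated.delete(origin);
    this.log.push({ origin, action: "demoted" });
  }
}

// A simulated social-login request: the site lists the profile fields it
// asks for, the broker answers from whichever session the origin is at,
// and the fields the current level does not expose are reported as withheld.
function handleLoginRequest(broker, origin, requestedFields, now = Date.now()) {
  const profile = broker.profileFor(origin, now);
  const granted = {};
  const withheld = [];
  for (const field of requestedFields) {
    if (Object.prototype.hasOwnProperty.call(profile, field)) {
      granted[field] = profile[field];
    } else {
      withheld.push(field);
    }
  }
  broker.log.push({ origin, action: "login", granted: Object.keys(granted), withheld });
  return { granted, withheld };
}
```

Two properties of the policy are worth checking in any real implementation, and the model exercises both: elevation is scoped to a single origin, so a site elevated by the user does not raise the level for any other site, and an elevation that has expired or been demoted must revert to the minimal session rather than linger. In a browser deployment the two profiles would correspond to two separate cookie jars at the identity provider, and the third-party site would talk to the provider directly; the field filtering here only stands in for which session's cookies are attached to that exchange.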



Author information

Corresponding author

Correspondence to Georgios Kontaxis.

About this article

Cite this article

Kontaxis, G., Polychronakis, M. & Markatos, E.P. Minimizing information disclosure to third parties in social login platforms. Int. J. Inf. Secur. 11, 321–332 (2012). https://doi.org/10.1007/s10207-012-0173-6
