Artifacts of SSO Privacy Leaks

Single Sign-On Privacy: We Still Know What You Did Last Summer


Information

All artifacts can be found at this URL: https://sso-privacy.me/artifacts. We offer both options: you can scan everything yourself, or you can use our scanned data.

1 - Scanning

This folder contains all the raw results of our scans (Partial-Leak-Scans & Full-Leak-Scans) and our extension code that enables SSO Monitor to scan for privacy leaks (Code). The results collected by SSO Monitor are included unmodified and may therefore occasionally contain false positives; these are excluded in the evaluation step.

Scanning for leaks by yourself

To scan for leaks yourself, please refer to the README.md inside the Code directory.

2 - Evaluation (§5.1 - §5.3)

This folder contains the evaluated data of the detected partial (§5.1), full (§5.2), and escalated leaks (§5.3) as well as the evaluation scripts used to collect the results from the scan artifacts. While the scan artifacts consist of one JSON file per page, the evaluation scripts combine the individual results into a single dataset. Partial and full leaks were found by performing scans with SSO-Monitor; escalated leaks were found by analyzing the HAR files captured during the scan.

Reproduce the results

To reproduce our results, please refer to the README.md inside the Evaluation Scripts directory.

3 - Geolocation / Categorization / Reputation (§5.4 - §5.5)

We enhanced our insights regarding website geolocation for the camera-ready version. This involved expanding our analysis to the entire Tranco 1M dataset, as suggested by reviewers A and C. Please refer to the README.md. All artifacts can be found here.

Additionally, we updated the website categorization and reputation analysis for the camera-ready version. Please refer to the README.md. All artifacts can be found here.

4 - SSO Privacy Guard Extension (§6.2)

To effectively defend against all SSO privacy leaks, we introduce SSO Privacy Guard. This Chrome browser extension intercepts all SSO messages and applies both IdP-specific and generic rules to each request in order to detect SSO AuthRequests. Our approach aims to block these requests using a strategy that is orthogonal to the Google One Tap SDK.

You can find more information as well as installation instructions inside the README.md.

The extension itself is located here.

Download Instructions

We do not recommend downloading all artifacts at once, as the zipping process is done on the fly and many artifacts would be downloaded twice, once as a ZIP and once in raw format. Instead, we provide two ways to explore the artifacts.

  1. ZIP files to download specific parts of the artifacts:
    While steps 2, 3, and 4 produced only a few files, the scanning process (step 1) produced over 1 million files. Therefore, we prepared ZIP files for specific parts inside this folder. For example, 1-Scanning/Full-Leak-Scans/full-leak-scan-data-facebook-with-consent.zip contains all raw artifacts that were recorded while scanning pages for full leaks via Facebook. The same applies to the partial leak scan. If you want to download all 1,000,000 files for every page we scanned, you can download 1-Scanning/Partial-Leak-Scans/partial-leak-scan-data-top-1m.zip. To download all artifacts from the scanning phase (1), you will need the following files:

    Partial-Leak-Scans/partial-leak-scan-data-top-1m.zip
    Full-Leak-Scans/full-leak-scan-data-facebook-with-consent.zip
    Full-Leak-Scans/full-leak-scan-data-google-with-consent.zip
    Full-Leak-Scans/full-leak-scan-data-microsoft-with-consent.zip
    Full-Leak-Scans/full-leak-scan-data-newscorpaustralia-with-consent.zip

    To download any directory other than 1-Scanning (or the folder "Code" inside the 1-Scanning directory), you can safely use the download button on the left side or use method 2.

  2. Directly in the browser:
    In addition to the ZIP files, we provide all artifacts as individual files that can be opened directly in your browser or downloaded individually. For example, if you want to check the results of our evaluation (2), you can access the artifacts directly in the browser.