Information
All artifacts can be found at this URL: https://sso-privacy.me/artifacts. You can either run the scans yourself or use our scanned data.
1 - Scanning
This folder contains all the raw results of our scans (Partial-Leak-Scans & Full-Leak-Scans) and our extension code that enables SSO Monitor to scan for privacy leaks (Code). The results collected by SSO Monitor are included unmodified and may therefore, in rare cases, contain false positives, which are excluded in the evaluation step.
Scanning for leaks by yourself
To scan for leaks by yourself, please refer to the README.md inside the Code directory.
2 - Evaluation (§5.1 - §5.3)
This folder contains the evaluated data of the detected partial (§5.1), full (§5.2), and escalated leaks (§5.3) as well as the evaluation scripts used to collect the results from the scan artifacts. While the scan artifacts are one JSON file per page, the evaluation scripts combine the individual results into a single dataset. Partial and full leaks were found by performing scans with SSO-Monitor, and escalated leaks were found by analyzing the HAR files captured during the scan.
Reproduce the results
To reproduce our results, please refer to the README.md inside the Evaluation Scripts directory.
3 - Geolocation / Categorization / Reputation (§5.4 - §5.5)
We enhanced our insights regarding website geolocation for the camera-ready version. This involves expanding our analysis to the entire Tranco 1M dataset, as suggested by reviewers A and C. Please refer to the README.md. All artifacts can be found here.
Additionally, we updated the website categorization and reputation analysis for the camera-ready version. Please refer to the README.md. All artifacts can be found here.
4 - SSO Privacy Guard Extension (§6.2)
To effectively defend against all SSO privacy leaks, we introduce SSO Privacy Guard. This Chrome browser extension intercepts all SSO messages and applies both IdP-specific and generic rules on each request to detect SSO AuthRequests. Our approach aims to block these requests by using a strategy that is orthogonal to the Google One Tap SDK.
You can find more information as well as installation instructions inside the README.md.
The extension itself is located here.