For some reason this only just now occurred to me: What’s to stop some web site from carefully crafting an imitation of the Google “you need to sign in again” UI, storing your Google password, and storing from the other side the auth cookie from Google, so that it can then poke around through 100% of your Google content including any other site you’ve signed into with the same SSO login?

This is such a fundamental flaw in the whole concept that it’s obviously occurred to people and they’ve had time to come up with something to prevent it, but I can’t see how you could prevent it. Have I missed something? You might have a non-Google URL in the address bar during the faked sign-in, or you could use varying degrees of deception to attempt to make the address bar look legit, but I’d honestly be surprised if more than 20% of people even check the address bar every time they sign in to SSO. I don’t.

So what’s to make this not work?

  • @RedditWandererEnglish
    16 months ago

    Companies will include an image of your choosing when you enter your credentials to know it’s really the host, and that can’t be faked really. Obviously people don’t notice and a fake website is often enough, but there is a mechanism.

    • mozzOP
      26 months ago
      1. Google Oauth currently doesn’t do that
      2. We’re doing man-in-the-middle under my proposed scenario anyway (we have to, to defeat 2FA and get a real Oauth token.) It’s trivial to show the user the Google-provided image of the user’s choosing.