In a day and age when you are either griping about security or banging out articles on how to increase code security, it’s hard to believe what I saw with my own eyes today. A large and well-known website was looking for a developer to create a universal registration and login service much like Microsoft Passport. The specification called for “seamless integration capabilities into any given website.“
On the surface, these types of services seem like a wonderful idea that prevents someone from having to type in their personal data from one site to the next. Instead, the user would click on a “sign in” button very similar to the .NET passport, they would enter their credentials and data you decide to share with a vendor is magically shared with this site. Microsoft passport requires a rather interesting partnering process in order to get passport authentication on your site. This is supposed to prevent malicious sites from just implementing the “sign in” button and taking your data when you don’t know better.
The problem comes with “seamless integration” and forged sites. It should come as no surprise that Microsoft also has methods that allow passport screens to be thrown into your website’s layout making the login process seem more seamless than redirecting to the passport website itself. This is a very dangerous idea, however. Think about the scenario where you find a gadget you just have to have and, guess what, it’s on clearance for 25% off on this site. You decide to “register” on this site by clicking the login button. The familiar login screen pops up and you enter you r login information.
Have you spotted the problem yet? A crafty individual could create this site that has the same look and feel as the login website. Instead of allowing you to log in as you thought you might, the malware could display an error that would have you believe the site just isn’t working at the moment. No big deal, you go to another site and forget all about this site. The problem is that you have already transmitted your username and login information to this site and that information is now in the hands of an identity thief, and gives a stranger access to any site that uses your login information.
I remember watching a movie (I think it was “xXx“ with Vin Diesel) where a guy drives up to valet parking and hands over his keys. The valet then proceeded to steel the guy’s car. When it comes to embedding a universal login “block” into any page, it just isn’t safe. Anyone can mock up the interface and make it look identical to the login pages that you know and trust. Before you realize what you’ve done, you’ve given someone the “keys“ to any site that uses your login. Personally, I don’t use the same password in any two places. I certainly don’t like the idea of logging into a website just because their login block looks like something I trust.
Keep this in mind the next time you hit eBay and click the passport “sign in” button.