Title :
All your Google and Facebook logins are belong to us: A case for single sign-off
Author :
Vaibhav Rastogi;Ankit Agrawal
Author_Institution :
Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL 60208, United States
Abstract :
The websites of the modern Web integrate content from multiple parties to provide an enriched user experience. The so-called single sign-on forms part of this integration, whereby a relying website enables a user to use her credentials on a third-party provider (such as Google or Facebook) to authenticate with itself and, if desired, authorize itself to use her resources on the provider. The user benefits by not having to remember credentials for different websites separately and by allowing controlled use of her resources with a provider by other websites. However, we observe that the current protocols for single sign-on make no provision for what we call single sign-off: once the user logs out of a relying website, the user still remains signed into the provider website. This can leave the user vulnerable if she forgets to sign out of the provider website after signing out of the relying website on a shared computer. We manually analyze the top twenty websites using Facebook or Google providers and conclude that the above problem is widespread. All but one of these websites do not even warn the user about this problem.
Keywords :
"Google","Facebook","Protocols","Authentication","Authorization","Browsers","Computers"
Conference_Title :
Contemporary Computing (IC3), 2015 Eighth International Conference on
Print_ISBN :
978-1-4673-7947-2
DOI :
10.1109/IC3.2015.7346717