With the boom of software-as-a-service and social networking, web-based Single Sign-On (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, the authors report the first \"Field study\" on popular web SSO systems. They focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities.