
The Devil Is In The (implementation) Details: An Empirical Analysis Of OAuth SSO Systems

San-Tsai Sun, K. Beznosov
Published 2012 · Computer Science

Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdPs) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.

This paper is referenced by
Security evaluation of the OAuth 2.0 framework
Eugene Ferry (2015)
EARP: Principled Storage, Sharing, and Protection for Mobile Apps
Yuanzhong Xu (2017)
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Anna Vapen (2015)
The Achilles heel of OAuth: a multi-platform study of OAuth-based authentication
Huihui Wang (2016)
Vulnerability Assessment of OAuth Implementations in Android Applications
Hui Wang (2015)
Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms
Furkan Alaca (2018)
Longitudinal Analysis of the Third-party Authentication Landscape
Anna Vapen (2016)
Comparative Analysis and Framework Evaluating Web Single Sign-On Systems
Furkan Alaca (2018)
Protecting Client Browsers with a Principal-based Approach
Yinzhi Cao (2014)
On the Need for a General REST-Security Framework
Luigi Lo Iacono (2019)
On the Security of Holder-of-Key Single Sign-On
Andreas Mayer (2014)
SVAuth - A Single-Sign-On Integration Solution with Runtime Verification
Shuo Chen (2017)
All Your Access Tokens Are Belong to Us : Uncovering Large Facebook Collusion Networks Using Honeypots
Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel
Yinzhi Cao (2014)
An Empirical Usability Analysis of the Google Authentication API
Chamila Wijayarathna (2019)
Mobile Personal Identity Provider Based on OpenID Connect
Luigi Lo Iacono (2017)
A secure OAuth 2.0 implementation model
Ari-Pekka Koponen (2016)
Decentralized Action Integrity for Trigger-Action IoT Platforms
E. Fernandes (2018)
Implementation of a single sign-on system between practice, research and learning systems.
S. Purkayastha (2017)
Survey on Restful Web Services Using Open Authorization (Oauth)
K. Kanmani (2013)
Environment-Bound SAML Assertions: A Fresh Approach to Enhance the Security of SAML Assertions
Kai Chen (2013)
To Social Login or not Login? Exploring Factors Affecting the Decision
Ruti Gafni (2014)
Detection and mitigation of malicious JavaScript using information flow control
Bassam Sayed (2014)
Application Development from Prototype to Beta : A Case Study of the Application SeafarerCV
Ronny Reinhardtsen (2018)
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
W. Li (2019)
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines
Daniel Fett (2017)
A Verified Secure Protocol Model of OAuth Dynamic Client Registration
Caimei Wang (2017)
Information Sharing and User Privacy in the Third-Party Identity Management Landscape
Anna Vapen (2015)
OpenStack cloud federation with single sign-on via an Identity Management System
Jitendra Kumar Sharma (2015)
Ticket Transparency: Accountable Single Sign-On with Privacy-Preserving Public Logs
Dawei Chu (2019)
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web
Daniel Fett (2015)