The Devil Is In The (implementation) Details: An Empirical Analysis Of OAuth SSO Systems

San-Tsai Sun, K. Beznosov
Published 2012 · Computer Science

Abstract. Millions of web users today use their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal analyses, but whether it is secure as actually deployed remains an open question. We examine the implementations of three major OAuth identity providers (IdPs), namely Facebook, Microsoft, and Google, and of 96 popular RP websites that support login with Facebook accounts. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities stem from a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that individual sites can adopt gradually.