Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations

  • Wanpeng Li
  • Chris J. Mitchell
  • Thomas Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11286)


Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to obtain a victim user’s OAuth 2.0 authorization code (a short-lived credential that the relying party exchanges for an access token to the user’s data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers and found that 19 of them are vulnerable to these attacks.
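The defect the abstract names, as an added illustration rather than code from the paper: an identity provider that compares only part of the requested redirect_uri against the registered one (here, scheme and host, with path, query and fragment ignored; real providers differ in which part they check, and the specific checks examined in the paper are not reproduced here) will append the victim's authorization code to a URI whose path the attacker chose, whereas simple string comparison of the full URI (RFC 6749 section 3.1.2.3, RFC 3986 section 6.2.1) rejects the manipulated request without redirecting. The client registry, the relying-party URIs and the `authorize` simulation of the authorization endpoint are constructed for this example.

```python
from secrets import token_urlsafe
from urllib.parse import urlsplit, urlencode

# Hypothetical relying party registered at the identity provider (constructed).
CLIENT_REGISTRY = {
    "rp-client-id": "https://rp.example/oauth/callback",
}


def partial_redirect_uri_match(registered: str, requested: str) -> bool:
    """Partial check: only scheme and host of the requested redirect_uri are
    compared with the registered URI; path, query and fragment are ignored.
    This is the weak pattern the example demonstrates."""
    reg, req = urlsplit(registered), urlsplit(requested)
    return reg.scheme == req.scheme and (reg.hostname or "") == (req.hostname or "")


def exact_redirect_uri_match(registered: str, requested: str) -> bool:
    """Exact check: simple string comparison of the whole URI, as RFC 6749
    section 3.1.2.3 requires when a full redirect URI has been registered."""
    return registered == requested


def authorize(client_id: str, redirect_uri: str, state: str, match) -> tuple[bool, str]:
    """Simulate the IdP authorization endpoint after the user has consented.

    Returns (issued, location). On success `location` is the URL the user agent
    is redirected to with the code attached; on failure it is an error message,
    since RFC 6749 section 4.1.2.1 says the server must not redirect the user
    agent to an invalid redirect URI."""
    registered = CLIENT_REGISTRY.get(client_id)
    if registered is None or not match(registered, redirect_uri):
        return False, "error: invalid redirect_uri (not redirecting)"
    code = token_urlsafe(24)  # stand-in for the IdP's authorization code
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return True, redirect_uri + sep + urlencode({"code": code, "state": state})


if __name__ == "__main__":
    # Attacker-supplied redirect_uri: the host is still the RP's, but the path
    # has been changed (constructed example of partial manipulation; which
    # pages on a real RP would leak the code to an attacker is outside this example).
    manipulated = "https://rp.example/some/other/page"
    for label, match in (("partial", partial_redirect_uri_match),
                         ("exact", exact_redirect_uri_match)):
        issued, location = authorize("rp-client-id", manipulated, "xyz", match)
        print(f"{label:7} check, manipulated redirect_uri -> issued={issued}: {location}")
```

With the partial check the code is delivered to `https://rp.example/some/other/page?code=...`, a location the relying party never registered; with the exact check the request fails closed. Prefix matching ("starts with the registered URI") has the same defect as host matching and should be replaced by full-string comparison in the same way.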



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Department of Electrical and Electronic Engineering, City, University of London, London, UK
  2. Information Security Group, Royal Holloway, University of London, Egham, UK
