Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations

  • Wanpeng Li
  • Chris J. Mitchell
  • Thomas Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11286)

Abstract

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.
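The attacks the abstract describes target identity providers that validate only part of the redirect_uri before sending the authorization code to it. As an added example that is not from the paper, the Python below contrasts such a partial (scheme-and-host-only) check with the simple string comparison RFC 6749 requires for a fully registered redirection URI, and models the provider's decision on a mismatch; the client id, registered URI and sample requests are constructed.

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample registration for one hypothetical relying party (client):
# the client registered its full redirection URI with the identity provider.
REGISTERED_REDIRECT_URIS = {
    "rp-client-1": ["https://rp.example/oauth/callback"],
}

def lax_redirect_uri_ok(client_id, requested):
    """Partial check: accepts any redirect_uri whose scheme and host match a
    registered URI, ignoring path and query. Shown only as the weak baseline."""
    req = urlsplit(requested)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, []):
        reg = urlsplit(registered)
        if (req.scheme, req.netloc) == (reg.scheme, reg.netloc):
            return True
    return False

def strict_redirect_uri_ok(client_id, requested):
    """RFC 6749 s.3.1.2.3: when the full URI was registered, compare by simple
    string comparison (RFC 3986 s.6.2.1); no prefix, host-only or pattern match."""
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, [])

def authorization_response(client_id, redirect_uri, check):
    """Model of the provider's decision after user consent. On a mismatching
    redirect_uri, RFC 6749 s.4.1.2.1 says the provider MUST NOT redirect at all,
    so no code is issued and the response carries no destination."""
    if not check(client_id, redirect_uri):
        return {"redirect": None, "code": None, "error": "invalid_redirect_uri"}
    code = secrets.token_urlsafe(32)  # single-use and short-lived in a real provider
    return {"redirect": redirect_uri, "code": code, "error": None}

# Constructed requests: the registered URI, then variants that keep the
# registered scheme and host but alter the path or query.
SAMPLE_REQUESTS = [
    "https://rp.example/oauth/callback",
    "https://rp.example/oauth/callback?next=profile",
    "https://rp.example/some/other/page",
]

def compare_checks(client_id="rp-client-1"):
    """Per sample request: (lax would send the code there, strict would)."""
    results = {}
    for uri in SAMPLE_REQUESTS:
        lax = authorization_response(client_id, uri, lax_redirect_uri_ok)
        strict = authorization_response(client_id, uri, strict_redirect_uri_ok)
        results[uri] = (lax["redirect"] is not None, strict["redirect"] is not None)
    return results
```

Only the first sample passes the strict check; the lax check would deliver the code to every one of them.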


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Department of Electrical and Electronic Engineering, City, University of London, London, UK
  2. Information Security Group, Royal Holloway, University of London, Egham, UK