How Securely Are OAuth/OpenID Connect Implemented in Japan?
Websites, including electronic commerce (EC) sites, increasingly authenticate users through so-called social login, in which a user signs in with a social media account such as Facebook, Google, or Twitter. In such cases, the website uses OAuth and OpenID Connect. However, a website's implementation might raise privacy concerns or be vulnerable to attacks. In this paper, by crawling the login pages of 500 Japanese EC sites and tracing the authentication flows, we investigate the implementation status of social logins and their security against cross-site request forgery. We observed 28 websites that acquired more user permissions from the SNS than necessary, or were vulnerable as a result of improper implementation.
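As an added example (not the paper's crawler), the two checks the survey describes, run over constructed authorization requests: whether the request carries a non-guessable `state` parameter that the relying party later binds to the callback, and whether the requested `scope` goes beyond what a login needs. The hostnames, the scope allow-list and the 64-bit entropy floor are assumptions, not values from the paper.

```python
# Example audit code written for this page (not the paper's crawler); sample URLs,
# hostnames and the scope allow-list are constructed.
import hmac
import math
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: scopes a login-only flow needs; anything beyond is over-permission.
LOGIN_SCOPES = {"openid", "email", "profile", "public_profile"}
MIN_STATE_BITS = 64  # assumed floor; RFC 6819 only asks for a non-guessable value

def state_entropy_bits(state: str) -> float:
    """Rough Shannon estimate of a state token: per-character entropy times length."""
    if not state:
        return 0.0
    n = len(state)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(state).values())
    return per_char * n

def audit_authz_request(url: str) -> dict:
    """Parse one authorization request; return its scopes and a list of finding codes."""
    q = parse_qs(urlparse(url).query)
    state = q.get("state", [""])[0]
    # Providers differ on the scope separator: OIDC uses spaces, some APIs use commas.
    scopes = set(" ".join(q.get("scope", [])).replace(",", " ").split())
    findings = []
    if not state:
        findings.append("missing_state")      # no CSRF binding: login CSRF possible
    elif state_entropy_bits(state) < MIN_STATE_BITS:
        findings.append("weak_state")         # present but guessable
    extra = sorted(scopes - LOGIN_SCOPES)
    if extra:
        findings.append("over_permission:" + ",".join(extra))
    return {"scopes": sorted(scopes), "findings": findings}

def callback_state_ok(expected: str, callback_url: str) -> bool:
    """Relying-party check on the redirect URI: the echoed state must equal the
    value stored in this user's session (constant-time compare)."""
    got = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return bool(expected) and hmac.compare_digest(expected, got)

# Constructed requests: a well-formed login and a flow with no state and extra scopes.
GOOD = ("https://idp.example/authorize?response_type=code&client_id=shop"
        "&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&scope=openid%20email"
        "&state=0f1e2d3c4b5a69788796a5b4c3d2e1f0")
NO_STATE = ("https://idp.example/authorize?response_type=code&client_id=shop"
            "&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&scope=openid,email,friends_list")
```

OAuth 1.0 flows (e.g. Twitter) have no `state` parameter, so the first check applies only to OAuth 2.0 and OpenID Connect requests.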
This work was supported by JSPS KAKENHI Grant Number 18K11305. We are deeply grateful to Kotaro Maki, Ryohei Hosoya and Satoshi Yashiro for their contributions to this work.