How Securely Are OAuth/OpenID Connect Implemented in Japan?

  • Takamichi Saito
  • Tsubasa Kikuta
  • Rikita Koshiba
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 97)

Abstract

Many electronic commerce (EC) websites authenticate users through a so-called social login, in which the user signs in with a social media account such as Facebook, Google, or Twitter. In such a case, the website uses OAuth and OpenID Connect. However, a website's implementation might raise privacy concerns or be vulnerable to attacks. In this paper, by crawling the login pages of 500 Japanese EC sites and tracing their authentication flows, we investigate the implementation status of social logins and their security against cross-site request forgery. We observed 28 websites that acquired more user permissions from SNS than necessary, or that were vulnerable as a result of improper implementation.
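The two findings the abstract reports, over-broad permission requests and flows that can be forged with cross-site request forgery, both show up on the relying-party side of the OAuth 2.0 authorization-code flow. The following is an added example, not code from the paper or from any of the surveyed sites, of the defensive counterpart: the authorization request carries a fresh `state` value bound to the user's session (as RFC 6749 section 4.1.1 recommends and RFC 6819 section 4.4.1.8 motivates), the callback handler accepts a code only when that state matches and has not been used before, and the request builder refuses scopes beyond what login needs. The endpoint URL, client id, redirect URI, scope list and session store are constructed placeholders; the `demo()` function walks a legitimate login, a forged callback and a replayed callback through the handler and returns the outcomes.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed relying-party configuration for this example (not a real provider).
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example/callback"
# Least privilege: the only scopes a login needs. Anything else is refused.
MINIMAL_SCOPES = ("openid", "email")


class SessionStore:
    """Toy server-side session store keyed by session id (stand-in for a real one)."""

    def __init__(self):
        self._sessions = {}

    def get(self, sid):
        return self._sessions.setdefault(sid, {})


def build_authorization_request(session, scopes=MINIMAL_SCOPES):
    """Return the redirect URL for the authorization request.

    A fresh, unguessable state value is generated and stored in the caller's
    session so the callback can later prove the browser that started the flow
    is the one finishing it."""
    for scope in scopes:
        if scope not in MINIMAL_SCOPES:
            raise ValueError(f"scope {scope!r} exceeds what login requires")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # single use; removed by the callback
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the provider's redirect back to the relying party.

    Returns the authorization code only when the presented state equals the
    one bound to this session. The stored state is consumed on every attempt,
    so a value can be used at most once, whether the attempt succeeds or not."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    presented = query.get("state", [None])[0]
    if expected is None or presented is None:
        return None  # no flow in progress, or state missing from the callback
    # Constant-time comparison on bytes avoids both timing leaks and TypeError
    # on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), presented.encode("utf-8", "replace")):
        return None
    return query.get("code", [None])[0]


def demo():
    """Run a legitimate login, a CSRF-style forged callback, a callback with no
    state and a replay through the handler; returns the outcomes."""
    store = SessionStore()

    # 1. Legitimate flow: the provider redirects back with the same state.
    victim = store.get("victim-session")
    url = build_authorization_request(victim)
    state = parse_qs(urlparse(url).query)["state"][0]
    legitimate = handle_callback(victim, f"{REDIRECT_URI}?code=GOOD-CODE&state={state}")

    # 2. Forged callback: the attacker completed their own flow and lures the
    #    victim's browser to the callback URL carrying the attacker's code.
    attacker = store.get("attacker-session")
    build_authorization_request(attacker)
    attacker_state = attacker["oauth_state"]
    victim2 = store.get("victim-session-2")
    build_authorization_request(victim2)
    forged = handle_callback(
        victim2, f"{REDIRECT_URI}?code=ATTACKER-CODE&state={attacker_state}"
    )

    # 3. Callback that omits state entirely (what an unprotected site accepts).
    victim3 = store.get("victim-session-3")
    build_authorization_request(victim3)
    missing = handle_callback(victim3, f"{REDIRECT_URI}?code=ATTACKER-CODE")

    # 4. Replay of the already-consumed state from step 1.
    replay = handle_callback(victim, f"{REDIRECT_URI}?code=GOOD-CODE&state={state}")

    return {"legitimate": legitimate, "forged": forged, "missing": missing, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

When checking a deployed site by hand, the equivalent test is to remove or alter the `state` parameter on the callback URL and observe whether the site still completes the login; a site that does is exposed to the redirect-URI CSRF the paper measures.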

Notes

Acknowledgment

This work was supported by JSPS KAKENHI Grant Number 18K11305. We are deeply grateful to Kotaro Maki, Ryohei Hosoya and Satoshi Yashiro for this work.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Takamichi Saito (1), corresponding author
  • Tsubasa Kikuta (2)
  • Rikita Koshiba (2)
  1. Meiji University, Kanagawa, Japan
  2. Graduate School of Meiji University, Kanagawa, Japan