Abstract
Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.
© 2014 Springer International Publishing Switzerland
Li, W., Mitchell, C.J. (2014). Security Issues in OAuth 2.0 SSO Implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_34
DOI: https://doi.org/10.1007/978-3-319-13257-0_34
Print ISBN: 978-3-319-13256-3
Online ISBN: 978-3-319-13257-0