
Analysing the Security of Google’s Implementation of OpenID Connect

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9721)

Abstract

Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user from an OpenID Provider (OP). A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions that sacrifice security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real-world OpenID Connect systems.



Author information

Corresponding author: Wanpeng Li.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Li, W., Mitchell, C.J. (2016). Analysing the Security of Google’s Implementation of OpenID Connect. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science, vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_18


  • DOI: https://doi.org/10.1007/978-3-319-40667-1_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1
