Abstract
Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google's OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user from an OpenID Provider (OP). A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions that sacrifice security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real-world OpenID Connect systems.
© 2016 Springer International Publishing Switzerland
Cite this paper
Li, W., Mitchell, C.J. (2016). Analysing the Security of Google’s Implementation of OpenID Connect. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_18
DOI: https://doi.org/10.1007/978-3-319-40667-1_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40666-4
Online ISBN: 978-3-319-40667-1