
Security Issues in OAuth 2.0 SSO Implementations

Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)

Abstract

Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.





Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Li, W., Mitchell, C.J. (2014). Security Issues in OAuth 2.0 SSO Implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_34


  • DOI: https://doi.org/10.1007/978-3-319-13257-0_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0
