ABSTRACT
Millions of users routinely use Google to log in to websites supporting the standardised protocols OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice relying parties (RPs) often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, one of which has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 it was able to warn users that they were using an insecure implementation.