Analysing the Security of Google’s Implementation of OpenID Connect

  • Wanpeng Li
  • Chris J. Mitchell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)

Abstract

Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user. A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions sacrificing security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, Egham, UK
