Abstract
More and more websites use OAuth 2.0 protocol to provide SSO services to ease password management for users. Although OAuth 2.0 has been implemented carefully by following many guidelines, still some parts have been ignored. In this paper, we discover a new attack mode for hijacking the account in the OAuth-based SSO system. We conduct an empirical study for the proposed attack on top 500 Chinese websites of Alexa supporting SSO services by 6 IdPs. Our results uncover four vulnerabilities that allow attackers hijack the victim’s account without knowing the user’s username and password. Closer examination reveals that 68.67%, 12.87%, 68.67% and 59.66% of the websites are vulnerable to the four vulnerabilities respectively and 45.49% of the websites can be conducted proposed complete attack. To defend this attack, we provide developers simple practical recommendations to the critical vulnerable nodes.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using alloy framework. In: Communication Systems and Network Technologies, pp. 655–659. IEEE, Jammu (2011)
Chari, S., Jutla, C., Roy, A.: Universally composable security analysis of OAuth v2.0. Report 2011/526 (2011)
Fett, D., Küsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1204–1215. ACM, Vienna (2016)
Li, W., Mitchell, C.J., Chen, T.: Mitigation CSRF Attacks on OAuth 2.0 and OpenID Connect. https://arxiv.org/abs/1801.07983
Wang, H., Zhang, Y., Li, J., Gu, D.: The Achilles’ heel of OAuth: a multi-platform study of OAuth-based authentication. In: Proceedings of the 32nd Annual Conference on Computer Security Application, pp. 167–176. ACM, Los Angeles (2016)
Sun, S.T., Beznosov, K.: The devil is the implementation details: an empirical analysis of OAuth SSO system. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 378–390. ACM, Raleigh (2012)
The OAuth 2.0 Authorization Framework. https://tools.ietf.org/html/rfc6749
OAuth 2.0 Threat Model and Security Considerations. https://tools.ietf.org/html/rfc6819
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE, Washington, D.C. (2001)
Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through Facebook and Google: a traffic-guide security study of commercially deployed single-sign-on services. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 365–379. IEEE, Washington, D.C. (2012)
Wang, H., Zhang, Y., Li, J., Liu, H., Yang, W., Li, B., Gu, D.: Vulnerability assessment of OAuth implementations in android application. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 61–70. ACM, Los Angeles (2015)
Shehab, M., Mohsen, F.: Securing OAuth implementations in smart phones. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, pp. 167–170. ACM, San Antonio (2014)
Chen, E.Y., Pei, Y., Chen, S., Tian, Y., Kotcher, R., Tague, P.: OAuth demystified for mobile application developers. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 892–903. ACM, Arizona (2014)
Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 529–541. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_34
Slack, Q., Frostig, R.: OAuth 2.0 implicit grant flow analysis using Murphi. http://www.stanford.edu/class/cs259/WWW11/
Dill, D.L.: The Mur \(\upphi \) verification system. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 390–393. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61474-5_86
Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. J. Comput. 22, 601–657 (2014)
Hu, P., Yang, R., Li, Y., Lau, W.C.: Application impersonation: problems of OAuth and API design in online social networks. In: Proceedings of the Second ACM Conference on Online Social Networks, Dublin, pp. 271–278 (2014)
CNVD-2018-01622. http://www.cnvd.org.cn/webinfo/show/4397
Trabelsi, Z.: Hands-on lab exercises implementation of DoS and MiM attacks using ARP cache poisoning. In: Proceedings of the 2011 Information Security Curriculum Development Conference, pp. 74–83. ACM, Kennesaw (2011)
Bull, R., Matthews, J.N., Trumbull, K.A.: VLAN hopping, ARP poisoning and man-in-the-middle attacks in virtualized environments. https://ronnybull.com/assets/docs/bullrl_defcon24_slides.pdf
HTTP\(\_\)referer. https://en.wikipedia.org/wiki/HTTP_referer
Acknowledgments
The authors would like to thank the anonymous reviewers for their helpful comments for improving this paper. This work is supported by the National Key R&D Program of China (2016YFB0801604).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Qiu, K., Liu, Q., Liu, J., Yu, L., Wang, Y. (2018). An Empirical Study of OAuth-Based SSO System on Web. In: Chellappan, S., Cheng, W., Li, W. (eds) Wireless Algorithms, Systems, and Applications. WASA 2018. Lecture Notes in Computer Science(), vol 10874. Springer, Cham. https://doi.org/10.1007/978-3-319-94268-1_33
Download citation
DOI: https://doi.org/10.1007/978-3-319-94268-1_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94267-4
Online ISBN: 978-3-319-94268-1
eBook Packages: Computer ScienceComputer Science (R0)