DOI: 10.1145/2382196.2382238
Research article

The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems

Published: 16 October 2012

ABSTRACT

Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdPs) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.


Published in

CCS '12: Proceedings of the 2012 ACM Conference on Computer and Communications Security, October 2012, 1088 pages. ISBN: 9781450316514. DOI: 10.1145/2382196. Copyright © 2012 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.
