The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Date: October 2012
Publication: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12
Page(s): 378-390
Source 1: http://css.csail.mit.edu/6.858/2012/readings/oauth-sso.pdf
Source 2: http://dx.doi.org/10.1145/2382196.2382238 - Subscription or payment required
Abstract or Summary:
Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdPs) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.