000000279 001__ 279
000000279 005__ 20130522141940.0
000000279 037__ $$aLERSSE-RefConfPaper-2012-003
000000279 100__ $$aSan-Tsai Sun
000000279 245__ $$aThe Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems
000000279 260__ $$c2012-08-14
000000279 300__ $$a13
000000279 520__ $$aMillions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdPs) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.
000000279 6531_ $$aOAuth 2.0, Web Single Sign-On, Authentication, issnet
000000279 700__ $$aKonstantin Beznosov
000000279 8560_ $$fsantsais@ece.ubc.ca
000000279 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/279/files/279.pdf$$yTransfer from CDS 0.99.7
000000279 909C4 $$pSan-Tsai Sun and Konstantin Beznosov. The devil is in the (implementation) details: An empirical analysis of OAuth SSO systems. In Proceedings of ACM Conference on Computer and Communications Security (CCS'12), October 2012.
000000279 980__ $$aRefConfPaper