Abstract
Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | International Conference on Information Security |
| Editors | SSM Chow, J Camenisch, LCK Hui, SM Yiu |
| Place of Publication | Cham |
| Publisher | Springer |
| Pages | 529-541 |
| Number of pages | 13 |
| ISBN (Electronic) | 978-3-319-13257-0 |
| ISBN (Print) | 978-3-319-13256-3 |
| DOIs | |
| Publication status | Published - 14 Oct 2014 |
Publication series

| Field | Value |
|---|---|
| Name | Lecture Notes in Computer Science |
| Publisher | Springer |
| Volume | 8783 |
| ISSN (Print) | 0302-9743 |
Keywords
- user agent
- resource owner
- identity provider
- security assertion markup language
- identity federation
Fingerprint
Research topics of 'Security Issues in OAuth 2.0 SSO Implementations'.
Profiles
- Wanpeng Li (Person: Academic)