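@inproceedings{d893bd2a8ce2469abe28ac91c0ed48a8,
  author        = {Li, Wanpeng and Mitchell, Chris J. and Chen, Thomas},
  title         = {Your Code Is My Code: Exploiting a Common Weakness in {OAuth} 2.0 Implementations},
  booktitle     = {Security Protocols {XXVI}},
  editor        = {Maty{\'a}{\v s}, V. and {\v S}venda, P. and Stajano, F. and Christianson, B.},
  series        = {Lecture Notes in Computer Science},
  publisher     = {Springer},
  year          = {2018},
  month         = nov,
  day           = {24},
  pages         = {24--41},
  doi           = {10.1007/978-3-030-03251-7_3},
  isbn          = {978-3-030-03250-0},
  language      = {English},
  note          = {Cambridge International Workshop on Security Protocols: Security Protocols 2018: Security Protocols XXVI},
  keywords      = {OAuth 2.0, single sign-on, redirect URI, authorization code, identity providers},
  abstract      = {Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user{\textquoteright}s OAuth 2.0 code (a token representing a right to access user data) without the user{\textquoteright}s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.},
  internal-note = {Normalised from an auto-export: trailing whitespace removed from note/publisher, names in Last, First form, OAuth/XXVI brace-protected against style recasing. The day field is non-standard and ignored by classic styles; keywords are taken from the abstract. Citation key left unchanged so existing \cite commands keep resolving.},
}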