Publication


Featured research published by San-Tsai Sun.


computer and communications security | 2012

The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems

San-Tsai Sun; Konstantin Beznosov

Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdPs) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.


Computers & Security | 2012

Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures

San-Tsai Sun; Kirstie Hawkey; Konstantin Beznosov

OpenID 2.0 is a user-centric Web single sign-on protocol with over one billion OpenID-enabled user accounts and tens of thousands of supporting websites. While the security of the protocol is clearly critical, so far its security analysis has only been done in a partial and ad-hoc manner. This paper presents the results of a systematic analysis of the protocol using both formal model checking and an empirical evaluation of 132 popular websites that support OpenID. Our formal analysis reveals that the protocol does not guarantee the authenticity and integrity of the authentication request, and that it lacks contextual bindings among the protocol messages and the browser. The results of our empirical evaluation suggest that many OpenID-enabled websites are vulnerable to a series of cross-site request forgery (CSRF) attacks that either allow an attacker to stealthily force a victim user to sign into the OpenID-supporting website and launch subsequent CSRF attacks (81%), or force a victim to sign in as the attacker in order to spoof the victim's personal information (77%). With additional capabilities (e.g., controlling a wireless access point), the adversary can impersonate the victim on 80% of the evaluated websites, and manipulate the victim's profile attributes by forging the extension parameters on 45% of those sites. Based on the insights from this analysis, we propose and evaluate a simple and scalable mitigation technique for OpenID-enabled websites, and an alternative man-in-the-middle defense mechanism for deployments of OpenID without SSL.


ACM Transactions on Internet Technology | 2013

Investigating Users’ Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

OpenID and OAuth are open and simple Web SSO protocols that have been adopted by major service providers and millions of supporting Web sites. However, the average user's perception of Web SSO is still poorly understood. Through several user studies, this work investigates users' perceptions and concerns when using Web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. These ranged from inadequate mental models of Web SSO, to concerns about personal data exposure, to a reduction in the perceived value of Web SSO due to existing password management practices. Informed by our findings, we offer a Web SSO technology acceptance model and suggest design improvements.


digital identity management | 2010

OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle

San-Tsai Sun; Kirstie Hawkey; Konstantin Beznosov

Current Web single sign-on (SSO) solutions impose a cognitive burden on web users and do not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). We propose a browser-based Web SSO solution that requires minimal user interaction and provides RPs with clear value propositions to motivate their adoption. Our approach builds OpenID support into web browsers, hides OpenID identifiers from users by using their existing email accounts, extends the OpenID protocol to perform authentication directly by browsers, and introduces an OpenIDAuth HTTP access authentication scheme to convey authenticated identities automatically to websites that support OpenID for authentication. Our solution embeds an intuitive and consistent login experience for web users in the browser; to motivate adoption by RPs, it provides them with instant marketable leads and the potential for gradual engagement of site visitors.


security and privacy in smartphones and mobile devices | 2015

Android Rooting: Methods, Detection, and Evasion

San-Tsai Sun; Andrea Cuadros; Konstantin Beznosov

Android rooting enables device owners to freely customize their own devices and run useful apps that require root privileges. While useful, rooting weakens the security of Android devices and opens the door for malware to obtain privileged access easily. Thus, several rooting prevention mechanisms have been introduced by vendors, and sensitive or high-value mobile apps perform rooting detection to mitigate potential security exposures on rooted devices. However, there is a lack of understanding whether existing rooting prevention and detection methods are effective. To fill this knowledge gap, we studied existing Android rooting methods and performed manual and dynamic analysis on 182 selected apps, in order to identify current rooting detection methods and evaluate their effectiveness. Our results suggest that these methods are ineffective. We conclude that reliable methods for detecting rooting must come from integrity-protected kernels or trusted execution environments, which are difficult to bypass.


annual computer security applications conference | 2009

Secure Web 2.0 Content Sharing Beyond Walled Gardens

San-Tsai Sun; Kirstie Hawkey; Konstantin Beznosov

Web 2.0 users need usable mechanisms for sharing their content with each other in a controlled manner across boundaries of content-hosting or application-service providers (CSPs). In this paper, we describe the architecture, design, and implementation of a proposed system for Web 2.0 content sharing across CSPs. With our approach, users use their existing email account to login to CSPs, and content owners use their email-based contact-lists to specify access policies. Users are assumed to be equipped only with a Web browser and CSPs do not need to change their existing access-control mechanisms. In addition, policy statements are URI-addressable, and the same access policies can be reused and enforced across CSPs.


human factors in computing systems | 2011

OpenID-enabled browser: towards usable and secure web single sign-on

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

OpenID is an open and promising Web single sign-on solution; however, the interaction flows provided by OpenID are inconsistent, counter-intuitive, and vulnerable to phishing attacks. In this work, we investigated the challenges web users face when using OpenID for authentication, and designed a phishing-resistant, privacy-preserving browser add-on to provide a consistent and intuitive single sign-on user experience for average web users.


iNetSeC | 2009

Open Problems in Web 2.0 User Content Sharing

San-Tsai Sun; Konstantin Beznosov

Users need useful mechanisms for sharing their Web 2.0 content with each other in a controlled manner across boundaries of content-hosting and service providers (CSPs). In this paper, we discuss open problems and research opportunities in the domain of Web 2.0 content sharing among users. We explore issues in the categories of user needs, current sharing solutions provided by CSPs, and distributed access-control related technologies. For each open problem, we discuss existing and potential solutions, and point out areas for future work.


computational science and engineering | 2009

Towards Enabling Web 2.0 Content Sharing beyond Walled Gardens

San-Tsai Sun; Kirstie Hawkey; Konstantin Beznosov

Web 2.0 users have many choices of content-hosting or application-service providers (CSPs). It can be difficult for a user to share content with a set of real-life friends and associates, since the intended viewers of the content may have different CSP memberships than the content sharer. Web 2.0 users need usable mechanisms for sharing their content with each other in a controlled manner across the boundaries of CSPs. In this position paper, we discuss the problem users face and propose a solution that builds upon the existing secret-link mechanism. Our proposed solution does not require users to set up another account on each CSP to view shared content, and does not require any special software to be installed. The mechanisms for content hosting and sharing are separated; CSPs do not need to change their existing access-control mechanisms.


symposium on usable privacy and security | 2011

What makes users refuse web single sign-on?: an empirical investigation of OpenID

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

Collaboration

Top co-authors of San-Tsai Sun:

Konstantin Beznosov, University of British Columbia
Ildar Muslukhov, University of British Columbia
Eric Pospisil, University of British Columbia
Nuray Dindar, University of British Columbia
Yazan Boshmaf, University of British Columbia
Primal Wijesekera, University of British Columbia
Andrea Cuadros, Polytechnic University of Catalonia