
How Securely Are OAuth/OpenID Connect Implemented in Japan?

  • Conference paper

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 97))

Abstract

Electronic commerce (EC) websites often authenticate users through a so-called social login, in which the user signs in with a social media account such as Facebook, Google, or Twitter. In such a case, the website uses OAuth and OpenID Connect. However, a website's implementation might raise privacy concerns or be vulnerable to attacks. In this paper, by crawling the login pages of 500 Japanese EC sites and tracing the authentication flows, we investigate the implementation status of social logins and their security against cross-site request forgery. We observed 28 websites that either acquired more user permissions from the SNS than necessary or were vulnerable as a result of improper implementation.
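The two findings in the abstract (sites requesting more permissions than they need, and sites whose social-login callback can be forged) map onto two checks a relying party should make in the OAuth 2.0 authorization code flow: request a least-privilege scope, and bind an unguessable `state` value to the user's session so that a callback the user did not initiate is rejected. The following is an added example written for this page, not code from the paper or from any of the sites it surveyed; the provider endpoint, client id and redirect URI are constructed placeholders, and the session is modelled as a plain server-side dict.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed example values: a hypothetical identity provider and relying party.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "ec-site-client"            # placeholder, not a real client id
REDIRECT_URI = "https://shop.example/callback"
# Least privilege: a login only needs the OpenID Connect "openid" scope.
MINIMAL_SCOPE = "openid"


def begin_login(session: dict) -> str:
    """Build the authorization request and bind a fresh `state` to the user's session."""
    state = secrets.token_urlsafe(32)    # unguessable, generated per login attempt
    session["oauth_state"] = state       # kept server-side, never trusted from the request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": MINIMAL_SCOPE,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the provider; reject anything not tied to this session."""
    query = parse_qs(urlparse(callback_url).query)
    # Single use: consume the stored state even when validation fails, so it cannot be replayed.
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return {"ok": False, "reason": "missing state"}
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        return {"ok": False, "reason": "state mismatch"}
    code = query.get("code", [None])[0]
    if not code:
        return {"ok": False, "reason": "missing code"}
    # Only now is it safe to exchange `code` for tokens at the provider.
    return {"ok": True, "code": code}


def requested_scopes(authz_url: str) -> set:
    """Review helper: the set of scopes an authorization request asks for."""
    q = parse_qs(urlparse(authz_url).query)
    return set(q.get("scope", [""])[0].split())


def over_privileged(authz_url: str, needed: set) -> set:
    """Scopes requested beyond what the login needs; an empty set is the goal."""
    return requested_scopes(authz_url) - needed
```

`over_privileged` is the kind of check the paper's crawl performs from the outside: given the authorization URL a site sends the browser to, it lists every scope beyond the minimum, which is exactly the excess-permission pattern the abstract reports. `handle_callback` shows the CSRF defence from the inside: a callback with no `state`, a `state` that does not match the session, or a replayed `state` is refused before any token exchange happens.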



Acknowledgment

This work was supported by JSPS KAKENHI Grant Number 18K11305. We are deeply grateful to Kotaro Maki, Ryohei Hosoya and Satoshi Yashiro for this work.

Author information

Corresponding author: Takamichi Saito.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Saito, T., Kikuta, T., Koshiba, R. (2020). How Securely Are OAuth/OpenID Connect Implemented in Japan?. In: Barolli, L., Hellinckx, P., Enokido, T. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2019. Lecture Notes in Networks and Systems, vol 97. Springer, Cham. https://doi.org/10.1007/978-3-030-33506-9_73


  • DOI: https://doi.org/10.1007/978-3-030-33506-9_73


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-33505-2

  • Online ISBN: 978-3-030-33506-9
