Abstract
Many electronic commerce (EC) websites authenticate users through a so-called social login, in which the user signs in with a social media account such as Facebook, Google or Twitter. In that case the website relies on OAuth and OpenID Connect. However, a website's implementation may raise privacy concerns or be vulnerable to attacks. In this paper, by crawling the login pages of 500 Japanese EC sites and tracing their authentication flows, we investigate how social logins are implemented and whether they are secure against cross-site request forgery. We found 28 websites that requested more user permissions from the SNS than necessary, or that were vulnerable as a result of improper implementation.
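The two findings the abstract counts, a login flow that can be forged by cross-site request forgery and a flow that asks the SNS for more permissions than the login needs, both show up on the relying party's side of the OAuth 2.0 authorization-code flow. The following is an added illustration, not code from the paper or from any of the surveyed sites: a minimal relying party that binds an unguessable `state` value to the user's session before redirecting to the provider and checks it on the redirect URI (the defence RFC 6819 describes for CSRF against the redirect URI), shown next to a callback handler that omits the check, plus a small audit routine that flags a missing `state` or excess scopes in an authorization URL. The endpoint, client id, redirect URI, the minimal scope set and the 16-character length threshold are all assumed placeholder values.

```python
"""Relying-party side of an OAuth 2.0 authorization-code login.

Added example; the endpoint, client id, redirect URI and scope policy below
are constructed placeholders for a hypothetical EC site, not values taken
from the paper or from any surveyed website.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"  # placeholder
CLIENT_ID = "ec-site-client-id"                                   # placeholder
REDIRECT_URI = "https://shop.example/login/callback"              # placeholder

# Scopes a login actually needs (assumed policy); anything beyond this is
# more permission than the site requires for authentication.
NEEDED_SCOPES = {"openid", "email"}

# A state value shorter than this is treated as absent or guessable (assumed threshold).
MIN_STATE_LENGTH = 16


class Session:
    """Stand-in for a server-side session store keyed by the browser's cookie."""

    def __init__(self):
        self.data = {}


def build_authorization_url(session, scopes):
    """Start the flow: mint a fresh state, store it in this session, redirect."""
    state = secrets.token_urlsafe(32)          # 256 bits of entropy
    session.data["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_from_url(url):
    """Helper for callers and tests: extract the state parameter of a URL."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback_unsafe(session, callback_url):
    """Improper implementation: the code is accepted without any session binding,
    so a victim can be made to complete a login that the attacker started."""
    return parse_qs(urlparse(callback_url).query)["code"][0]


def handle_callback_safe(session, callback_url):
    """Correct implementation: the state on the redirect must equal the one bound
    to this session, and it is consumed so it cannot be replayed.
    Returns the authorization code, or None when the login must be aborted."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.data.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected, received):  # constant-time compare
        return None
    return query.get("code", [None])[0]


def excess_scopes(requested, needed=NEEDED_SCOPES):
    """Scopes requested from the SNS beyond what the login needs."""
    return set(requested) - set(needed)


def audit_authorization_url(url):
    """Flag the two implementation problems as an auditor crawling login pages would."""
    query = parse_qs(urlparse(url).query)
    findings = []
    if len(query.get("state", [""])[0]) < MIN_STATE_LENGTH:
        findings.append("missing or weak state parameter")
    requested = set(query.get("scope", [""])[0].split())
    extra = excess_scopes(requested)
    if extra:
        findings.append("excess scopes: " + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    s = Session()
    url = build_authorization_url(s, NEEDED_SCOPES)
    print(audit_authorization_url(url))   # [] : state present, scopes minimal
    print(handle_callback_safe(s, REDIRECT_URI + "?code=abc&state=" + state_from_url(url)))
```

The state must be stored server-side (or in an HttpOnly cookie) before the redirect and removed once used; checking only that a `state` parameter is present, without comparing it to the session, gives no protection.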
Acknowledgment
This work was supported by JSPS KAKENHI Grant Number 18K11305. We are deeply grateful to Kotaro Maki, Ryohei Hosoya and Satoshi Yashiro for this work.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Saito, T., Kikuta, T., Koshiba, R. (2020). How Securely Are OAuth/OpenID Connect Implemented in Japan?. In: Barolli, L., Hellinckx, P., Enokido, T. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2019. Lecture Notes in Networks and Systems, vol 97. Springer, Cham. https://doi.org/10.1007/978-3-030-33506-9_73
DOI: https://doi.org/10.1007/978-3-030-33506-9_73
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33505-2
Online ISBN: 978-3-030-33506-9
eBook Packages: Engineering (R0)