DOI: 10.1145/3545948.3545955
Research article

OAuch: Exploring Security Compliance in the OAuth 2.0 Ecosystem

Published: 26 October 2022

Abstract

The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. It has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations.
This paper sets out to improve the security of the OAuth landscape by measuring how well individual identity providers (IdPs) implement the security specifications defined in the OAuth standard, and by providing detailed and targeted feedback to the operators to improve the compliance of their service. We present a tool, called OAuch, that tests and analyzes IdPs according to the guidelines of the OAuth standards and security best practices.
We evaluate 100 publicly deployed OAuth IdPs using OAuch and aggregate the results to create a unique overview of the current state of practice in the OAuth ecosystem. We determine that, on average, an OAuth IdP does not implement 34% of the security specifications present in the OAuth standards, including 20% of the required specifications.
We then validate the IdPs against the OAuth threat model. The analysis shows that 97 IdPs leave one or more threats completely unmitigated (with an average of 4 unmitigated threats per IdP). No IdPs fully mitigate all threats.
We further validate the results by picking four attack vectors and using the tool’s output to determine which IdPs to attack. The results were highly accurate, with a false positive rate of 1.45% and a false negative rate of 1.48% for the four attack vectors combined.


Published In

RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022
536 pages
ISBN:9781450397049
DOI:10.1145/3545948
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID 2022

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Cited By

  • (2025) Developing the Flexible Conformance Test Execution Platform for OAuth 2.0-based Security Profiles. Journal of Information Processing 33, 168–183. DOI: 10.2197/ipsjjip.33.168. Online publication date: 2025.
  • (2024) A Comparative Survey of Centralised and Decentralised Identity Management Systems: Analysing Scalability, Security, and Feasibility. Future Internet 17(1), article 1. DOI: 10.3390/fi17010001. Online publication date: 24 Dec 2024.
  • (2024) Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 555–569. DOI: 10.1145/3658644.3670323. Online publication date: 2 Dec 2024.
  • (2024) Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool. IEEE Security and Privacy 22(6), 50–61. DOI: 10.1109/MSEC.2024.3450277. Online publication date: 1 Nov 2024.
  • (2024) SoK: SSO-MONITOR - The Current State and Future Research Directions in Single Sign-on Security Measurements. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), 173–192. DOI: 10.1109/EuroSP60621.2024.00018. Online publication date: 8 Jul 2024.
  • (2023) Continuous Intrusion: Characterizing the Security of Continuous Integration Services. 2023 IEEE Symposium on Security and Privacy (SP), 1561–1577. DOI: 10.1109/SP46215.2023.10179471. Online publication date: May 2023.
  • (2023) Revisiting OAuth 2.0 Compliance: A Two-Year Follow-Up Study. 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 521–525. DOI: 10.1109/EuroSPW59978.2023.00064. Online publication date: Jul 2023.
  • (2023) Research on vulnerability mining of authentication protocol based on fuzzy simulation. 2023 IEEE International Symposium on Broadband Multimedia Systems and Broadcasting (BMSB), 1–4. DOI: 10.1109/BMSB58369.2023.10211222. Online publication date: 14 Jun 2023.
