OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. / Li, Wanpeng; Mitchell, Chris J; Chen, Tom.

Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019. ACM, 2019.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Forthcoming

Harvard

Li, W, Mitchell, CJ & Chen, T 2019, OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. in Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019. ACM. https://doi.org/10.1145/3338500.3360331

APA

Li, W., Mitchell, C. J., & Chen, T. (Accepted/In press). OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. In Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019. ACM. https://doi.org/10.1145/3338500.3360331

Vancouver

Li W, Mitchell CJ, Chen T. OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. In Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019. ACM. 2019 https://doi.org/10.1145/3338500.3360331

Author

Li, Wanpeng ; Mitchell, Chris J ; Chen, Tom. / OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019. ACM, 2019.

BibTeX

@inproceedings{71e1ca6bf08c4ca5b9d9544315ac4b90,
title = "OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect",
abstract = "Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.",
author = "Wanpeng Li and Mitchell, {Chris J} and Tom Chen",
year = "2019",
month = "9",
day = "2",
doi = "10.1145/3338500.3360331",
language = "English",
booktitle = "Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019",
publisher = "ACM",
}

RIS

TY - GEN

T1 - OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

AU - Li, Wanpeng

AU - Mitchell, Chris J

AU - Chen, Tom

PY - 2019/9/2

Y1 - 2019/9/2

N2 - Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.

AB - Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.

UR - https://arxiv.org/abs/1901.08960

U2 - 10.1145/3338500.3360331

DO - 10.1145/3338500.3360331

M3 - Conference contribution

BT - Proceedings of the Security Standardisation Research Conference 2019 (SSR 2019, an ACM CCS 2019 Workshop), London, November 11 2019

PB - ACM

ER -