It’s hard to get a security protocol right. It seems even harder to get its implementations right, even more so when millions use it on daily basis. LERSSE’s Sun-Tsai will present at ACM CCSthis October several critical vulnerabilities he has uncovered in implementation of OAuth 2.0, used by Facebook, Microsoft, Google, and many other identity providers and relying parties. These vulnerabilities allow an attacker to gain unauthorized access to the victim user’s profile and social graph, and impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.
See the paper for details.