Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks

Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On

Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues

Analysing the Security of Google's implementation of OpenID Connect

Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems

"Sign in with ... Privacy'': Timely Disclosure of Privacy Differences among Web SSO Login Options

The number of login options on web sites has increased since the introduction of web single sign-on (SSO) protocols. Web SSO services allow users to grant web sites or relying parties (RPs) access to their personal profile information from identity provider (IdP) accounts. Many RP sites do not provide sufficient privacy information that could help users make informed login decisions. Moreover, privacy differences in permission requests across login options are largely hidden from users and are time-consuming to manually extract and compare. In this paper, we present an empirical analysis of popular RP implementations supporting three major IdP login options (Facebook, Google, and Apple) and categorize RPs in the top 500 sites into four client-side code patterns. Informed by these RP patterns, we design and implement SSOPrivateEye (SPEye), a browser extension prototype that extracts and displays to users permission request information from SSO login options in RPs covering the three IdPs

Automated Security Testing for Identity Management of Large-scale Digital Infrastructures

Ensuring the security of an organization's digital assets against cyber threats is critical in today's technology-driven world. Regular security testing is one of the measures that can help assess the effectiveness of security controls, identify vulnerabilities, and strengthen the overall cybersecurity posture. Identity Management (IdM) protocols such as Security Assertion Markup Language 2.0, OpenID Connect, and OAuth 2.0 play a crucial role in protecting against identity theft, fraud, and security breaches. Also, following the Best Current Practices introduced by the standards to enhance the security of IdM protocols is essential to minimize the risk of unauthorized access, data breaches, and other security threats and to maintain compliance with regulatory requirements, and build trust with users and stakeholders. However, deploying these protocols can be challenging due to the complexity in designing, developing and implementing cryptographic mechanisms. The implementation of IdM protocols encounters three significant obstacles: fragmented security information, rapidly evolving threat environment, and the need for a controlled testing environment. Security testers must stay up-to-date with emerging threats and establish an appropriate testing infrastructure to guarantee the security and robustness of IdM implementations, while also minimizing the possibility of security incidents that could adversely affect operations. Automated security testing plays a crucial role in addressing security concerns, particularly as the intricate functional aspects of IdM solutions contribute to their complexity. It is essential to prioritize automation to bridge the cybersecurity skills gap among IT professionals. In this thesis, we propose Micro-Id-Gym (MIG), a framework that offers (i) an easy way to configure and reproduce the IdM production environment in a sandbox, allowing hands-on experiences with potentially impactful security tests that may winder availability of services and (ii) automatic security testing of IdM implementations together with suggestions for mitigations to avoid identified vulnerabilities. MIG provides a set of security testing tools for creating, executing, and analyzing security test cases through MIG-L, a declarative test specification language. We have evaluated the effectiveness of MIG by conducting experiments to assess the accuracy in supporting detection of relevant vulnerabilities in the implementation of IdM protocols. We utilized MIG to conduct security analyses across various corporate scenarios and projects, identifying vulnerabilities and responsibly disclosing them through bug bounty programs. Our findings were recognized by the providers, who awarded us both monetary compensation and public recognition. Overall, MIG can help organizations establish a robust and agile security testing strategy, supported by suitable infrastructure and testing procedures, that can ensure the security and resilience of their IdM implementations