157 research outputs found

    Security Issues in OAuth 2.0 SSO Implementations

    Abstract. Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.

    Analysing the Security of Google's implementation of OpenID Connect

    Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

    The correlations with identity companion automorphism, of finite Desarguesian planes

    Abstract. As a first step towards the general classification of correlations of finite Desarguesian planes, we present, up to isomorphism, all the correlations with identity companion automorphism which are not polarities, of such planes.

    BrowserAudit: Automated testing of browser security features

    The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers. Copyright is held by the owner/author(s).

    Use of specific Green's functions for solving direct problems involving a heterogeneous rigid frame porous medium slab solicited by acoustic waves

    A domain integral method employing a specific Green's function (i.e., incorporating some features of the global problem of wave propagation in an inhomogeneous medium) is developed for solving direct and inverse scattering problems relative to slab-like macroscopically inhomogeneous porous obstacles. It is shown how to numerically solve such problems, involving both spatially-varying density and compressibility, by means of an iterative scheme initialized with a Born approximation. A numerical solution is obtained for a canonical problem involving a two-layer slab. Comment: submitted to Math.Meth.Appl.Sc

    Shapes, contact angles, and line tensions of droplets on cylinders

    Using an interface displacement model we calculate the shapes of nanometer-size liquid droplets on homogeneous cylindrical surfaces. We determine effective contact angles and line tensions, the latter defined as excess free energies per unit length associated with the two contact lines at the ends of the droplet. The dependences of these quantities on the cylinder radius and on the volume of the droplets are analyzed. Comment: 26 pages, RevTeX, 10 Figure

    Defining the Structural Parameters That Confer Anticonvulsant Activity by the Site-by-Site Modification of (R)-N′-Benzyl 2-Amino-3-methylbutanamide

    Primary Amino Acid Derivatives (PAADs) (N′-benzyl 2-substituted 2-amino acetamides) are structurally related to Functionalized Amino Acids (FAAs) (N′-benzyl 2-substituted 2-acetamido acetamides) but differ by the absence of the terminal N-acetyl group. Both classes exhibit potent anticonvulsant activities in the maximal electroshock seizure animal model and the reported structure-activity relationships (SARs) of PAADs and FAAs differ in significant ways. Recently, we documented that PAAD efficacy was associated with a hydrocarbon moiety at the C(2)-carbon, while in the FAAs, a substituted heteroatom one atom removed from the C(2)-center was optimal. Previously in this issue, we showed that PAAD activity was dependent upon the electronic properties of the 4′-N′-benzylamide substituent, while FAA activity was insensitive to electronic changes at this site. In this study, we prepared analogs of (R)-N′-benzyl 2-amino-3-methylbutanamide to identify the structural components for maximal anticonvulsant activity. We demonstrated that the SAR of PAADs and FAAs diverged at the terminal amide site and that PAADs had considerably more structural latitude in the types of units that could be incorporated at this position, suggesting that these compounds function according to different mechanism(s).

    Non-typeable Haemophilus influenzae protein vaccine in adults with COPD: A phase 2 clinical trial

    Loss of airway microbial diversity is associated with non-typeable Haemophilus influenzae (NTHi) infection and increased risk of exacerbation in chronic obstructive pulmonary disease (COPD). We assessed the safety and immunogenicity of an investigational vaccine containing NTHi antigens, recombinant protein D (PD) and combined protein E and Pilin A (PE-PilA), and AS01 adjuvant in adults with moderate/severe COPD and prior exacerbations. In this phase 2, observer-blind, controlled trial (NCT02075541), 145 COPD patients aged 40-80 years randomly (1:1) received two doses of NTHi vaccine or placebo 60 days apart, on top of standard care. Reactogenicity in the 7-day post-vaccination period was higher following NTHi vaccine than placebo. Most solicited adverse events (AEs) were mild/moderate. At least one unsolicited AE was reported during the 30-day post-vaccination period by 54.8% of NTHi vaccine and 51.4% of placebo recipients. One serious AE (placebo group) was assessed by the investigator as vaccine-related. Anti-PD, anti-PE and anti-PilA geometric mean antibody concentrations increased up to 30 days after each NTHi vaccine dose, waned thereafter, but remained higher than baseline (non-overlapping confidence intervals) up to 13 months post-dose 2. The frequency of specific CD4(+) T cells increased following two doses of NTHi vaccine and remained higher than baseline. Exploratory analysis showed a statistically non-significant lower yearly rate of moderate/severe exacerbations in the NTHi vaccine group than following placebo (1.49 versus 1.73) in the one-year period post-dose 2, with estimated vaccine efficacy of 13.3% (95% confidence interval -24.2 to 39.5; p = 0.44). The NTHi vaccine had an acceptable safety and reactogenicity profile and good immunogenicity in adults with COPD.