City Research Online

Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations

Li, W., Mitchell, C. J. & Chen, T. ORCID: 0000-0001-8037-1685 (2018). Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations. In: Security Protocols XXVI. Security Protocols 2018. doi: 10.1007/978-3-030-03251-7_3


Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.

Publication Type: Conference or Workshop Item (UNSPECIFIED)
Additional Information: This is a post-peer-review, pre-copyedit version of a Springer book chapter. The final authenticated version is available online at:
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Science & Technology > Engineering



