City Research Online

Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations

Li, W., Mitchell, C. J. and Chen, T. ORCID: 0000-0001-8037-1685 (2018). Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations. In: Security Protocols XXVI. Security Protocols 2018. (pp. 24-41). Cham, Switzerland: Springer. ISBN 9783030032500

Abstract

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.

Publication Type: Conference or Workshop Item (UNSPECIFIED)
Additional Information: This is a post-peer-review, pre-copyedit version of a Springer book chapter. The final authenticated version is available online at: https://doi.org/10.1007/978-3-030-03251-7_3
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Mathematics, Computer Science & Engineering > Engineering > Electrical & Electronic Engineering
Date Deposited: 06 Mar 2020 17:36
URI: https://openaccess.city.ac.uk/id/eprint/23862