OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

by   Wanpeng Li, et al.

Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.


page 1

page 2

page 3

page 4


Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect

Many millions of users routinely use their Google, Facebook and Microsof...

Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

Onion addresses encode their own public key. They are thus self-authenti...

Understanding Tor Usage with Privacy-Preserving Measurement

The Tor anonymity network is difficult to measure because, if not done c...

Click Spam Prevention Model for On-Line Advertisement

This paper shows a vulnerability of the pay-per-click accounting of Goog...

SSOPrivateEye: Timely Disclosure of Single Sign-On Privacy Design Differences

The number of login options on websites has increased since the introduc...

SSO-Monitor: Fully-Automatic Large-Scale Landscape, Security, and Privacy Analyses of Single Sign-On in the Wild

Single Sign-On (SSO) shifts the crucial authentication process on a webs...

When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions of Users

We evaluate Tencent's QQ Browser, a popular mobile browser in China with...

Please sign up or login with your details

Forgot password? Click here to reset