The OAuth 2.0 protocol has been adopted by mainstream Single Sign-On (SSO) services to support user authentication and authorization for third-party applications. With OAuth 2.0, an identity provider (IdP) such as Facebook grants data-access privileges by issuing an "access token" to a third-party application (App) such as Priceline once the user has approved the request. The App then uses the access token to retrieve the user's protected data hosted by the IdP, and can thereby act as the authorizing user without ever learning their login credentials. Unfortunately, the rapid adoption of SSO services has also resulted in the proliferation of insecure implementations and corresponding vulnerabilities. To tackle these problems, we have developed a series of new techniques and publicly available software tools that enable large-scale, systematic security testing and code analysis for discovering critical vulnerabilities in SSO systems.
MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications
As the open standard for authorization, OAuth 2.0 enables end users to grant third-party applications access to their private resources stored on the service provider. Driven by the broad adoption of OAuth and the boom of mobile apps, many prominent Identity Providers (IdPs), e.g., Facebook and Sina Weibo, have tailored OAuth to support SSO for third-party mobile apps. It is worth noting that OAuth was initially designed to provide a secure authorization service for web applications; when used for SSO on mobile platforms, the protocol is effectively re-purposed for authentication. Although security testing of real-world SSO deployments has attracted considerable attention in recent years, existing work either focuses on websites or relies on the manual discovery of specific, previously known vulnerabilities. To this end, we design and implement MoSSOT (Mobile SSO Tester), an automated blackbox security testing tool for Android applications that use the SSO services of three mainstream service providers.
(Source code available on GitHub)
Make Redirection Evil Again: URL Parser Issues in OAuth
Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security-related headlines about OAuth appear from time to time, and most of the problems were caused by incorrect implementations of the protocol. The user-agent redirection mechanism in OAuth is one of its weaker links, because it is difficult for developers and operators to realize, understand and implement all of its subtle but critical requirements properly. In this talk, we begin by tracing the history of the security community's understanding of OAuth redirection threats. The resulting evolution of the OAuth specification, as well as the current best practice for its implementation, will also be discussed. We then introduce new OAuth redirection attack techniques that exploit the interaction between URL parsing problems and redirection handling in mainstream browsers or mobile apps. In particular, some of the attacks leverage our newly discovered URL interpretation bugs in mainstream browsers and in the Android platform (the latter were independently discovered and have recently been patched). Our empirical study of 50 OAuth service providers worldwide found that numerous top-tier providers, with over 10,000 OAuth client apps and tens of millions of end users between them, are vulnerable to this new attack, with severe impact: it enables the attacker to hijack third-party (relying party) application accounts, gain access to sensitive private information, or even perform privileged actions on behalf of the victim users.
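The redirection weaknesses above come down to how an authorization server matches the `redirect_uri` it receives against what the client registered. The block below is an added example, not code from the talk or its tools: it contrasts two loose checks (prefix matching on a domain-level registration, and comparing only the parsed hostname) with the exact full-string comparison that RFC 6749 section 3.1.2.2 and the OAuth security BCP call for. The client registration, hostnames and attacker-controlled URLs are constructed for the illustration; the backslash case relies on the fact that Python's `urlsplit` keeps `\` inside the authority while browsers following the WHATWG URL standard treat it as `/` for `https` URLs, so the two sides disagree about where the redirect goes.

```python
"""Registered-redirect_uri matching for an OAuth 2.0 authorization endpoint (added example)."""
from urllib.parse import urlsplit

# Constructed registration for one client.
REGISTERED_URI = "https://app.example/cb"      # the exact callback the client registered
REGISTERED_PREFIX = "https://app.example"      # what a domain-level registration amounts to


def weak_prefix_match(redirect_uri: str) -> bool:
    """Common mistake: accept anything that starts with the registered origin."""
    return redirect_uri.startswith(REGISTERED_PREFIX)


def weak_host_match(redirect_uri: str) -> bool:
    """Compare only the hostname as *this* parser sees it; a browser may see another host."""
    try:
        return urlsplit(redirect_uri).hostname == urlsplit(REGISTERED_URI).hostname
    except ValueError:
        return False


def strict_match(redirect_uri: str) -> bool:
    """Exact full-string comparison, after rejecting shapes that invite parser disagreement."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.fragment or "@" in parts.netloc or "\\" in redirect_uri:
        return False
    return redirect_uri == REGISTERED_URI


# Constructed inputs: one legitimate callback and four attacker-shaped variants.
CONSTRUCTED_CASES = [
    ("https://app.example/cb", "legitimate callback"),
    ("https://app.example.attacker.test/cb", "registered host is a prefix of an attacker subdomain"),
    ("https://app.example@attacker.test/cb", "registered host placed in the userinfo part"),
    ("https://attacker.test\\@app.example/cb", "urlsplit reports host app.example; browsers go to attacker.test"),
    ("https://app.example/cb/../other", "same host, path traversal to a different endpoint"),
]


def evaluate(redirect_uri: str) -> dict:
    """Outcome of each check for one redirect_uri."""
    return {
        "prefix": weak_prefix_match(redirect_uri),
        "host": weak_host_match(redirect_uri),
        "strict": strict_match(redirect_uri),
    }


if __name__ == "__main__":
    for uri, note in CONSTRUCTED_CASES:
        print(f"{uri!r:45} {evaluate(uri)}  # {note}")
```

Only the exact comparison rejects every attacker-shaped variant; each loose check lets through at least one of them, and the backslash case shows why "validate the parsed host" is not enough when the party that follows the redirect parses the URL differently.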
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
S3KVetter is designed to check the logical correctness of Single Sign-On (SSO) Software Development Kits (SDKs) and to identify vulnerabilities in them. SSO protocols such as OAuth 2.0 and OpenID Connect have been widely adopted to simplify user authentication and service authorization for third-party applications. Mainstream identity providers, such as Facebook and Google, have developed SDKs to make it easier for third-party application developers to implement SSO, and these SDKs have become a critical foundation for web services. Despite their importance, little effort has been devoted to systematic testing of SSO SDK implementations, especially in the public domain. To this end, S3KVetter leverages dynamic symbolic execution to track the feasible execution paths of an SSO SDK and the predicates associated with each path.
(Source code available on GitHub)
Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols
Although the OAuth 2.0 protocol was originally designed to serve the authorization needs of websites, mainstream identity providers such as Google and Facebook have made significant changes to the protocol to support authentication for mobile apps. Prior research mainly focuses on how the features of mobile operating systems affect OAuth security; little has been done to analyze whether these significant modifications of the protocol call flow are well understood and correctly implemented by app developers. Towards this end, we report a field study of Android OAuth 2.0-based single-sign-on systems. In particular, we perform an in-depth static code analysis of three identity provider apps, Facebook, Google and Sina Weibo, as well as their official SDKs, to understand their OAuth-related transactions. We then dynamically test 600 top-ranked US and Chinese Android apps. Apart from various types of known vulnerabilities, we also discover three previously unknown security flaws affecting these first-tier identity providers and a large number of popular third-party apps. For example, 41% of the apps under study are susceptible to a newly discovered profile attack which, unlike prior work, enables remote account hijacking without any need to trick or interact with the victim. The prevalence of vulnerabilities further motivates us to propose and implement an alternative, foolproof OAuth SDK for one of the affected IdPs that automatically prevents these vulnerabilities. To facilitate adoption of our proposed fixes, our solution requires minimal code changes by the third-party developers of the affected mobile apps.
Model-based Security Testing: an Empirical Study on OAuth 2.0 Implementations
Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations has received increasing attention lately. However, existing work either relies on manual discovery of new vulnerabilities in OAuth 2.0 implementations or performs automated testing for specific, previously known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments of OAuth 2.0 implementations in practice. Key advantages of our approach are (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage, since all possible execution paths within the scope of the model are checked; and (3) its ability to cater for the implementation differences of practical OAuth systems and applications, which lets the analyst offload the manual effort of large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize the proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites that use the OAuth-based Single-Sign-On service provided by those IdPs. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only rediscovers various existing vulnerabilities but also identifies several previously unknown security flaws and new exploits in a large number of real-world applications implementing OAuth 2.0.
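To make the model-based idea concrete, here is an added example that is not OAuthTester and not code from the paper. It models the authorization-code flow as two small state machines, an IdP and a relying-party client, each with switches that inject one weakness, and runs a fixed set of property tests derived from RFC 6749: every test is a deviation from the honest message sequence that a correct deployment must reject (single-use codes, codes bound to the requesting client and to the `redirect_uri` used at authorization, and the client checking `state` against its own session). The client registrations, session identifiers and the "victim"/"attacker" roles are constructed for the illustration; a real tester would drive live endpoints instead of these in-memory models.

```python
"""Property tests for an OAuth 2.0 authorization-code flow against model IdP/client (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdP:
    """Authorization and token endpoints. Setting a flag to False injects that weakness."""
    bind_code_to_client: bool = True
    bind_code_to_redirect_uri: bool = True
    single_use_code: bool = True
    # Constructed registrations: client_id -> registered redirect_uri.
    clients: dict = field(default_factory=lambda: {
        "app-a": "https://a.example/cb",
        "app-b": "https://b.example/cb",
    })
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri)

    def authorize(self, client_id, redirect_uri, state):
        """User has authenticated and consented; issue a code to the registered callback."""
        if self.clients.get(client_id) != redirect_uri:
            return None                            # never redirect to an unregistered URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        return {"code": code, "state": state}

    def token(self, client_id, code, redirect_uri):
        """Code-for-token exchange; RFC 6749 s.4.1.3 binds the code to client and redirect_uri."""
        rec = self.codes.get(code)
        if rec is None:
            return None
        if self.bind_code_to_client and rec[0] != client_id:
            return None
        if self.bind_code_to_redirect_uri and rec[1] != redirect_uri:
            return None
        if self.single_use_code:
            del self.codes[code]
        return {"access_token": secrets.token_urlsafe(16), "sub": "victim"}


@dataclass
class Client:
    """Relying party. check_state=False models a client that ignores the state parameter."""
    client_id: str = "app-a"
    redirect_uri: str = "https://a.example/cb"
    check_state: bool = True
    sessions: dict = field(default_factory=dict)   # browser session -> expected state

    def start(self, session_id):
        self.sessions[session_id] = secrets.token_urlsafe(8)
        return self.sessions[session_id]

    def callback(self, session_id, idp, code, state):
        if self.check_state and self.sessions.get(session_id) != state:
            return None
        return idp.token(self.client_id, code, self.redirect_uri)


def run_suite(idp, client):
    """Each key is a property a correct deployment satisfies; True means the property held."""
    results = {}
    # Honest sequence: authorize -> callback -> token.
    state = client.start("sess-1")
    resp = idp.authorize(client.client_id, client.redirect_uri, state)
    results["honest_flow_succeeds"] = client.callback("sess-1", idp, resp["code"], resp["state"]) is not None
    # Deviation 1: redeem the same code a second time.
    results["code_replay_rejected"] = idp.token(client.client_id, resp["code"], client.redirect_uri) is None
    # Deviation 2: code issued to app-a is redeemed by app-b.
    resp = idp.authorize("app-a", "https://a.example/cb", "x")
    results["cross_client_code_rejected"] = idp.token("app-b", resp["code"], "https://a.example/cb") is None
    # Deviation 3: redirect_uri at the token endpoint differs from the one used at authorization.
    resp = idp.authorize("app-a", "https://a.example/cb", "x")
    results["redirect_uri_mismatch_rejected"] = idp.token("app-a", resp["code"], "https://attacker.test/cb") is None
    # Deviation 4: attacker's code and state are delivered into the victim's session (login CSRF).
    client.start("victim")
    foreign = idp.authorize(client.client_id, client.redirect_uri, "attacker-state")
    results["foreign_state_rejected"] = client.callback("victim", idp, foreign["code"], "attacker-state") is None
    return results


if __name__ == "__main__":
    print("correct deployment :", run_suite(IdP(), Client()))
    print("reusable codes     :", run_suite(IdP(single_use_code=False), Client()))
    print("client ignores state:", run_suite(IdP(), Client(check_state=False)))
```

Running the same suite against each flawed configuration pinpoints exactly which property fails, which is the payoff of testing from a model rather than from a list of previously seen bugs: a new implementation quirk shows up as a failed property even if nobody has named the corresponding attack yet.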
Application Impersonation: Problems of OAuth and API Design in Online Social Networks
The OAuth 2.0 protocol has enjoyed wide adoption by Online Social Network (OSN) providers since its inception. Although the security guidelines for OAuth 2.0 are well discussed in RFC 6749 and RFC 6819, many real-world attacks stemming from the implementation specifics of OAuth 2.0 in various OSNs have been discovered. To our knowledge, previously discovered loopholes are all based on misuse of OAuth, and many of them rely on provider-side or application-side vulnerabilities or faults beyond the scope of the OAuth protocol; it was generally believed that correct use of OAuth 2.0 is secure. In this paper, we show that OAuth 2.0 is intrinsically vulnerable to an App impersonation attack because it provides multiple authorization flows and token types. We start by reviewing and analyzing the OAuth 2.0 protocol and some common API design problems found in many first-tier OSNs. We then propose the App impersonation attack and investigate its impact on 12 major OSN providers. We demonstrate that App impersonation via OAuth 2.0, when combined with additional API design features or deficiencies, makes large-scale exploitation and privacy leaks possible. For example, it becomes possible for an attacker to completely crawl a 200-million-user OSN within just one week and harvest data objects such as status lists and friend lists that users expect to be private to their friends. We also propose fixes that can be readily deployed to tackle the OAuth 2.0-based App impersonation problem.
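The root of App impersonation is that an OAuth 2.0 access token is a bearer credential: whoever presents it is treated as the app it was issued to, even when the token reached the attacker through a flow that hands it to the client side. The following is an added example, not the paper's proposed fix and not any OSN's code. It contrasts an API that accepts a bare token with one that also demands proof of possession of the app secret, using the construction Facebook deploys as `appsecret_proof` (HMAC-SHA256 keyed with the app secret over the access token). The app registry, issued tokens and user data are constructed; a real deployment would look them up in the IdP's token store.

```python
"""Bearer token vs. token plus app-secret proof at an OSN API (added example)."""
import hashlib
import hmac

# Constructed IdP state: app secrets live only on each app's own servers,
# and a token issued to "photo-app" for user alice.
APP_SECRETS = {"photo-app": "constructed-secret-held-by-photo-app-server"}
ISSUED_TOKENS = {
    "tok-alice-photo": {"client_id": "photo-app", "user": "alice", "scope": {"friends"}},
}
FRIENDS = {"alice": ["bob", "carol"]}   # constructed private data


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256(app_secret, access_token), hex encoded; the caller computes this server-side."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def friends_api_bearer_only(access_token: str):
    """Vulnerable variant: any holder of the token is treated as the app it was issued to."""
    rec = ISSUED_TOKENS.get(access_token)
    if rec is None or "friends" not in rec["scope"]:
        return None
    return FRIENDS[rec["user"]]


def friends_api_with_proof(access_token: str, proof: str):
    """Hardened variant: the token is only honoured together with a proof of the app secret."""
    rec = ISSUED_TOKENS.get(access_token)
    if rec is None or "friends" not in rec["scope"]:
        return None
    expected = appsecret_proof(APP_SECRETS[rec["client_id"]], access_token)
    if not hmac.compare_digest(expected, proof):   # constant-time comparison
        return None
    return FRIENDS[rec["user"]]


def impersonation_scenario() -> dict:
    """Attacker has extracted alice's token from the photo-app client but not the app secret."""
    stolen = "tok-alice-photo"
    legit_proof = appsecret_proof(APP_SECRETS["photo-app"], stolen)
    forged_proof = appsecret_proof("guessed-secret", stolen)
    return {
        "attacker_bearer_only": friends_api_bearer_only(stolen),            # succeeds: impersonation
        "attacker_with_forged_proof": friends_api_with_proof(stolen, forged_proof),  # rejected
        "legit_app_with_proof": friends_api_with_proof(stolen, legit_proof),         # succeeds
    }


if __name__ == "__main__":
    for name, outcome in impersonation_scenario().items():
        print(f"{name:28} -> {outcome}")
```

The proof only helps when the secret genuinely stays off the client: an app that embeds its secret in a mobile or JavaScript client hands the attacker the proof key along with the token, which is why the fix has to be paired with server-side token handling for the flows that expose tokens to the client.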