Publication Type : Journal Article
Publisher : IEEE
Source : Innovations in Power and Advanced Computing Technologies (i-PACT)
Url : https://ieeexplore.ieee.org/abstract/document/10434479
Campus : Coimbatore
School : School of Engineering
Center : TIFAC CORE in Cyber Security
Year : 2023
Abstract : Many users all over the world routinely use open authentication and authorization providers based on the OAuth 2.0 framework, such as Google and Facebook, to sign in to third-party websites (relying parties). The authentication (OpenID Connect) and authorization (OAuth) protocols built on the OAuth 2.0 framework enable the relying party application to authenticate its users and gain access to their protected resources without storing any sensitive user credentials such as usernames and passwords. Hence, the way relying parties and identity providers implement these protocols plays an important role in the security of user information and user privacy. Improper implementation of these protocols exposes users to attacks that can lead to unauthorized access to their accounts. In this work, we focused on testing the OAuth implementations of relying parties. For a secure implementation of OAuth 2.0 we found that the following parameters must be present when generating the OAuth request: client_id, state, response_type, redirect_uri and scope. We analyzed around 75 websites that were using Google as an identity provider to grant access to their users. Out of the 75 relying parties, 30% were found vulnerable to CSRF attacks due to a missing state parameter, 13% used the implicit flow, which reveals the id_token or access_token in the OAuth URL, and 2% had secret parameters in the OAuth URL. We developed a browser extension that identifies these issues and alerts the user to them.
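The three checks the abstract describes (missing required parameters, including state; implicit flow via response_type; secret values in the URL) can be expressed as a single audit over an authorization request URL. The following is an added example written for this page, not code from the paper or its browser extension; the required-parameter list comes from the abstract, while the set of names treated as "secret", the placeholder client id and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: audit an OAuth 2.0 / OpenID Connect authorization request URL for the
// issues the paper reports. Required-parameter list is the one given in the abstract.
const REQUIRED_PARAMS = ["client_id", "state", "response_type", "redirect_uri", "scope"];
// Assumed list of parameter names that should never appear in a URL (query or fragment).
const SECRET_PARAMS = ["client_secret", "access_token", "id_token", "refresh_token"];

function auditOAuthRequest(urlString) {
  const url = new URL(urlString);
  const query = url.searchParams;
  // Implicit-flow responses deliver tokens in the fragment, so inspect it as well.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const findings = [];

  // 1. Every required parameter must be present and non-empty.
  const missing = REQUIRED_PARAMS.filter((p) => !query.has(p) || query.get(p) === "");
  if (missing.length) findings.push(`missing parameter(s): ${missing.join(", ")}`);
  if (missing.includes("state")) findings.push("no state parameter: login CSRF is possible");

  // 2. response_type containing "token" or "id_token" selects the implicit (or hybrid) flow,
  //    which returns tokens in the redirect URL instead of through the back channel.
  const responseTypes = (query.get("response_type") || "").split(/\s+/);
  const implicit = responseTypes.some((t) => t === "token" || t === "id_token");
  if (implicit) findings.push(`implicit flow requested (response_type=${query.get("response_type")})`);

  // 3. Secret or token values must not be carried in the URL at all.
  const leaked = SECRET_PARAMS.filter((p) => query.has(p) || fragment.has(p));
  if (leaked.length) findings.push(`secret value(s) in URL: ${leaked.join(", ")}`);

  return { missing, implicit, leaked, findings };
}

// Constructed sample requests (placeholder client id and relying-party host).
const RP = "https%3A%2F%2Frp.example%2Fcb";
const AUTH = "https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENT_ID_PLACEHOLDER";
const SAMPLES = {
  good: `${AUTH}&response_type=code&redirect_uri=${RP}&scope=openid%20email&state=8f3a2c`,
  noState: `${AUTH}&response_type=code&redirect_uri=${RP}&scope=openid`,
  implicit: `${AUTH}&response_type=id_token%20token&redirect_uri=${RP}&scope=openid&state=x&nonce=n`,
  secret: `https://rp.example/cb?client_id=CLIENT_ID_PLACEHOLDER&client_secret=SECRET_PLACEHOLDER&code=abc&state=x`,
};

for (const [name, u] of Object.entries(SAMPLES)) {
  console.log(name, auditOAuthRequest(u).findings);
}
```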
Cite this Research Publication : Swarag Sharma, Jevitha KP, Security Analysis of OAuth 2.0 Implementation, 2023 Innovations in Power and Advanced Computing Technologies (i-PACT), 2023.