Online Social Networks (OSNs), like Facebook, Twitter and LinkedIn, have become an essential part of our daily life. We use them to maintain connections with our friends and to get useful information. Besides, we use a lot of third-party apps for amusement or for additional functionality. OSN users must authorize those apps to access their own data objects, like statuses and photos. This is done via a widely adopted Single-Sign-On protocol called “OAuth 2.0”.
Although various OAuth 2.0 related vulnerabilities have been discovered recently, to the best of our knowledge, such vulnerabilities are all due to the improper application of OAuth. It was generally believed that the correct use of OAuth 2.0, e.g. by adhering to the guidelines provided in the Internet standards, is secure enough.
However, recent research by Prof. Wing Cheong Lau and his graduate students Mr. Pili Hu and Mr. Ronghai Yang of the Department of Information Engineering of CUHK shows that OAuth 2.0 is intrinsically vulnerable to a type of so-called application-impersonation attack, due to OAuth’s provision of multiple authorization flows and token types. Since different applications may have different privileges, like access permission rights and rate limits, application impersonation would allow unauthorized privilege escalation. This, in turn, can result in large-scale privacy leaks, as well as the delivery of unauthorized notification messages to the masses. The team’s discovery shows that it is urgent for industrial practitioners to review their API design and enable applications to opt out from certain specific modes of OAuth 2.0 operation. This research also highlights the importance of protecting the application as well as the user during the design of the next version of OAuth or other similar Single-Sign-On protocols. The work will be published in the ACM Conference on Online Social Networks (COSN’14) in Oct 2014. In the same conference, this MobiTeC team will also introduce a model-based testing tool which can automatically scan and audit OAuth deployments in practice. Back in August, the team had already presented their early findings to a large audience of cybersecurity practitioners and researchers at the BlackHat USA 2014 conference.
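The mitigation the paragraph calls for (per-application privileges enforced against the app a token was actually issued to, plus the ability for each app to opt out of OAuth 2.0 flows it does not use) can be sketched as a resource-server policy check. The code below is an added illustration and is not the CUHK team's code nor any OSN provider's API; the app registry, token store and the assumption that the resource server has already authenticated the calling app's `client_id` (for example through a client credential on the API request) are all constructed for this example.

```python
"""Constructed example: a resource server that binds every access token to the
app it was issued to, honours each app's opt-out of OAuth 2.0 flows, and
charges scope checks and rate limits to the bound app rather than to whoever
presents the token. Not the researchers' code or any provider's real API."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Tuple

# Constructed app registry. Each registered app declares the scopes it may
# use, its API rate limit, and the OAuth 2.0 grant flows it has opted in to.
APP_REGISTRY = {
    "photo_viewer": {
        "scopes": {"read_photos"},
        "rate_limit": 2,                          # tiny limit to make the check visible
        "allowed_flows": {"authorization_code"},  # this app opted out of "implicit"
    },
    "official_client": {
        "scopes": {"read_photos", "read_status", "send_notification"},
        "rate_limit": 1000,
        "allowed_flows": {"authorization_code", "implicit"},
    },
}


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str  # app the authorization server issued the token to
    flow: str       # grant flow through which the token was minted
    user: str       # resource owner who approved it


# Constructed token store; in a real deployment this lookup would be a token
# introspection call or a signed-token validation.
TOKEN_STORE = {
    "tok-official-1": AccessToken("tok-official-1", "official_client", "authorization_code", "alice"),
    "tok-viewer-1": AccessToken("tok-viewer-1", "photo_viewer", "authorization_code", "alice"),
    "tok-viewer-implicit": AccessToken("tok-viewer-implicit", "photo_viewer", "implicit", "alice"),
}


class ResourceServer:
    def __init__(self, registry, tokens):
        self.registry = registry
        self.tokens = tokens
        self.calls = defaultdict(int)  # per-app call counter for rate limiting

    def authorize(self, token_value: str, presenting_client_id: str,
                  required_scope: str) -> Tuple[bool, str]:
        """Decide whether an API call may proceed. `presenting_client_id` is
        assumed to have been authenticated already (assumption of this example)."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return (False, "unknown_token")
        app = self.registry.get(tok.client_id)
        if app is None:
            return (False, "unregistered_client")
        # 1. A token may only be used by the app it was issued to; this is the
        #    check that closes application impersonation.
        if presenting_client_id != tok.client_id:
            return (False, "client_mismatch")
        # 2. The bound app must have opted in to the flow that minted the token.
        if tok.flow not in app["allowed_flows"]:
            return (False, "flow_not_allowed")
        # 3. Scope is evaluated against the bound app's permissions.
        if required_scope not in app["scopes"]:
            return (False, "insufficient_scope")
        # 4. Rate limit is charged to the bound app, not the presenter.
        self.calls[tok.client_id] += 1
        if self.calls[tok.client_id] > app["rate_limit"]:
            return (False, "rate_limited")
        return (True, "ok")


if __name__ == "__main__":
    rs = ResourceServer(APP_REGISTRY, TOKEN_STORE)
    print(rs.authorize("tok-viewer-1", "photo_viewer", "read_photos"))
    print(rs.authorize("tok-viewer-1", "official_client", "send_notification"))
    print(rs.authorize("tok-viewer-implicit", "photo_viewer", "read_photos"))
```

The ordering of the checks matters: the client binding is evaluated before scope and rate limit, so a token issued to a low-privilege app can never be accounted against a higher-privilege app's permissions or quota, and an app that has opted out of a flow is protected even if a token in that flow's format is somehow presented for it.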
A related interview (http://www.weibo.com/1737187942/BmulJflhP?mod=weibotime) can be found at: http://v.ifeng.com/news/tech/201409/01214414-b601-4604-be4e-1be3d04b62f7.shtml