DOI: 10.1145/2660460.2660463
Research article

Application impersonation: problems of OAuth and API design in online social networks

Published: 01 October 2014

Abstract

The OAuth 2.0 protocol has enjoyed wide adoption by Online Social Network (OSN) providers since its inception. Although the security guidelines for OAuth 2.0 are well discussed in RFC6749 and RFC6819, many real-world attacks arising from the implementation specifics of OAuth 2.0 in various OSNs have been discovered. To our knowledge, previously discovered loopholes are all based on the misuse of OAuth, and many of them rely on provider-side or application-side vulnerabilities or faults beyond the scope of the OAuth protocol. It was generally believed that correct use of OAuth 2.0 is secure. In this paper, we show that OAuth 2.0 is intrinsically vulnerable to the App impersonation attack because it provides multiple authorization flows and token types. We start by reviewing and analyzing the OAuth 2.0 protocol and some common API design problems found in many first-tier OSNs. We then propose the App impersonation attack and investigate its impact on 12 major OSN providers. We demonstrate that App impersonation via OAuth 2.0, when combined with additional API design features or deficiencies, makes large-scale exploitation and privacy leaks possible. For example, it becomes possible for an attacker to completely crawl a 200-million-user OSN within just one week and harvest data objects such as the status list and friend list, which its users expect to be private among friends only. We also propose fixes that can be readily deployed to tackle the OAuth 2.0-based App impersonation problem.

Published In

COSN '14: Proceedings of the second ACM conference on Online social networks
October 2014
288 pages
ISBN: 9781450331982
DOI: 10.1145/2660460

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. api design in osn
2. app impersonation attack
3. oauth 2.0
4. single sign on
5. social network privacy

Conference

COSN'14: Conference on Online Social Networks
October 1 - 2, 2014
Dublin, Ireland

Acceptance Rates

COSN '14 Paper Acceptance Rate: 25 of 87 submissions, 29%
Overall Acceptance Rate: 69 of 307 submissions, 22%
