Sign In

Communications of the ACM

ACM TechNews

Researchers Find Two Flaws in OAuth 2.0


OAuth is used by many social media sites.

University of Trier researchers have discovered vulnerabilities in the OAuth 2.0 authentication protocol that could enable hackers to subvert single sign-on systems.

Credit: SC Magazine UK

University of Trier researchers have discovered several vulnerabilities in the OAuth 2.0 authentication protocol, widely used on social networking sites to authenticate users, which could enable hackers to subvert single sign-on systems.

The two attacks break authorization and authentication in OAuth, and are also present in the new OpenID Connect standard and can be exploited in practice to capture credentials to impersonate a user or access user data.

In the first attack, identity providers (IdP) inadvertently forward user credentials to the relying party (RP) or the attacker. "This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of malicious identity provider," the researchers note. In order to fix the vulnerability, only HTTP 303 codes should be permitted in OAuth, because the 303 redirect is defined unambiguously to drop the body of an HTTP POST request.

In the second attack, a network attacker can impersonate any victim. "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorization process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data," the researchers warn.

The man-in-the-middle attack enables a hacker to change user data and fool the RP into treating it as the IdP the user wants.

The researchers say OAuth should include the identity of the IdP in the redirect in some form as a corrective measure.

From SC Magazine (UK)
View Full Article

 

Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Read CACM in a free mobile app!
Access the latest issue, plus archived issues and more
ACM Logo
  • ACM CACM apps available for iPad, iPhone and iPod Touch, and Android platforms
  • ACM Digital Library apps available for iOS, Android, and Windows devices
  • Download an app and sign in to it with your ACM Web Account
Find the app for your mobile device
ACM DL Logo