Privacy and Security in Online Social Networks - A reflection on the deployment of OAuth 2.0

Recent research by Prof. Wing-cheong Lau and his graduate students Mr. Pili Hu and Mr. Ronghai Yang shows that OAuth 2.0 is intrinsically vulnerable to a new type of so-called Application Impersonation Attacks. Such attacks can result in massive privacy leaks and the delivery of unauthorized notification messages to a large number of online social networking users. This research will be published in the ACM Conference on Online Social Networks (COSN'14) in Oct 2014. In the same conference, the team will also introduce a model-based testing tool which can automatically scan and audit OAuth deployments in practice. Back in August, they had already presented their early findings to a large audience of cybersecurity practitioners and researchers in the BlackHat USA 2014 conference. A related interview can be found at: