“Signing into One Billion Strangers’ Mobile App Accounts - Security Issues of OAuth-based Single-Sign-On services in the Wild”
The Open Authentication (OAuth 2.0) protocol and its variants, e.g. Google's OpenID Connect, have been adopted by online service providers worldwide to support Single-Sign-On and authorization operations. Despite numerous security analyses and implementation guidelines, fool-proof integration of OAuth 2.0 with third-party web and mobile applications remains challenging. In this talk, we will share our recent findings on various OAuth-related vulnerabilities in practically deployed systems, which can result in massive privacy leaks and large-scale unauthorized access to online services. We will also introduce our ongoing effort to develop automatic scanning and security auditing tools for OAuth deployments in practice.