Department Gathering

“Signing into One Billion Strangers’ Mobile App Accounts – Security Issues of OAuth-based Single-Sign-On services in the Wild”


Prof. Lau Wing-Cheong

11 May, 2016
11:30am – 12:00pm
Room 1009, William M.W. Mong Engineering Building

The Open Authentication (OAuth 2.0) protocol and its variants, e.g. Google’s OpenID Connect, have been adopted by online service providers worldwide to support Single-Sign-On and authorization operations. Despite numerous security analyses and implementation guidelines, fool-proof integration of OAuth 2.0 with 3rd-party web/mobile applications remains challenging. In this talk, we will share our recent findings on various OAuth-related vulnerabilities in practically deployed systems, which can result in massive privacy leaks and large-scale unauthorized access to online services. We will also introduce our ongoing effort to develop automatic scanning and security auditing tools for OAuth deployments in practice.