An empirical study of oauth-based SSO system on web


Abstract

More and more websites use the OAuth 2.0 protocol to provide SSO services that ease password management for users. Although OAuth 2.0 has been implemented carefully by following many guidelines, some parts have still been ignored. In this paper, we discover a new attack mode for hijacking accounts in OAuth-based SSO systems. We conduct an empirical study of the proposed attack on the top 500 Chinese websites of Alexa that support SSO services through 6 IdPs. Our results uncover four vulnerabilities that allow attackers to hijack the victim’s account without knowing the user’s username and password. Closer examination reveals that 68.67%, 12.87%, 68.67% and 59.66% of the websites are vulnerable to the four vulnerabilities respectively, and that the proposed complete attack can be conducted against 45.49% of the websites. To defend against this attack, we provide developers with simple, practical recommendations for the critical vulnerable nodes.

Citation (APA)

Qiu, K., Liu, Q., Liu, J., Yu, L., & Wang, Y. (2018). An empirical study of oauth-based SSO system on web. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10874 LNCS, pp. 400–411). Springer Verlag. https://doi.org/10.1007/978-3-319-94268-1_33
