How Securely Are OAuth/OpenID Connect Implemented in Japan?


Abstract

Electronic commerce (EC) websites often authenticate users through a so-called social login, in which the user signs in with a social media account such as Facebook, Google, or Twitter. In such a case, the website uses OAuth and OpenID Connect. However, a website's implementation might raise privacy concerns or be vulnerable to attacks. In this paper, by crawling the login pages of 500 Japanese EC sites and tracing their authentication flows, we investigate the implementation status of social logins and their security against cross-site request forgery. We observed 28 websites that acquired more user permissions from the SNS than necessary, or that were vulnerable as a result of improper implementation.


Saito, T., Kikuta, T., & Koshiba, R. (2020). How Securely Are OAuth/OpenID Connect Implemented in Japan? In Lecture Notes in Networks and Systems (Vol. 97, pp. 800–811). Springer. https://doi.org/10.1007/978-3-030-33506-9_73
