DOI: 10.1145/3548606.3560692 | ACM CCS Conference Proceedings | Research article | Open access

DISTINCT: Identity Theft using In-Browser Communications in Dual-Window Single Sign-On

Published: 07 November 2022

Abstract

Single Sign-On (SSO) protocols like OAuth 2.0 and OpenID Connect 1.0 are cornerstones of modern web security and have received much academic attention. Users sign in at a trusted Identity Provider (IdP) that subsequently allows many Service Providers (SPs) to verify the users' identities. Previous research concentrated on the standardized authentication flows (called textbook SSO in this paper), which rely on HTTP redirects to transfer identity tokens between the SP and IdP. However, modern web applications like single page apps may not be able to execute the textbook flow, because an HTTP redirect discards their local state. Using novel browser technologies such as postMessage, developers designed and implemented SSO protocols that were neither documented nor analyzed thoroughly. We call them dual-window SSO flows.
In this paper, we provide the first comprehensive evaluation of dual-window SSO flows. In particular, we focus on the In-Browser Communication (InBC) used to exchange authentication tokens between SPs and IdPs in iframes and popups. We automate our analysis by developing Distinct, a tool that dynamically analyzes the JavaScript code executing as part of the SSO flow. Distinct translates the flow into a sequence diagram depicting all communicating entities and their exchanged messages, highlights insecure communication channels, and quantifies novel threats in dual-window SSO flows. We found that 56% of the SPs in the Tranco top 1k list support dual-window SSO. Surprisingly, 28% of the SPs implemented dual-window SSO without using official SDKs, leading to identity theft and XSS in 31% of these self-implemented SPs.
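The token hand-off the abstract describes, as an added example that is not code from the paper or its Distinct tool: an IdP popup returns a token to the SP's opener window over postMessage, and the SP's unchecked handler is shown beside a hardened one that pins the IdP origin and validates the message. The origins, message shape, fake window objects and sample token are all constructed for illustration.

```javascript
// Added example, not code from the DISTINCT paper: a minimal popup-based
// (dual-window) SSO token hand-off over postMessage, with the unchecked SP
// handler beside a hardened one. Origins and message shape are assumptions.
const IDP_ORIGIN = "https://idp.example"; // assumed IdP origin
const SP_ORIGIN = "https://sp.example";   // assumed SP origin

// Stand-in for a browser Window so the exchange runs offline (Node). It
// mimics the one delivery rule that matters here: a message is delivered
// only if targetOrigin is "*" or equals the receiving window's origin.
function makeFakeWindow(origin) {
  const inbox = [];
  return {
    origin,
    inbox,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) inbox.push(data);
    },
  };
}

// IdP side (popup): hand the token back to the opener, pinned to the SP origin
// the IdP registered for this client. A targetOrigin of "*" would deliver the
// token to whatever page currently holds the opener reference.
function idpDeliverToken(opener, token, registeredSpOrigin) {
  opener.postMessage({ type: "sso_token", token }, registeredSpOrigin);
}

// SP side, insecure: no origin check, so any window that can reach the SP
// window (a page it opened, or one embedding it) can inject its own token.
function spHandlerUnchecked(event, sink) {
  sink(event.data.token);
  return true;
}

// SP side, hardened: accept only from the IdP origin, only the expected
// message shape, only a token-looking string. The sink must treat the token
// as data (hand it to the backend for verification), never insert it as HTML.
function spHandlerChecked(event, sink) {
  if (event.origin !== IDP_ORIGIN) return false;
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "sso_token") return false;
  if (typeof d.token !== "string" || !/^[A-Za-z0-9._-]{16,}$/.test(d.token)) return false;
  sink(d.token);
  return true;
}

// Replay the flows against the fake windows and report what each handler does.
function runScenario() {
  const sp = makeFakeWindow(SP_ORIGIN);
  const legitToken = "eyJhbGciOiJSUzI1NiJ9.constructed.sample"; // constructed, not a real JWT
  idpDeliverToken(sp, legitToken, SP_ORIGIN);
  const legitEvent = { origin: IDP_ORIGIN, data: sp.inbox[0] };

  // A page at another origin posts its own token to the SP window; the browser
  // would set event.origin to that page's origin, which the checked handler rejects.
  const spoofEvent = { origin: "https://other.example", data: { type: "sso_token", token: "forged.token.value" } };

  // Delivery pinned to SP_ORIGIN never reaches a window at another origin;
  // a wildcard targetOrigin does.
  const other = makeFakeWindow("https://other.example");
  idpDeliverToken(other, legitToken, SP_ORIGIN);
  const pinnedLeak = other.inbox.length > 0;
  idpDeliverToken(other, legitToken, "*");
  const wildcardLeak = other.inbox.length > 0;

  const seen = [];
  const sink = (t) => seen.push(t);
  return {
    checkedAcceptsLegit: spHandlerChecked(legitEvent, sink),
    checkedAcceptsSpoof: spHandlerChecked(spoofEvent, sink),
    uncheckedAcceptsSpoof: spHandlerUnchecked(spoofEvent, sink),
    pinnedTargetLeaks: pinnedLeak,
    wildcardTargetLeaks: wildcardLeak,
    sinkCalls: seen.length,
  };
}
```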




Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. identity
  2. oauth
  3. openid connect
  4. single sign-on
  5. web security


Conference

CCS '22
Overall acceptance rate: 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 386
  • Downloads (last 6 weeks): 58
Reflects downloads up to 19 Dec 2024

Cited By

  • (2024) Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 555-569. DOI: 10.1145/3658644.3670323. Online publication date: 2 Dec 2024.
  • (2024) To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape. 2024 IEEE Symposium on Security and Privacy (SP), 1500-1516. DOI: 10.1109/SP54263.2024.00094. Online publication date: 19 May 2024.
  • (2024) SoK: SSO-MONITOR - The Current State and Future Research Directions in Single Sign-on Security Measurements. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), 173-192. DOI: 10.1109/EuroSP60621.2024.00018. Online publication date: 8 Jul 2024.
  • (2024) An explainable nature-inspired cyber attack detection system in Software-Defined IoT applications. Expert Systems with Applications, 250, 123853. DOI: 10.1016/j.eswa.2024.123853. Online publication date: Sep 2024.
  • (2024) Analyzing Excessive Permission Requests in Google Workspace Add-Ons. Engineering of Complex Computer Systems, 323-345. DOI: 10.1007/978-3-031-66456-4_18. Online publication date: 29 Sep 2024.
  • (2023) SSOLogin: A framework for automated web privacy measurement with SSO logins. Proceedings of the 18th Asian Internet Engineering Conference, 69-77. DOI: 10.1145/3630590.3630599. Online publication date: 12 Dec 2023.
