Security Issues of OAuth-based Single-Sign-On services in the Wild


The Open Authentication (OAuth 2.0) protocol has been adopted by online service providers worldwide to support Single-Sign-On and authorization operations. Despite numerous security analyses and implementation guidelines, foolproof integration of OAuth 2.0 with third-party web and mobile applications remains challenging. In this talk, we will share our recent discovery of various OAuth-related vulnerabilities in practically deployed systems, which can result in massive privacy leaks and/or large-scale unauthorized access to online services. We will also introduce a model-based security testing tool to support automatic scanning and auditing of OAuth implementations and deployments in practice.

Date -
Venue - Conference Hall 1-2, G/F, Core Building 1, Phase 1, Hong Kong Science Park, Shatin, Hong Kong