Account hijacking threat attack detection for OAuth2.0 authorization API
Authors: | LIU Qixu, QIU Kaili, WANG Yiwen, CHEN Yanhui, CHEN Langping, LIU Chaoge |
Affiliation: | 1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
Abstract: | The OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications, but existing deployments risk leaking users' private data and, worse, allowing user accounts to be hijacked. An account hijacking attack model centred on the authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol. A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on monitoring authorization and authentication traffic were proposed. An account hijacking threat detection framework for OAuth2.0 authorization APIs, OScan, was designed and implemented. Through a large-scale detection of the 3,853 authorization APIs deployed on the Alexa top 10,000 websites, 360 vulnerable APIs were discovered. Further verification showed that 80 websites were exposed to account hijacking attacks. Compared with similar tools, OScan has significant advantages in the number of identity providers covered, the number of relying parties detected, and the completeness of risk detection. |
Keywords: | OAuth2.0 protocol; application programming interface; account hijacking; third-party application |
Published in: | Journal on Communications (通信学报) |