{"title":"How to grant less permissions to facebook applications","authors":"Gianpiero Costantino, F. Martinelli, D. Sgandurra","doi":"10.1109/ISIAS.2013.6947733","DOIUrl":null,"url":null,"abstract":"Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"75 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 9th International Conference on Information Assurance and Security (IAS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISIAS.2013.6947733","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
