How Securely Are OAuth/OpenID Connect Implemented in Japan?

Takamichi Saito, Tsubasa Kikuta, Rikita Koshiba

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

Electronic commerce (EC) sites increasingly authenticate users through a so-called social login, in which the user signs in with a social media account such as Facebook, Google, or Twitter. Such a site acts as an OAuth or OpenID Connect client of the social network. An improperly implemented client, however, may raise privacy concerns (for example by requesting more account permissions than it needs) or be vulnerable to attack. In this paper, we crawl the login pages of 500 Japanese EC sites and trace their authentication flows to investigate how social logins are implemented and whether they are secure against cross-site request forgery (CSRF). We observed 28 websites that either acquired more user permissions from the SNS than necessary or were vulnerable as a result of improper implementation.
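The two implementation faults the abstract measures, over-broad permission requests and a redirect endpoint that does not verify the OAuth `state` parameter, are shown below in a minimal relying-party skeleton. This is an added example written for this page, not code from the paper or from any of the crawled sites; the provider endpoint, client_id, redirect URI and scope names are illustrative assumptions, and the "attacker" callback is constructed inline.

```python
# Minimal OAuth 2.0 / OpenID Connect relying-party checks for a social login.
# Shows (1) rejecting scope requests beyond what sign-in needs and
# (2) the insecure callback (no `state` check, open to login CSRF) next to
# the hardened one. Endpoints, client_id and scopes are assumed values.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://sns.example/oauth2/authorize"  # assumed provider
CLIENT_ID = "ec-site-client"                                 # assumed
REDIRECT_URI = "https://shop.example/login/callback"         # assumed

# Scopes an EC site needs for sign-in only; anything beyond this is the
# over-collection of user permissions the paper reports.
MINIMUM_SCOPES = frozenset({"openid", "email"})


def build_authorization_request(session: dict, requested_scopes) -> str:
    """Return the redirect URL to the SNS and bind a fresh `state` to the session."""
    extra = set(requested_scopes) - MINIMUM_SCOPES
    if extra:
        raise ValueError(f"over-privileged scope request: {sorted(extra)}")
    state = secrets.token_urlsafe(32)  # unguessable, one per flow
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(requested_scopes)),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback_insecure(session: dict, callback_url: str) -> str:
    """Flawed pattern: accept whatever code arrives and never look at `state`.

    An attacker obtains a code for *their own* SNS account, builds this
    callback URL and makes a victim's browser load it; the victim's session
    is then logged in as the attacker (login CSRF).
    """
    query = parse_qs(urlparse(callback_url).query)
    code = query["code"][0]
    session["logged_in_with_code"] = code
    return code


def handle_callback(session: dict, callback_url: str) -> str:
    """Hardened pattern: `state` required, compared in constant time, single use."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # consumed on first use
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("missing state: possible CSRF")
    if not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: possible CSRF")
    if "code" not in query:
        raise PermissionError("no authorization code in callback")
    code = query["code"][0]
    session["logged_in_with_code"] = code
    return code


def forged_callback(attacker_code: str) -> str:
    """Constructed attacker URL: a valid-looking callback whose state is a guess."""
    return f"{REDIRECT_URI}?{urlencode({'code': attacker_code, 'state': 'guess'})}"


def run_demo() -> dict:
    """Exercise both callback handlers against legitimate and forged flows."""
    results = {}
    session = {}
    build_authorization_request(session, MINIMUM_SCOPES)
    state = session["oauth_state"]
    good = f"{REDIRECT_URI}?{urlencode({'code': 'good-code', 'state': state})}"
    results["legit"] = handle_callback(session, good)
    try:
        handle_callback(session, good)  # replay: state already consumed
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    results["insecure_forged"] = handle_callback_insecure({}, forged_callback("attacker-code"))
    victim = {}
    build_authorization_request(victim, MINIMUM_SCOPES)
    try:
        handle_callback(victim, forged_callback("attacker-code"))
        results["secure_forged"] = "accepted"
    except PermissionError:
        results["secure_forged"] = "rejected"
    try:
        build_authorization_request({}, {"openid", "email", "friends"})
        results["overscope"] = "allowed"
    except ValueError:
        results["overscope"] = "blocked"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The insecure handler happily binds the attacker's code to an empty session, which is exactly the CSRF exposure a crawler can detect by replaying a callback with a missing or altered `state`; the hardened handler rejects it, and because the stored state is popped on first use a captured legitimate callback cannot be replayed either.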

Original language: English
Title of host publication: Lecture Notes in Networks and Systems
Publisher: Springer
Pages: 800-811
Number of pages: 12
DOI: 10.1007/978-3-030-33506-9_73
Publication status: Published - 1 Jan 2020

Publication series

Name: Lecture Notes in Networks and Systems
Volume: 97
ISSN (Print): 2367-3370
ISSN (Electronic): 2367-3389

Fingerprint

Websites
Electronic commerce
Authentication

Cite this

Saito, T., Kikuta, T., & Koshiba, R. (2020). How Securely Are OAuth/OpenID Connect Implemented in Japan? In Lecture Notes in Networks and Systems (pp. 800-811). (Lecture Notes in Networks and Systems; Vol. 97). Springer. https://doi.org/10.1007/978-3-030-33506-9_73
TY - CHAP

T1 - How Securely Are OAuth/OpenID Connect Implemented in Japan?

AU - Saito, Takamichi

AU - Kikuta, Tsubasa

AU - Koshiba, Rikita

PY - 2020/1/1

Y1 - 2020/1/1

UR - http://www.scopus.com/inward/record.url?scp=85074726786&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-33506-9_73

DO - 10.1007/978-3-030-33506-9_73

M3 - Chapter

AN - SCOPUS:85074726786

T3 - Lecture Notes in Networks and Systems

SP - 800

EP - 811

BT - Lecture Notes in Networks and Systems

PB - Springer

ER -
