1 Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks
Shehroze Farooqi (1), Fareed Zaffar (2), Nektarios Leontiadis (3), Zubair Shafiq (1)
University of Iowa (1), Lahore University of Management Sciences (2), Facebook (3)
Presenter: Shehroze Farooqi

2 Key Contributions
- Security Issue: OAuth access token leakage
- Measurement: abuse of leaked access tokens by collusion networks
- Countermeasures: mitigation of access token abuse

3 Outline
- Security Issue: OAuth access token leakage
- Measurement: abuse of leaked access tokens
- Countermeasures: mitigation of access token abuse

4 OAuth
- Authorization framework: OAuth 2.0 [RFC 6749]
- Enables third-party applications to get restricted access to online services
- Diagram labels: Online services, Third-party applications

5 Single Sign On (SSO)

6 Access Token
- An opaque string
- Represents the authorization issued to the third-party application
- Provides an alternative to sharing the username/password
- Example token shown on the slide: EAACEdEose0cBAAP8fZCGOTmVi5wZAW4pUfZCf1cEEQaCAWEP7AOFqZCVOlesGdVI1ubVYcnbmU59FZAJsjMV65LFxzyVo

7 OAuth Workflow of Facebook Applications
- Server-side flow
- Client-side flow

8 OAuth Workflow of Facebook Applications
- Server-side flow
- Client-side flow

9 OAuth Workflow of Facebook Applications
- Server-side flow
- Client-side flow

10 Client-side Flow
- Benefits of the client-side flow
  - Provides support for applications without a server
  - Cross-platform interoperability
  - Used by many browser-based applications such as games
- Security issues with the client-side flow
  - Applications are susceptible to access token leakage [RFC 6819]
- Focus: applications susceptible to access token leakage

11 Identification of Susceptible Applications
- Scanned the 100 most popular applications
- Identified 9 susceptible applications

Top 5 susceptible applications:

Application name     | Monthly active users rank
---------------------|--------------------------
Spotify              | 4
PlayStation Network  | 57
Deezer               | 59
Pandora              | 68
HTC Sense            | 75
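A defender-side version of the check behind slides 10 and 11, added here as an example and not code from the talk or the paper. It parses an OAuth 2.0 authorization request to tell the client-side flow (implicit grant, response_type=token) from the server-side flow (authorization code grant, response_type=code), and inspects the redirect back to the application to show where the credential ends up: in the client-side flow the bearer token itself is delivered to the user agent in the URI fragment, whereas in the server-side flow the browser only ever sees a one-time code that the application server exchanges for the token. The endpoint, redirect URI, app id and token values are constructed placeholders.

```python
# Added example (not from the slides or the paper): classify an OAuth 2.0
# authorization request by flow and inspect what the redirect hands to the
# user agent. Endpoint, redirect URI, app id and token values are placeholders.
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://provider.example/oauth/authorize"  # placeholder
REDIRECT_URI = "https://app.example/callback"               # placeholder

# RFC 6749: response_type=code is the authorization code grant (server-side),
# response_type=token is the implicit grant (client-side).
FLOW_BY_RESPONSE_TYPE = {"code": "server-side", "token": "client-side"}


def build_authorization_url(client_id, flow, state, scope="public_profile"):
    """Build the authorization request an application sends the user to."""
    response_type = {v: k for k, v in FLOW_BY_RESPONSE_TYPE.items()}[flow]
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": response_type,
        "scope": scope,
        "state": state,  # binds the redirect to the session (RFC 6749 10.12)
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def classify_flow(authorization_url):
    """Return 'client-side', 'server-side' or 'unknown' from response_type.

    This is the per-application check a scan like the one on slide 11 needs:
    applications requesting response_type=token use the client-side flow.
    """
    query = parse_qs(urlparse(authorization_url).query)
    response_type = query.get("response_type", [None])[0]
    return FLOW_BY_RESPONSE_TYPE.get(response_type, "unknown")


def inspect_redirect(redirect_url):
    """Describe what the authorization server hands to the user agent.

    Returns (credential_kind, location, bearer_exposed_to_user_agent).
    Client-side flow: the access token travels in the URI fragment, so the
    browser (and any script running in the page) holds a bearer credential.
    Server-side flow: only a one-time code is in the query; the application
    server exchanges it for the token, which never reaches the browser.
    """
    parsed = urlparse(redirect_url)
    fragment = parse_qs(parsed.fragment)
    query = parse_qs(parsed.query)
    if "access_token" in fragment:
        return ("access_token", "fragment", True)
    if "code" in query:
        return ("authorization_code", "query", False)
    return (None, None, False)


if __name__ == "__main__":
    for flow in ("server-side", "client-side"):
        url = build_authorization_url("APP_ID_PLACEHOLDER", flow, state="n0nce")
        print(flow, "->", classify_flow(url))
    # Constructed redirects in the shape each flow produces.
    print(inspect_redirect(REDIRECT_URI + "?code=ONE_TIME_CODE&state=n0nce"))
    print(inspect_redirect(REDIRECT_URI + "#access_token=EAAC_PLACEHOLDER&state=n0nce"))
```

Running the block prints the flow classification for both constructed requests and then the two redirect inspections; the third tuple element is the flag a platform reviewer cares about, since a token handed to the user agent is the one that can leak.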

12 Implications of Leaked Access Tokens
- Passive: steal personal information, e.g., location, birth date, work history
- Active: conduct malicious activities
  - Spread malware
  - Reputation manipulation, e.g., fake likes, fake comments

13 Outline
- Security Issue: OAuth access token leakage
- Measurement: abuse of leaked access tokens
- Countermeasures: mitigation of access token abuse

14 Collusion Networks
- Users deliberately submit access tokens; in exchange they get likes and comments
- Large-scale abuse of leaked access tokens: fake likes, fake comments
- Exploit top applications with millions of active users, e.g., HTC Sense (1 million monthly active users)
- Identified 50 collusion network websites, e.g., hublaa.me, official-liker.net

15 (Diagram) Install Application -> Retrieve Access Token -> Submit Access Token

16 Milking Collusion Networks
- Deployed honeypot accounts to milk collusion networks
  1. Create a dummy post on Facebook
  2. Join a collusion network by submitting the access token
  3. Regularly submit posts to get likes and comments
- Automated the process for all collusion networks

17 Milking Process
- Steady increase in likes count
- Repetition of unique users
- Diminishing returns
- (Figure: likes over time for f8-autoliker.com)

18 Summary of Collected Data
- Submitted 11K+ posts
- Received 2.7 million likes
- Identified over a million members

Top 3 collusion networks:

Collusion network    | Number of posts submitted | Number of likes | Membership size
---------------------|---------------------------|-----------------|----------------
Official-liker.net   | 1,757                     | 685,88          | 233,161
Hublaa.me            | 1,421                     | 496,714         | 294,949
F8-autolikers.com    | 1,311                     | 331,923         | 72,157
All                  | 11,751                    | 2,753,153       | 1,150,782

19 Outline
- Security Issue: OAuth access token leakage
- Measurement: abuse of leaked access tokens
- Countermeasures: mitigation of access token abuse

20 Challenges in Proposing Countermeasures
- Block susceptible applications: impact on legitimate users
- Disable the client-side flow: applications without a server, platform usability
- False positives: detection accuracy

21 Proposed Countermeasures
- Access token rate limits
- Honeypot based access token invalidation
- Temporal clustering
- IP rate limits
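The four countermeasures on slide 21, worked through as an added example over a constructed like-event log; this is not the paper's code and the slides do not give the authors' thresholds or clustering method. The assumptions are labelled: temporal clustering is modelled as tokens that like the same post within a short burst (collusion networks deliver likes in bulk, as the milking slides show), honeypot invalidation flags any token that liked a post owned by a honeypot account, and the rate limits count likes per token and distinct tokens per IP over a fixed window. Token ids, post ids, IP addresses and timestamps are all constructed.

```python
# Added example (not from the paper): simulate the slide-21 countermeasures over
# a constructed like-event log. Thresholds, token ids, post ids and IPs are
# placeholders chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LikeEvent:
    ts: int      # seconds (constructed)
    token: str   # id of the access token that performed the like (constructed)
    post: str    # post that was liked
    ip: str      # source address of the API call


# Constructed sample log. T1..T6 are tokens that were submitted to a collusion
# network, which uses them from one address to like a post (P1) and, later, a
# honeypot post (H1). T1 is also used to like many more posts. T7 and T8 are
# ordinary users acting from their own addresses.
COLLUSION_IP = "203.0.113.5"
MEMBERS = [f"T{i}" for i in range(1, 7)]
EVENTS = []
EVENTS += [LikeEvent(1000 + i, t, "P1", COLLUSION_IP) for i, t in enumerate(MEMBERS)]
EVENTS += [LikeEvent(1100 + i, t, "H1", COLLUSION_IP) for i, t in enumerate(MEMBERS)]
EVENTS += [LikeEvent(2000 + i, "T1", f"P{i}", COLLUSION_IP) for i in range(2, 10)]
EVENTS += [LikeEvent(5000, "T7", "P1", "198.51.100.7"),
           LikeEvent(6000, "T8", "P2", "198.51.100.8")]


def token_rate_limit_violators(events, max_likes, window_seconds):
    """Access token rate limit: tokens that exceed max_likes in a fixed window."""
    counts = defaultdict(int)
    for e in events:
        counts[(e.token, e.ts // window_seconds)] += 1
    return {token for (token, _), n in counts.items() if n > max_likes}


def honeypot_invalidation(events, honeypot_posts):
    """Honeypot based invalidation: a token that likes a honeypot post can only
    have reached the collusion network through a leaked token; invalidate it."""
    return {e.token for e in events if e.post in honeypot_posts}


def temporal_clusters(events, max_gap_seconds, min_size):
    """Temporal clustering (assumed model): tokens that like the same post in a
    run of events no more than max_gap_seconds apart form a cluster; return the
    (post, tokens) clusters of at least min_size."""
    by_post = defaultdict(list)
    for e in events:
        by_post[e.post].append(e)
    clusters = []
    for post, evs in by_post.items():
        evs.sort(key=lambda e: e.ts)
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.ts - prev.ts <= max_gap_seconds:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    clusters.append((post, frozenset(e.token for e in run)))
                run = [cur]
        if len(run) >= min_size:
            clusters.append((post, frozenset(e.token for e in run)))
    return clusters


def ip_rate_limit_violators(events, max_tokens_per_ip):
    """IP rate limit: addresses that drive more than max_tokens_per_ip tokens."""
    tokens_by_ip = defaultdict(set)
    for e in events:
        tokens_by_ip[e.ip].add(e.token)
    return {ip for ip, toks in tokens_by_ip.items() if len(toks) > max_tokens_per_ip}


def tokens_to_invalidate(events, honeypot_posts, max_gap_seconds=30, min_size=4):
    """Union of the two invalidation signals (honeypot hits and burst clusters)."""
    flagged = set(honeypot_invalidation(events, honeypot_posts))
    for _, toks in temporal_clusters(events, max_gap_seconds, min_size):
        flagged |= toks
    return flagged


if __name__ == "__main__":
    print("rate-limited tokens:", token_rate_limit_violators(EVENTS, 5, 3600))
    print("honeypot hits:", honeypot_invalidation(EVENTS, {"H1"}))
    print("burst clusters:", temporal_clusters(EVENTS, 30, 4))
    print("rate-limited IPs:", ip_rate_limit_violators(EVENTS, 3))
    print("invalidate:", tokens_to_invalidate(EVENTS, {"H1"}))
```

Note how the signals differ in reach: the per-token rate limit only catches the one token used most heavily (T1), while the honeypot and clustering signals catch the whole set of six tokens the network is using, which matches why the slides treat rate limits and invalidation as separate countermeasures. The legitimate users T7 and T8 are flagged by none of them.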

22 Impact of Countermeasures: experimental setup

23 Impact of Countermeasures: establishing the baseline

24 Impact of Countermeasures: reduction in access token rate limit

25 Impact of Countermeasures: access token invalidation, half of all tokens

26 Impact of Countermeasures: access token invalidation, all tokens

27 Impact of Countermeasures: access token invalidation, half of new tokens daily

28 Impact of Countermeasures: access token invalidation, all new tokens daily

29 Impact of Countermeasures: clustering based access token invalidation

30 Impact of Countermeasures: IP address rate limits

31 Key Takeaways
- Countermeasures
  - Arms race, proven to be long lasting
  - Robustness
- Security issues in OAuth
  - Similar access token leakage and abuse on other online services
  - Investigate other OAuth security flaws and potential attacks

32 Questions?
Email: shehroze-farooqi@uiowa.edu
Webpage:
