http://dx.doi.org/10.13089/JKIISC.2017.27.1.5

A Study on Vulnerability Prevention Mechanism Due to Logout Problem Using OAuth

Kim, Jinouk (DigiCAP)
Park, Jungsoo (Soongsil University)
Nguyen-Vu, Long (Soongsil University)
Jung, Souhwan (Soongsil University)
Abstract
Many web services that use the OAuth protocol let users log in with personal profile information supplied by a resource server. This spares users the inconvenience of registering for a new account. However, when a user finishes using an OAuth client web service, logging out of the client does not end the session at the resource server: the resource server remains in the logged-in state, which can lead to the leakage of personal information. In this paper, we propose a solution that mitigates this threat with an additional security behavior check: when a user requests to log out of the client web service, a confirmation notification reports the login state of the resource server and lets the user decide whether or not to log out of the resource server as well. With the proposed method, users who log in through the OAuth protocol on public PCs, such as those in department stores, libraries and print shops, can avoid the leakage of personal information that results from forgetting to check the other OAuth-related services. To verify our study, we implemented a client web service that uses the OAuth 2.0 protocol and integrated our security behavior check into it. The result shows that, with this additional function, users are better protected when dealing with resource authorization in an OAuth 2.0 implementation.
Keywords
OAuth; Access Token; Identity Provider; Threat; Data Privacy
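The logout check described in the abstract, as an added illustration that is not the paper's own code: two in-memory stand-ins (hypothetical ResourceServer and ClientWebService classes) show that a client-only logout leaves the provider session and access token alive on a shared PC, while a logout confirmed by the user also revokes the token and ends the provider session. Modelling the provider-side logout as token revocation in the style of an RFC 7009 revocation endpoint is an assumption of this example.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the two parties in the paper's scenario; all names
# and data are hypothetical, not taken from the paper's implementation.
@dataclass
class ResourceServer:
    sessions: set = field(default_factory=set)   # browsers logged in at the provider
    tokens: dict = field(default_factory=dict)   # access token -> owning user

    def authorize(self, browser, user):
        # Authorization step: a provider session is created and a token issued.
        self.sessions.add(browser)
        token = f"token-{user}-{len(self.tokens)}"
        self.tokens[token] = user
        return token

    def revoke(self, token):
        # Token revocation, modelled on an RFC 7009 revocation endpoint (assumption).
        self.tokens.pop(token, None)

    def end_session(self, browser):
        self.sessions.discard(browser)   # provider-side logout for this browser

@dataclass
class ClientWebService:
    rs: ResourceServer
    sessions: dict = field(default_factory=dict)  # browser -> access token

    def login_with_oauth(self, browser, user):
        self.sessions[browser] = self.rs.authorize(browser, user)

    def logout(self, browser, also_logout_resource_server):
        # also_logout_resource_server is the user's answer to the confirmation
        # notification. False is the incomplete logout the paper describes: the
        # client session ends but the provider session and token survive.
        token = self.sessions.pop(browser, None)
        if also_logout_resource_server and token is not None:
            self.rs.revoke(token)
            self.rs.end_session(browser)

def state_after_logout(user_confirms):
    # Simulate one public-PC session and report what is left behind.
    rs, browser = ResourceServer(), "shared-kiosk-browser"
    client = ClientWebService(rs)
    client.login_with_oauth(browser, "alice")
    token = client.sessions[browser]
    client.logout(browser, also_logout_resource_server=user_confirms)
    return {
        "client_session_alive": browser in client.sessions,
        "provider_session_alive": browser in rs.sessions,
        "token_still_valid": token in rs.tokens,
    }
```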