Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks Shehroze Farooqi1, Fareed Zaffar2, Nektarios Leontiadis3, Zubair Shafiq1 University.

Presentation transcript:

Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks
Shehroze Farooqi (University of Iowa), Fareed Zaffar (Lahore University of Management Sciences), Nektarios Leontiadis (Facebook), Zubair Shafiq (University of Iowa)
Presented by Shehroze Farooqi

Key Contributions
  Security issue: OAuth access token leakage
  Measurement: Abuse of leaked access tokens by collusion networks
  Countermeasures: Mitigation of access token abuse

Outline
  Security issue: OAuth access token leakage
  Measurement: Abuse of leaked access tokens
  Countermeasures: Mitigation of access token abuse

OAuth Authorization Framework
  OAuth 2.0 [RFC 6749]
  Enables third-party applications to obtain restricted access to online services
  (Diagram: online services and third-party applications)

Single Sign On (SSO) Shehroze Farooqi

Access Token
  An opaque string
  Represents the authorization issued to the third-party application
  Provides an alternative to sharing the username/password
  Example token shown on the slide: EAACEdEose0cBAAP8fZCGOTmVi5wZAW4pUfZCf1cEEQaCAWEP7AOFqZCVOlesGdVI1ubVYcnbmU59FZAJsjMV65LFxzyVo

OAuth Workflow of Facebook Applications
  Server-side flow
  Client-side flow


Client-side Flow
  Benefits of the client-side flow:
    Supports applications that have no server
    Cross-platform interoperability
    Used by many browser-based applications such as games
  Security issue with the client-side flow:
    Applications are susceptible to access token leakage [RFC 6819]
  This work focuses on the applications susceptible to access token leakage

Identification of Susceptible Applications
  Scanned the 100 most popular applications
  Identified 9 susceptible applications

  Top 5 susceptible applications
  Application name      Monthly active users rank
  Spotify               4
  PlayStation Network   57
  Deezer                59
  Pandora               68
  HTC Sense             75

Implications of Leaked Access Tokens
  Passive: steal personal information (email, location, birth date, work history)
  Active: conduct malicious activities (spread malware; reputation manipulation, e.g., fake likes and fake comments)


Collusion Networks
  Users deliberately submit their access tokens and in exchange receive likes and comments
  Large-scale abuse of leaked access tokens: fake likes, fake comments
  Exploit top applications with millions of active users, e.g., HTC Sense (1 million monthly active users)
  Identified 50 collusion network websites, e.g., hublaa.me, official-liker.net

How a user joins a collusion network (diagram): Install application -> Retrieve access token -> Submit access token

Milking Collusion Networks
  Deployed honeypot accounts to milk collusion networks:
    Create a dummy post on Facebook
    Join a collusion network by submitting the access token
    Regularly submit posts to get likes and comments
  Automated the process for all collusion networks

Milking Process
  Steady increase in like count
  Repetition of unique users
  Diminishing returns
  (Plot: f8-autoliker.com)

Summary of Collected Data
  Submitted 11K+ posts
  Received 2.7 million likes
  Identified over a million members

  Top 3 collusion networks
  Collusion network    Number of posts submitted   Number of likes   Membership size
  Official-liker.net   1,757                       685,88            233,161
  Hublaa.me            1,421                       496,714           294,949
  F8-autolikers.com    1,311                       331,923           72,157
  All                  11,751                      2,753,153         1,150,782


Challenges in Proposing Countermeasures
  Block susceptible applications: impacts legitimate users
  Disable the client-side flow: breaks applications without a server; platform usability
  False positives: detection accuracy

Proposed Countermeasures
  Access token rate limits
  Honeypot-based access token invalidation
  Temporal clustering
  IP rate limits
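As an added example (not code from the paper or the talk), a small Python model of the four proposed countermeasures run over a constructed stream of like events; the event fields, thresholds, token names, post ids and IP addresses are all assumptions, and "honey" stands for a post owned by a honeypot account.

```python
from collections import defaultdict

# Constructed sample stream of "like" events: (time in seconds, access token,
# liked post, source IP). All values are placeholders, not real tokens or IPs.
EVENTS = [
    (0, "tokA", "post1", "10.0.0.1"), (1, "tokB", "post1", "10.0.0.1"),
    (2, "tokC", "post1", "10.0.0.1"), (3, "tokD", "post1", "10.0.0.2"),
    (5, "tokA", "honey", "10.0.0.1"), (6, "tokB", "honey", "10.0.0.1"),
    (60, "tokE", "post2", "10.0.0.9"), (61, "tokA", "post2", "10.0.0.1"),
    (62, "tokB", "post2", "10.0.0.1"), (63, "tokC", "post2", "10.0.0.1"),
    (900, "tokF", "post3", "10.0.0.5"),
]

def over_token_rate_limit(events, max_likes, window):
    """Tokens that issue more than max_likes likes inside any window seconds."""
    flagged, recent = set(), defaultdict(list)
    for t, tok, _, _ in sorted(events):
        times = recent[tok]
        times.append(t)
        while times[0] < t - window:  # drop likes that fell out of the window
            times.pop(0)
        if len(times) > max_likes:
            flagged.add(tok)
    return flagged

def honeypot_invalidation(events, honeypot_posts):
    """Tokens to invalidate because they liked a post owned by a honeypot account."""
    return {tok for _, tok, post, _ in events if post in honeypot_posts}

def temporal_clusters(events, window, min_tokens):
    """(post, tokens) groups: >= min_tokens distinct tokens liking one post within window seconds."""
    by_post = defaultdict(list)
    for t, tok, post, _ in sorted(events):
        by_post[post].append((t, tok))
    clusters = []
    for post, seq in by_post.items():
        i = 0
        while i < len(seq):
            j = i
            while j + 1 < len(seq) and seq[j + 1][0] - seq[i][0] <= window:
                j += 1  # extend the cluster while likes stay inside the window
            toks = frozenset(tok for _, tok in seq[i:j + 1])
            if len(toks) >= min_tokens:
                clusters.append((post, toks))
            i = j + 1
    return clusters

def over_ip_limit(events, max_tokens):
    """Source IPs that act through more than max_tokens distinct tokens."""
    per_ip = defaultdict(set)
    for _, tok, _, ip in events:
        per_ip[ip].add(tok)
    return {ip for ip, toks in per_ip.items() if len(toks) > max_tokens}
```

Each function returns the set of tokens or IPs a platform would throttle or invalidate; the thresholds are the knobs that trade detection against the false positives noted in the challenges slide.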

Impact of Countermeasures (one plot per slide)
  Experimental setup
  Establishing baseline
  Reduction in access token rate limit
  Access token invalidation: half of all tokens
  Access token invalidation: all tokens
  Access token invalidation: half of new tokens daily
  Access token invalidation: all new tokens daily
  Clustering-based access token invalidation
  IP address rate limits

Key Takeaways
  Countermeasures: an arms race, proven to be long lasting; robustness matters
  Security issues in OAuth: similar access token leakage and abuse on other online services; investigate other OAuth security flaws and potential attacks

Questions?
  Email: shehroze-farooqi@uiowa.edu
  Webpage: www.sites.google.com/site/shehrozefarooqi/