{"title":"如何向facebook应用程序授予更少的权限","authors":"Gianpiero Costantino, F. Martinelli, D. Sgandurra","doi":"10.1109/ISIAS.2013.6947733","DOIUrl":null,"url":null,"abstract":"Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"75 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"How to grant less permissions to facebook applications\",\"authors\":\"Gianpiero Costantino, F. Martinelli, D. Sgandurra\",\"doi\":\"10.1109/ISIAS.2013.6947733\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.\",\"PeriodicalId\":370107,\"journal\":{\"name\":\"2013 9th International Conference on Information Assurance and Security (IAS)\",\"volume\":\"75 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-12-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 9th International Conference on Information Assurance and Security (IAS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISIAS.2013.6947733\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 9th International Conference on Information Assurance and Security (IAS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISIAS.2013.6947733","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
摘要
单点登录(SSO)是一种身份验证过程,允许用户使用相同的凭据访问多个服务。另一方面,OAuth 2.0是一种允许授权应用程序访问存储在资源服务器中的数据的协议。所有使用“login with Facebook”过程对已经在Facebook注册的用户进行身份验证的网站或应用程序都给出了一个使用OAuth 2.0采用SSO的实际示例。在本文中,我们提出了一种机制,利用OAuth 2.0的弱点和对网站的缺失控制来展示如何通过减少“登录Facebook”过程中网站所需的范围数量来注册用户。最后,我们举例说明了利用所提出的机制并提供解决问题的解决方案的两个示例。
How to grant less permissions to facebook applications
Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
