Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Christian Mainka, Vladislav Mladenov, Jörg Schwenk
IEEE European Symposium on Security and Privacy (EuroS&P 2016)
Abstract
Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for centralized SSO systems like Kerberos, where each SP explicitely specifies which single IdP it trusts. However, a typical use case for SPs like Salesforce is that each customer is allowed to configure his own IdP. A malicious IdP should however only be able to compromise the security of those accounts on the SP for which it was configured. If different accounts can be compromised, this must be considered as a serious attack.
Additionally, in open systems like OpenID and OpenID Connect, the IdP for each customer account is dynamically detected in a discovery phase. Our research goal was to test if this phase can be used to trick a SP into using a malicious IdP for legitimate user accounts. Thus, by introducing a malicious IdP we evaluate in detail the popular and widely deployed SSO protocol OpenID. We found two novel classes of attacks, ID Spoofing (IDS) and Key Confusion (KC), on OpenID, which were not covered by previous research. Both attack classes allow compromising the security of all accounts on a vulnerable SP, even if those accounts were not allowed to use the malicious IdP.
As a result, we were able to compromise 12 out the most popular 17 existing OpenID implementations, including Sourceforge, Drupal, ownCloud and JIRA. We developed an open source tool OpenID Attacker, which enables the fully automated and fine granular testing of OpenID implementa tions. Our research helps to better understand the message flow in the OpenID protocol, the trust assumptions in the different components of the system, and implementation issues in OpenID components. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues. One year after our reports, we have evaluated 70 online websites. Some of them have upgraded their libraries and were safe from our attacks, but 26% were still vulnerable.
[Paper PDF]