Abstract
OAuth is the most commonly used access delegation protocol. It enables the connection of different APIs to build increasingly sophisticated applications that enhance and amplify our abilities. Increasingly, OAuth is used in applications where a significant amount of personal data is exposed about users. Despite this privacy risk, in most OAuth flows that a user encounters, there is a lack of fine-grained control over the amount of data that is shared on behalf of users. To mitigate these privacy issues we design and implement utAPIa, a middleware which enforces privacy policies on OAuth delegations. utAPIa allows users to modify API responses that are made on their behalf by filtering unrelated attributes and protecting their sensitive information. To enforce privacy policies, utAPIa uses OAuth’s standardized Rich Authorization Requests (RAR) extension, requiring no modifications to the existing OAuth protocol. We evaluate utAPIa in a proof-of-concept implementation and show the feasibility of our design, which incurs a reasonable performance overhead.
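As an added illustration of the idea in the abstract (not code from the paper or from utAPIa), the following shows how a per-user privacy policy carried in an OAuth Rich Authorization Requests (RFC 9396) `authorization_details` entry can be applied by a middleware to an upstream API response: attributes outside the policy are dropped and listed attributes are pseudonymized. The `type` and `locations` keys are RFC 9396 fields; the `attributes` and `pseudonymize` keys and all sample data are hypothetical and constructed here.

```python
"""Added example (not the paper's code): enforce a RAR-carried privacy
policy on an API response returned on a user's behalf."""
import hashlib

# Constructed RAR entry. "type"/"locations" are RFC 9396 fields; the
# "attributes" and "pseudonymize" keys are hypothetical API-specific
# extensions standing in for whatever policy encoding utAPIa uses.
AUTHORIZATION_DETAILS = [{
    "type": "profile_read",
    "locations": ["https://api.example.com/me"],
    "attributes": ["name", "email", "address.city"],   # allow-list only
    "pseudonymize": ["email"],                          # still released, but masked
}]

# Constructed upstream API response as the resource server would return it.
UPSTREAM_RESPONSE = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "phone": "+32 470 00 00 00",
    "address": {"street": "Main St 1", "city": "Leuven", "postcode": "3000"},
}


def pseudonymize(value: str) -> str:
    """Deterministic pseudonym: the client can correlate records across
    calls without learning the real attribute value."""
    return "pseud-" + hashlib.sha256(value.encode()).hexdigest()[:12]


def apply_policy(response: dict, details: list, location: str) -> dict:
    """Return only the attributes the RAR entry for `location` allows,
    replacing attributes listed under "pseudonymize" with pseudonyms.
    If no entry covers the endpoint, nothing is released (deny by default)."""
    for entry in details:
        if location in entry.get("locations", []):
            break
    else:
        return {}
    filtered: dict = {}
    for path in entry.get("attributes", []):
        keys = path.split(".")
        node = response
        for key in keys:                       # walk dotted path into nested dicts
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:                       # attribute absent upstream: skip
            continue
        if path in entry.get("pseudonymize", []):
            node = pseudonymize(str(node))
        target = filtered
        for key in keys[:-1]:                  # rebuild the nested structure
            target = target.setdefault(key, {})
        target[keys[-1]] = node
    return filtered
```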
Notes
1. In this paper, the focus is solely on OAuth 2.0, and not on the older and substantially different OAuth 1.0 protocol. Therefore, whenever the term OAuth is used, it refers to version 2.0 of the protocol.
3. https://www.authlete.com/. We are grateful to the Authlete team for generously providing us with an academic license for utilizing their APIs.
5. We also measured the latency as the relative increase in request serving time. The impact was not perceptible, however, due to the minimal computational overhead.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kalantari, S., Philippaerts, P., Dimova, Y., Hughes, D., Joosen, W., De Decker, B. (2024). A User-Centric Approach to API Delegations. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_16
DOI: https://doi.org/10.1007/978-3-031-51476-0_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51475-3
Online ISBN: 978-3-031-51476-0
eBook Packages: Computer Science (R0)