Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Christian Mainka, Vladislav Mladenov, Jörg Schwenk

TL;DR
This paper introduces a novel approach using malicious IdPs to analyze and attack SSO protocols, revealing new vulnerabilities in OpenID implementations and providing an open-source tool for testing and fixing these issues.
Contribution
It presents a new method for analyzing SSO security by employing malicious IdPs, uncovers four novel attack classes on OpenID, and automates attack discovery with an open-source tool.
Findings
Identified four new attack classes on OpenID
Successfully compromised 11 out of 16 real-world OpenID implementations
Developed an open-source tool for attack discovery and testing
Abstract
Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitly specifies which IdP it trusts. However, in open systems like OpenID and OpenID Connect, each user may set up their own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to…
Taxonomy
Topics: Web Application Security Vulnerabilities · User Authentication and Security Systems · Advanced Authentication Protocols Security
