ECE/INI/CS team to publish at ACM CCS 2014

September 29, 2014

A project that began as part of Assistant Research Professor Patrick Tague's Mobile Security course has led to recognition by Facebook and an Association for Computing Machinery (ACM) conference paper. A diverse team from ECE, INI and CS/Music was led by Eric Chen (ECE PhD) and included Yutong Pei (INI MSISTM), Yuan Tian (ECE PhD), Robert Kotcher (CS/Music MS) and Shuo Chen (Senior Researcher at Microsoft Research).

The team reported to Facebook an OAuth vulnerability in Instagram, one of the many popular applications that users regularly log in to with their Facebook credentials.

According to Eric Chen, “OAuth is a popular protocol used for authentication (account login) and authorization (API access delegation). However, since the security properties of authentication significantly differ from those of authorization, different ‘versions’ of the OAuth protocol must be used for each of the two use cases. Unfortunately, many applications often confuse authorization for authentication and deploy the wrong version of the OAuth protocol for their account login. The vulnerability we discovered in Instagram allowed any third-party application that used Facebook login to log into their user’s account on Instagram.”
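The flaw Chen describes is the classic confusion between an authorization token and an authentication assertion: an OAuth access token proves that the identity provider authorized some application to act for a user, not that the user is present at the application receiving the token. The following is an added illustration, not code from the paper, from the team, or from Facebook or Instagram. It models a simulated identity provider that mints signed bearer tokens tagged with the client they were issued to (an `aud` claim), a vulnerable login that accepts any valid token as proof of identity, and a hardened login that additionally checks the token was issued to this application. All names, keys and token formats are constructed for the example.

```python
# Added example: authorization token wrongly used as an authentication credential.
# The identity provider, applications, signing key and token format below are all
# constructed for illustration; they do not model Facebook's or Instagram's real APIs.
import base64
import hashlib
import hmac
import json
from typing import List, Optional

IDP_SECRET = b"constructed-idp-signing-key"  # shared secret of the simulated IdP


def _sign(payload: dict) -> str:
    """Encode a claims dict and append an HMAC so tampering is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the token's HMAC is valid, otherwise None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def issue_access_token(user_id: str, client_id: str, scopes: List[str]) -> str:
    """Simulated IdP: mint a bearer access token letting `client_id` act for `user_id`.
    The `aud` claim records which application the token was issued to."""
    return _sign({"sub": user_id, "aud": client_id, "scope": scopes, "typ": "access"})


def login_insecure(token: str, my_client_id: str) -> Optional[str]:
    """Vulnerable pattern: any valid access token is treated as proof of identity.
    A token the user granted to some *other* application is accepted here too,
    so whoever holds that token can log in as the user."""
    claims = _verify(token)
    if claims is None:
        return None
    return claims["sub"]  # never checks which application the token was issued to


def login_secure(token: str, my_client_id: str) -> Optional[str]:
    """Hardened pattern: accept only tokens the IdP issued to this application."""
    claims = _verify(token)
    if claims is None or claims.get("typ") != "access":
        return None
    if claims.get("aud") != my_client_id:
        return None  # token was issued to a different client; not evidence the user is here
    return claims["sub"]


if __name__ == "__main__":
    # Constructed scenario: the user authorized "third-party-app"; that token is then
    # presented to "photo-app" as if it were a login credential.
    foreign = issue_access_token("alice", "third-party-app", ["read_profile"])
    own = issue_access_token("alice", "photo-app", ["read_profile"])
    print("insecure login with foreign token:", login_insecure(foreign, "photo-app"))  # alice
    print("secure login with foreign token:  ", login_secure(foreign, "photo-app"))    # None
    print("secure login with own token:      ", login_secure(own, "photo-app"))        # alice
```

In a real deployment the audience check corresponds to validating the token against the provider's introspection or debug endpoint and comparing the reported application id with your own, or, for the authentication use case, using an OpenID Connect ID token whose `aud` claim is bound to your client and whose signature you verify yourself.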

The team received a $5,000 award from Facebook for the report.

The resulting paper “OAuth Demystified for Mobile Application Developers” will be published in the ACM Conference on Computer and Communications Security (CCS 2014).