Research area: Safety
Conference: International Conference on Ubiquitous Security
Sign in with Apple leverages the OpenID Connect authentication flow to let end-users sign in to websites and apps faster and more securely using their Apple ID. We designed CrawlQuestor, an authentication script written in Python with Selenium together with a Chrome extension written in JavaScript, which intercepts authorization request and response parameters and extracts them into a database built on the Django framework, to examine the first 3596 websites that support Sign in with Apple according to sso-monitor.me. Using CrawlQuestor, we extracted the browser-relayed message exchanges between Relying Parties (RPs) and the Apple server. We identified that 24 of the 621 RPs that used the web_message response_mode to deliver the authorization response were vulnerable to cross-site request forgery (CSRF), and that 78 of the 1916 RPs that used the form_post response_mode were also vulnerable to CSRF. These vulnerabilities were caused by architectural design choices made by RP developers and by Apple's insufficient documentation of the authentication framework. We compared our results with those of sso-monitor.me and established that 661 of the 3596 sites listed by sso-monitor.me as having implemented Sign in with Apple were false positives. Practical techniques to mitigate these attacks are recommended to RPs and Apple.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra |
| Site | Springer |
| Likes | 0 |