A security analysis of the OAuth protocol

The OAuth 2.0 authorization protocol standardises delegated authorization on the Web. Popular social networks such as Facebook, Google and Twitter implement their APIs based on the OAuth protocol to enhance user experience of social sign-on and social sharing. The intermediary authorization code can be potentially leaked during the transmission, which then may lead to its abuse. This paper uses an attacker model to study the security vulnerabilities of the OAuth 2.0 protocol. The experimental results show that common attacks such as replay attacks, impersonation attacks and forced-login CSRF attacks are capable of compromising the resources protected by the OAuth 2.0 protocol. The paper presents a systematic analysis of the potential root causes of the disclosed vulnerabilities.