
A User-Centric Approach to API Delegations

Enforcing Privacy Policies on OAuth Delegations

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14345)


Abstract

OAuth is the most commonly used access delegation protocol. It enables the connection of different APIs to build increasingly sophisticated applications that enhance and amplify our abilities. Increasingly, OAuth is used in applications where a significant amount of personal data about users is exposed. Despite this privacy risk, in most OAuth flows that a user encounters, there is a lack of fine-grained control over the amount of data that is shared on behalf of users. To mitigate these privacy issues, we design and implement utAPIa, a middleware that enforces privacy policies on OAuth delegations. utAPIa allows users to modify API responses that are made on their behalf by filtering unrelated attributes and protecting their sensitive information. To enforce privacy policies, utAPIa uses OAuth’s standardized Rich Authorization Requests (RAR) extension, requiring no modifications to the existing OAuth protocol. We evaluate utAPIa in a proof-of-concept implementation and show the feasibility of our design, which incurs a reasonable performance overhead.
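The following is an added illustration of the enforcement step described above, not code from the paper or from utAPIa: a middleware filter that reads a user's privacy policy out of an RFC 9396 `authorization_details` entry and applies it to the API response as RFC 6902 JSON Patch operations. The `privacy_patch` field, the JSON Patch encoding of the policy, the URL and the response data are all assumptions constructed for this example.

```python
import copy

# Constructed RFC 9396 authorization_details entry. "type", "locations" and
# "actions" are standard RAR fields; "privacy_patch" and its JSON Patch
# (RFC 6902) policy encoding are assumptions of this example, not utAPIa's.
AUTHORIZATION_DETAILS = [{
    "type": "profile_read", "actions": ["read"],
    "locations": ["https://api.example.com/me"],
    "privacy_patch": [
        {"op": "remove", "path": "/email"},
        {"op": "remove", "path": "/address/street"},
        {"op": "replace", "path": "/birthdate", "value": "1990"},
    ],
}]
# Constructed resource-server response for the user.
API_RESPONSE = {
    "id": 42, "name": "Ada", "email": "ada@example.com", "birthdate": "1990-12-10",
    "address": {"street": "1 Main St", "city": "Leuven"},
}

def _parent_and_key(doc, pointer):
    """Walk an RFC 6901 JSON Pointer; return its container and final key."""
    parts = [p.replace("~1", "/").replace("~0", "~") for p in pointer[1:].split("/")]
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node, (int(parts[-1]) if isinstance(node, list) else parts[-1])

def apply_patch(doc, patch):
    """Apply the remove/replace subset of RFC 6902 to a deep copy of doc.
    A missing target raises, as the RFC requires, so enforcement fails closed."""
    out = copy.deepcopy(doc)
    for op in patch:
        if op["op"] not in ("remove", "replace"):
            raise ValueError("unsupported op: " + op["op"])
        parent, key = _parent_and_key(out, op["path"])
        parent[key]  # KeyError/IndexError if the target attribute is absent
        if op["op"] == "remove":
            del parent[key]
        else:
            parent[key] = op["value"]
    return out

def enforce(authorization_details, resource_url, response):
    """Middleware step: apply every matching entry's policy to the response."""
    for detail in authorization_details:
        if resource_url in detail.get("locations", []):
            response = apply_patch(response, detail.get("privacy_patch", []))
    return response
```

Because a patch whose target is absent raises instead of being skipped, a policy that no longer matches the API's response shape blocks the delegation rather than silently passing the unfiltered data through.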



Notes

  1.

    In this paper, the focus is solely on OAuth 2.0, and not on the older and substantially different OAuth 1.0 protocol. Therefore, whenever the term OAuth is used, it refers to version 2.0 of the protocol.

  2.

    https://docs.aiohttp.org/.

  3.

    https://www.authlete.com/. We are grateful to the Authlete team for generously providing us with an academic license for utilizing their APIs.

  4.

    https://pypi.org/project/jsonpatch/.

  5.

    We also measured the latency as the relative increase in request serving time. The impact was not perceptible, however, due to the minimal computational overhead.



Correspondence to Shirin Kalantari or Pieter Philippaerts.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Kalantari, S., Philippaerts, P., Dimova, Y., Hughes, D., Joosen, W., De Decker, B. (2024). A User-Centric Approach to API Delegations. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_16


  • DOI: https://doi.org/10.1007/978-3-031-51476-0_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51475-3

  • Online ISBN: 978-3-031-51476-0

