Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Overview
  • Workshop Organizers
  • Registration Information
  • Registration Discounts
  • At a Glance
  • Calendar
  • Workshop Program
  • Birds-of-a-Feather Sessions
  • Co-located Workshops
  • Sponsorship
  • Activities
  • Hotel and Travel Information
  • Students
  • Questions
  • Help Promote!
  • For Participants
  • Call for Papers
  • Past Workshops

sponsors

Bronze Sponsor

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home ยป The Devil Is Phishing: Rethinking Web Single Sign-On Systems Security
Tweet

connect with us

https://twitter.com/usenixsecurity
https://www.facebook.com/usenixassociation
http://www.linkedin.com/groups/USENIX-Association-49559/about
https://plus.google.com/108588319090208187909/posts
http://www.youtube.com/user/USENIXAssociation

The Devil Is Phishing: Rethinking Web Single Sign-On Systems Security

Authors: 

Chuan Yue, University of Colorado, Colorado Springs

Abstract: 

One significant trend in online user authentication is using Web Single Sign-On (SSO) systems. Especially, open Web SSO standards such as OpenID and OAuth are rapidly gaining adoption on the Web, and they enable over one billion user accounts. However, the large-scale threat from phishing attacks to real-world Web SSO systems has been significantly underestimated and insufficiently analyzed. In this paper, we (1) pinpoint what are really unique in Web SSO phishing, (2) provide one example to illustrate how the identity providers (IdPs) of Web SSO systems can be spoofed with ease and precision, (3) present a preliminary user study to demonstrate the high effectiveness (20 out of 28, or 71% of participants became "victims") of Web SSO phishing attacks, and (4) call for a collective effort to effectively defend against the insidiousWeb SSO phishing attacks.

Chuan Yue, University of Colorado, Colorado Springs

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {179237,
author = {Chuan Yue},
title = {The Devil Is Phishing: Rethinking Web Single {Sign-On} Systems Security},
booktitle = {6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/leet13/workshop-program/presentation/yue},
publisher = {USENIX Association},
month = aug,
}
Download
Yue PDF
View the slides

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

Bronze Sponsors

© USENIX

  • Privacy Policy
  • Contact Us