Speaker: Ronghai Yang

Mainstream Identity Providers (e.g. Facebook, Sina) have adopted OAuth 2.0 protocol to support Single-Sign-On service. We will present several OAuth vulnerabilities, all of which can be exploited to sign into a victim’s mobile app account. These vulnerabilities have affected lots of popular third-party applications. Part of the result has been demonstrated on Black Hat Europe 2016.