Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks

We uncover a thriving ecosystem of large-scale reputation manipulation services on Facebook that leverage the principle of collusion. Collusion networks collect OAuth access tokens from colluding members and abuse them to provide fake likes or comments to their members. We carry out a comprehensive measurement study to understand how these collusion networks exploit popular third-party Facebook applications with weak security settings to retrieve OAuth access tokens. We infiltrate popular collusion networks using honeypots and identify more than one million colluding Facebook accounts by "milking" these collusion networks. We disclose our findings to Facebook and collaborate with them to implement a series of countermeasures that mitigate OAuth access token abuse without sacrificing application platform usability for third-party developers. These countermeasures remained in place until April 2017, after which Facebook implemented a set of unrelated changes in its infrastructure to counter collusion networks. We are the first to report and effectively mitigate large-scale OAuth access token abuse in the wild.
