{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,20]],"date-time":"2025-09-20T18:36:39Z","timestamp":1758393399856,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":47,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,15]],"date-time":"2021-11-15T00:00:00Z","timestamp":1636934400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001804","name":"Canada Research Chairs","doi-asserted-by":"publisher","award":["950-231004-2016; 950-231002-2016"],"award-info":[{"award-number":["950-231004-2016; 950-231002-2016"]}],"id":[{"id":"10.13039\/501100001804","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","award":["RGPIN-05339-2018; RGPAS-2017-507902"],"award-info":[{"award-number":["RGPIN-05339-2018; RGPAS-2017-507902"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,15]]},"DOI":"10.1145\/3463676.3485600","type":"proceedings-article","created":{"date-parts":[[2021,11,5]],"date-time":"2021-11-05T22:07:38Z","timestamp":1636150058000},"page":"195-208","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["Empirical Analysis and Privacy Implications in OAuth-based Single Sign-On Systems"],"prefix":"10.1145","author":[{"given":"Srivathsan G.","family":"Morkonda","sequence":"first","affiliation":[{"name":"Carleton University, Ottawa, ON, Canada"}]},{"given":"Sonia","family":"Chiasson","sequence":"additional","affiliation":[{"name":"Carleton University, Ottawa, ON, Canada"}]},{"given":"Paul C.","family":"van 
Oorschot","sequence":"additional","affiliation":[{"name":"Carleton University, Ottawa, ON, Canada"}]}],"member":"320","published-online":{"date-parts":[[2021,11,15]]},"reference":[{"volume-title":"https:\/\/www.appcensus.io\/","year":"2020","key":"e_1_3_2_1_1_1","unstructured":"Appcensus. https:\/\/www.appcensus.io\/ , 2020 . Appcensus. https:\/\/www.appcensus.io\/, 2020."},{"key":"e_1_3_2_1_2_1","volume-title":"Comparative Analysis and Framework Evaluating Web Single Sign-on Systems. ACM Computing Surveys, 53(5)","author":"Alaca F.","year":"2020","unstructured":"F. Alaca and P. C. van Oorschot . Comparative Analysis and Framework Evaluating Web Single Sign-on Systems. ACM Computing Surveys, 53(5) , 2020 . F. Alaca and P. C. van Oorschot. Comparative Analysis and Framework Evaluating Web Single Sign-on Systems. ACM Computing Surveys, 53(5), 2020."},{"volume-title":"The top 500 sites on the web. https:\/\/www.alexa.com\/topsites","year":"2021","key":"e_1_3_2_1_3_1","unstructured":"Alexa. The top 500 sites on the web. https:\/\/www.alexa.com\/topsites , 2021 . Alexa. The top 500 sites on the web. https:\/\/www.alexa.com\/topsites, 2021."},{"volume-title":"Top Sites by Category has been retired. https:\/\/support.alexa.com\/hc\/en-us\/articles\/360051913314","year":"2021","key":"e_1_3_2_1_4_1","unstructured":"Alexa. Top Sites by Category has been retired. https:\/\/support.alexa.com\/hc\/en-us\/articles\/360051913314 , 2021 . Alexa. Top Sites by Category has been retired. https:\/\/support.alexa.com\/hc\/en-us\/articles\/360051913314, 2021."},{"volume-title":"New Guidelines for Sign in with Apple. https:\/\/developer.apple.com\/news\/?id=09122019b","year":"2019","key":"e_1_3_2_1_5_1","unstructured":"Apple. New Guidelines for Sign in with Apple. https:\/\/developer.apple.com\/news\/?id=09122019b , 2019 . Apple. New Guidelines for Sign in with Apple. 
https:\/\/developer.apple.com\/news\/?id=09122019b, 2019."},{"volume-title":"App privacy labels now live on the App Store. https:\/\/developer.apple.com\/news\/?id=3wann9gh","year":"2020","key":"e_1_3_2_1_6_1","unstructured":"Apple. App privacy labels now live on the App Store. https:\/\/developer.apple.com\/news\/?id=3wann9gh , 2020 . Apple. App privacy labels now live on the App Store. https:\/\/developer.apple.com\/news\/?id=3wann9gh, 2020."},{"volume-title":"Sign in with Apple. https:\/\/developer.apple.com\/documentation\/sign_in_with_apple","year":"2021","key":"e_1_3_2_1_7_1","unstructured":"Apple. Sign in with Apple. https:\/\/developer.apple.com\/documentation\/sign_in_with_apple , 2021 . Apple. Sign in with Apple. https:\/\/developer.apple.com\/documentation\/sign_in_with_apple, 2021."},{"key":"e_1_3_2_1_8_1","volume-title":"NDSS","author":"Bai G.","year":"2013","unstructured":"G. Bai , J. Lei , G. Meng , S. S. Venkatraman , P. Saxena , J. Sun , Y. Liu , and J. S. Dong . AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations . In NDSS , 2013 . G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations. In NDSS, 2013."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"e_1_3_2_1_10_1","volume-title":"RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705","author":"Campbell B.","year":"2020","unstructured":"B. Campbell , J. Bradley , N. Sakimura , and T. Lodderstedt . RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705 , 2020 . B. Campbell, J. Bradley, N. Sakimura, and T. Lodderstedt. RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. 
https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705, 2020."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_2_1_12_1","volume-title":"Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev. https:\/\/www.zdnet.com\/article\/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev\/","author":"Cimpanu C.","year":"2020","unstructured":"C. Cimpanu . Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev. https:\/\/www.zdnet.com\/article\/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev\/ , 2020 . C. Cimpanu. Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev. https:\/\/www.zdnet.com\/article\/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev\/, 2020."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417869"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_2_1_15_1","unstructured":"Review. https:\/\/developers.facebook.com\/docs\/app-review 2021"},{"key":"e_1_3_2_1_16_1","volume-title":"https:\/\/developers.facebook.com\/docs\/graph-api\/","author":"Graph","year":"2021","unstructured":"Facebook. Graph API. https:\/\/developers.facebook.com\/docs\/graph-api\/ , 2021 . Facebook. Graph API. https:\/\/developers.facebook.com\/docs\/graph-api\/, 2021."},{"key":"e_1_3_2_1_17_1","volume-title":"https:\/\/developers.facebook.com\/docs\/permissions\/reference\/","author":"Reference Permissions","year":"2021","unstructured":"Facebook. Permissions Reference . https:\/\/developers.facebook.com\/docs\/permissions\/reference\/ , 2021 . Facebook. Permissions Reference. 
https:\/\/developers.facebook.com\/docs\/permissions\/reference\/, 2021."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2335356.2335360"},{"key":"e_1_3_2_1_19_1","volume-title":"OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer. https:\/\/datatracker.ietf.org\/doc\/html\/draft-fett-oauth-dpop-00","author":"Fett D.","year":"2019","unstructured":"D. Fett , J. Bradley , B. Campbell , T. Lodderstedt , and M. Jones . OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer. https:\/\/datatracker.ietf.org\/doc\/html\/draft-fett-oauth-dpop-00 , 2019 . D. Fett, J. Bradley, B. Campbell, T. Lodderstedt, and M. Jones. OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer. https:\/\/datatracker.ietf.org\/doc\/html\/draft-fett-oauth-dpop-00, 2019."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_2_1_21_1","volume-title":"An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web. In USENIX Security","author":"Ghasemisharif M.","year":"2018","unstructured":"M. Ghasemisharif , A. Ramesh , S. Checkoway , C. Kanich , and J. Polakis . O Single Sign-Off, Where Art Thou ? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web. In USENIX Security , 2018 . M. Ghasemisharif, A. Ramesh, S. Checkoway, C. Kanich, and J. Polakis. O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web. In USENIX Security, 2018."},{"key":"e_1_3_2_1_22_1","volume-title":"Information Exposure Through Query Strings in URL. https:\/\/owasp.org\/www-community\/vulnerabilities\/Information_exposure_through_query_strings_in_url","author":"Gilbert R.","year":"2021","unstructured":"R. Gilbert . Information Exposure Through Query Strings in URL. 
https:\/\/owasp.org\/www-community\/vulnerabilities\/Information_exposure_through_query_strings_in_url , 2021 . R. Gilbert. Information Exposure Through Query Strings in URL. https:\/\/owasp.org\/www-community\/vulnerabilities\/Information_exposure_through_query_strings_in_url, 2021."},{"volume-title":"Google API for Authentication. https:\/\/developers.google.com\/identity\/sign-in\/web\/reference","year":"2021","key":"e_1_3_2_1_23_1","unstructured":"Google. Google API for Authentication. https:\/\/developers.google.com\/identity\/sign-in\/web\/reference , 2021 . Google. Google API for Authentication. https:\/\/developers.google.com\/identity\/sign-in\/web\/reference, 2021."},{"key":"e_1_3_2_1_24_1","volume-title":"https:\/\/developers.google.com\/identity\/protocols\/oauth2\/scopes","author":"Is Auth","year":"2021","unstructured":"Google. O Auth 2.0 Scopes for Google AP Is . https:\/\/developers.google.com\/identity\/protocols\/oauth2\/scopes , 2021 . Google. OAuth 2.0 Scopes for Google APIs. https:\/\/developers.google.com\/identity\/protocols\/oauth2\/scopes, 2021."},{"volume-title":"OAuth API verification FAQs. https:\/\/support.google.com\/cloud\/answer\/9110914","year":"2021","key":"e_1_3_2_1_25_1","unstructured":"Google. OAuth API verification FAQs. https:\/\/support.google.com\/cloud\/answer\/9110914 , 2021 . Google. OAuth API verification FAQs. https:\/\/support.google.com\/cloud\/answer\/9110914, 2021."},{"key":"e_1_3_2_1_26_1","volume-title":"The OAuth 2.0 Authorization Framework. https:\/\/tools.ietf.org\/html\/rfc6749","author":"Hardt D.","year":"2012","unstructured":"D. Hardt . RFC 6749 : The OAuth 2.0 Authorization Framework. https:\/\/tools.ietf.org\/html\/rfc6749 , 2012 . D. Hardt. RFC 6749: The OAuth 2.0 Authorization Framework. https:\/\/tools.ietf.org\/html\/rfc6749, 2012."},{"key":"e_1_3_2_1_27_1","volume-title":"RFC 7519: JSON Web Token (JWT). https:\/\/tools.ietf.org\/html\/rfc7519","author":"Jones M. B.","year":"2015","unstructured":"M. B. 
Jones , J. Bradley , and N. Sakimura . RFC 7519: JSON Web Token (JWT). https:\/\/tools.ietf.org\/html\/rfc7519 , 2015 . M. B. Jones, J. Bradley, and N. Sakimura. RFC 7519: JSON Web Token (JWT). https:\/\/tools.ietf.org\/html\/rfc7519, 2015."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-34638-5_6"},{"volume-title":"Sign In with LinkedIn. https:\/\/docs.microsoft.com\/en-us\/linkedin\/consumer\/integrations\/self-serve\/sign-in-with-linkedin","year":"2018","key":"e_1_3_2_1_29_1","unstructured":"LinkedIn. Sign In with LinkedIn. https:\/\/docs.microsoft.com\/en-us\/linkedin\/consumer\/integrations\/self-serve\/sign-in-with-linkedin , 2018 . LinkedIn. Sign In with LinkedIn. https:\/\/docs.microsoft.com\/en-us\/linkedin\/consumer\/integrations\/self-serve\/sign-in-with-linkedin, 2018."},{"key":"e_1_3_2_1_30_1","volume-title":"Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on","author":"Mainka C.","year":"2016","unstructured":"C. Mainka , V. Mladenov , and J. Schwenk . Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on . In IEEE EuroS &P, 2016 . C. Mainka, V. Mladenov, and J. Schwenk. Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. In IEEE EuroS&P, 2016."},{"key":"e_1_3_2_1_31_1","volume-title":"SoK: Single Sign-On Security - An Evaluation of OpenID Connect","author":"Mainka C.","year":"2017","unstructured":"C. Mainka , V. Mladenov , J. Schwenk , and T. Wich . SoK: Single Sign-On Security - An Evaluation of OpenID Connect . In IEEE EuroS &P, 2017 . C. Mainka, V. Mladenov, J. Schwenk, and T. Wich. SoK: Single Sign-On Security - An Evaluation of OpenID Connect. In IEEE EuroS&P, 2017."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359183"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3397884"},{"key":"e_1_3_2_1_34_1","volume-title":"Is the OAuth 2.0 Implicit Flow Dead? 
https:\/\/developer.okta.com\/blog\/2019\/05\/01\/is-the-oauth-implicit-flow-dead","author":"Parecki A.","year":"2019","unstructured":"A. Parecki . Is the OAuth 2.0 Implicit Flow Dead? https:\/\/developer.okta.com\/blog\/2019\/05\/01\/is-the-oauth-implicit-flow-dead , 2019 . A. Parecki. Is the OAuth 2.0 Implicit Flow Dead? https:\/\/developer.okta.com\/blog\/2019\/05\/01\/is-the-oauth-implicit-flow-dead, 2019."},{"key":"e_1_3_2_1_35_1","volume-title":"USENIX Security","author":"Reardon J.","year":"2019","unstructured":"J. Reardon , \u00c1. Feal, P. Wijesekera , A. E. B. On , N. Vallina-Rodriguez , and S. Egelman . 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System . In USENIX Security , 2019 . J. Reardon, \u00c1. Feal, P. Wijesekera, A. E. B. On, N. Vallina-Rodriguez, and S. Egelman. 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System. In USENIX Security, 2019."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660460.2660471"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7636"},{"key":"e_1_3_2_1_38_1","volume-title":"OpenID Connect Core 1.0. https:\/\/openid.net\/specs\/openid-connect-core-1_0.html","author":"Sakimura N.","year":"2014","unstructured":"N. Sakimura , J. Bradley , M. B. Jones , B. de Medeiros , and C. Mortimore . OpenID Connect Core 1.0. https:\/\/openid.net\/specs\/openid-connect-core-1_0.html , 2014 . N. Sakimura, J. Bradley, M. B. Jones, B. de Medeiros, and C. Mortimore. OpenID Connect Core 1.0. https:\/\/openid.net\/specs\/openid-connect-core-1_0.html, 2014."},{"key":"e_1_3_2_1_39_1","volume-title":"https:\/\/www.selenium.dev\/documentation\/en\/webdriver\/","author":"WebDriver Selenium","year":"2021","unstructured":"Selenium. Selenium WebDriver . https:\/\/www.selenium.dev\/documentation\/en\/webdriver\/ , 2021 . Selenium. Selenium WebDriver. 
https:\/\/www.selenium.dev\/documentation\/en\/webdriver\/, 2021."},{"key":"e_1_3_2_1_40_1","volume-title":"Why Apple sells just 2.5% of India's smartphones. https:\/\/www.cnbc.com\/2018\/01\/29\/why-apple-sells-just-2-point-5-percent-of-indias-smartphones.html","author":"Singh M.","year":"2019","unstructured":"M. Singh . Why Apple sells just 2.5% of India's smartphones. https:\/\/www.cnbc.com\/2018\/01\/29\/why-apple-sells-just-2-point-5-percent-of-indias-smartphones.html , 2019 . M. Singh. Why Apple sells just 2.5% of India's smartphones. https:\/\/www.cnbc.com\/2018\/01\/29\/why-apple-sells-just-2-point-5-percent-of-indias-smartphones.html, 2019."},{"key":"e_1_3_2_1_41_1","volume-title":"SOUPS","author":"Stobert E.","year":"2014","unstructured":"E. Stobert and R. Biddle . The Password Life Cycle: User Behaviour in Managing Passwords . In SOUPS , 2014 . E. Stobert and R. Biddle. The Password Life Cycle: User Behaviour in Managing Passwords. In SOUPS, 2014."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2078827.2078833"},{"key":"e_1_3_2_1_44_1","volume-title":"Tools and Jewels","author":"van Oorschot P. C.","year":"2020","unstructured":"P. C. van Oorschot . Computer Security and the Internet : Tools and Jewels . Springer Nature , 2020 . P. C. van Oorschot. Computer Security and the Internet: Tools and Jewels. Springer Nature, 2020."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_2_1_47_1","volume-title":"USENIX Security","author":"Zhou Y.","year":"2014","unstructured":"Y. Zhou and D. Evans . SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities . In USENIX Security , 2014 . Y. Zhou and D. Evans. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. 
In USENIX Security, 2014."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event Republic of Korea","acronym":"CCS '21"},"container-title":["Proceedings of the 20th Workshop on Privacy in the Electronic Society"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3463676.3485600","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3463676.3485600","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:25:07Z","timestamp":1750195507000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3463676.3485600"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,15]]},"references-count":47,"alternative-id":["10.1145\/3463676.3485600","10.1145\/3463676"],"URL":"https:\/\/doi.org\/10.1145\/3463676.3485600","relation":{},"subject":[],"published":{"date-parts":[[2021,11,15]]},"assertion":[{"value":"2021-11-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}