{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T23:20:56Z","timestamp":1777591256580,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":63,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,10,26]],"date-time":"2022-10-26T00:00:00Z","timestamp":1666742400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,10,26]]},"DOI":"10.1145\/3545948.3545955","type":"proceedings-article","created":{"date-parts":[[2022,10,17]],"date-time":"2022-10-17T11:21:49Z","timestamp":1666005709000},"page":"460-481","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["OAuch: Exploring Security Compliance in the OAuth\u00a02.0 Ecosystem"],"prefix":"10.1145","author":[{"given":"Pieter","family":"Philippaerts","sequence":"first","affiliation":[{"name":"imec-DistriNet, KU Leuven, Belgium"}]},{"given":"Davy","family":"Preuveneers","sequence":"additional","affiliation":[{"name":"imec-DistriNet, KU Leuven, Belgium"}]},{"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[{"name":"imec-DistriNet, KU Leuven, Belgium"}]}],"member":"320","published-online":{"date-parts":[[2022,10,26]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT\u201914)","author":"Akhawe Devdatta","year":"2014","unstructured":"Devdatta Akhawe , Warren He , Zhiwei Li , Reza Moazzezi , and Dawn Song . 2014 . Clickjacking Revisited: A Perceptual View of UI Security . In Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT\u201914) . Devdatta Akhawe, Warren He, Zhiwei Li, Reza Moazzezi, and Dawn Song. 2014. Clickjacking Revisited: A Perceptual View of UI Security. In Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT\u201914)."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-140503"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-80825-9_2"},{"key":"e_1_3_2_1_4_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)","author":"Calzavara Stefano","year":"2018","unstructured":"Stefano Calzavara , Riccardo Focardi , Matteo Maffei , Clara Schneidewind , Marco Squarcina , and Mauro Tempesta . 2018 . WPSE: fortifying web protocols via browser-side security monitoring . In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18) . 1493\u20131510. Stefano Calzavara, Riccardo Focardi, Matteo Maffei, Clara Schneidewind, Marco Squarcina, and Mauro Tempesta. 2018. WPSE: fortifying web protocols via browser-side security monitoring. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18). 1493\u20131510."},{"key":"e_1_3_2_1_5_1","volume-title":"Universally Composable Security Analysis of OAuth v2.0. IACR Cryptol. ePrint Arch. 2011","author":"Chari Suresh","year":"2011","unstructured":"Suresh Chari , Charanjit\u00a0 S Jutla , and Arnab Roy . 2011. Universally Composable Security Analysis of OAuth v2.0. IACR Cryptol. ePrint Arch. 2011 ( 2011 ). Suresh Chari, Charanjit\u00a0S Jutla, and Arnab Roy. 2011. Universally Composable Security Analysis of OAuth v2.0. IACR Cryptol. ePrint Arch. 2011 (2011)."},{"key":"e_1_3_2_1_6_1","unstructured":"Eric Chen Yutong Pei Yuan Tian Shuo Chen Robert Kotcher and Patrick Tague. 2016. 1000 ways to die in mobile OAuth. In Blackhat USA.  Eric Chen Yutong Pei Yuan Tian Shuo Chen Robert Kotcher and Patrick Tague. 2016. 1000 ways to die in mobile OAuth. In Blackhat USA."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417869"},{"key":"e_1_3_2_1_9_1","volume-title":"Security evaluation of the OAuth 2.0 framework. Information and Computer Security 23 (03","author":"Ferry Eugene","year":"2015","unstructured":"Eugene Ferry , John O\u2019Raw , and Kevin Curran . 2015. Security evaluation of the OAuth 2.0 framework. Information and Computer Security 23 (03 2015 ). Eugene Ferry, John O\u2019Raw, and Kevin Curran. 2015. Security evaluation of the OAuth 2.0 framework. Information and Computer Security 23 (03 2015)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00067"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"crossref","unstructured":"Daniel Fett Ralf Kuesters and Guido Schmitz. 2014. An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. 673\u2013688\u00a0pages.  Daniel Fett Ralf Kuesters and Guido Schmitz. 2014. An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. 673\u2013688\u00a0pages.","DOI":"10.1109\/SP.2014.49"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2017.20"},{"key":"e_1_3_2_1_14_1","volume-title":"The OWASP Testing Guide 4.0. https:\/\/kennel209.gitbooks.io\/owasp-testing-guide-v4\/content\/en\/web_application_security_testing\/testing_for_clickjacking_otg-client-009.html. [Online","author":"Foundation OWASP","year":"2021","unstructured":"The\u00a0 OWASP Foundation . 2014. The OWASP Testing Guide 4.0. https:\/\/kennel209.gitbooks.io\/owasp-testing-guide-v4\/content\/en\/web_application_security_testing\/testing_for_clickjacking_otg-client-009.html. [Online ; accessed May 20, 2021 ]. The\u00a0OWASP Foundation. 2014. The OWASP Testing Guide 4.0. https:\/\/kennel209.gitbooks.io\/owasp-testing-guide-v4\/content\/en\/web_application_security_testing\/testing_for_clickjacking_otg-client-009.html. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_15_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201922)","author":"Ghasemisharif M.","year":"2022","unstructured":"M. Ghasemisharif , C. Kanich , and J. Polakis . 2022. Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments . In Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201922) . IEEE Computer Society, Los Alamitos, CA, USA, 1524\u20131524. https:\/\/doi.org\/10.1109\/SP46214. 2022 .00095 10.1109\/SP46214.2022.00095 M. Ghasemisharif, C. Kanich, and J. Polakis. 2022. Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments. In Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201922). IEEE Computer Society, Los Alamitos, CA, USA, 1524\u20131524. https:\/\/doi.org\/10.1109\/SP46214.2022.00095"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277314"},{"key":"e_1_3_2_1_17_1","unstructured":"Roland Hedberg. 2012. OpenID Connect Deployment Verification Tool. https:\/\/kantarainitiative.org\/confluence\/download\/attachments\/3408008\/Roland%20Hedberg%20-%20Kantara_summit_oic_test_tool.pdf  Roland Hedberg. 2012. OpenID Connect Deployment Verification Tool. https:\/\/kantarainitiative.org\/confluence\/download\/attachments\/3408008\/Roland%20Hedberg%20-%20Kantara_summit_oic_test_tool.pdf"},{"key":"e_1_3_2_1_18_1","unstructured":"Pili Hu and Wing Cheong\u00a0Lau. 2014. How to Leak a 100-Million-Node Social Graph in Just One Week? A Reflection on OAuth and API Design in Online Social Networks. In BlackHat USA.  Pili Hu and Wing Cheong\u00a0Lau. 2014. How to Leak a 100-Million-Node Social Graph in Just One Week? A Reflection on OAuth and API Design in Online Social Networks. In BlackHat USA."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660460.2660463"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 21st USENIX Security Symposium (USENIX Security 12)","author":"Huang Lin-Shung","year":"2012","unstructured":"Lin-Shung Huang , Alex Moshchuk , Helen\u00a0 J Wang , Stuart Schecter , and Collin Jackson . 2012 . Clickjacking: Attacks and defenses . In Proceedings of the 21st USENIX Security Symposium (USENIX Security 12) . Lin-Shung Huang, Alex Moshchuk, Helen\u00a0J Wang, Stuart Schecter, and Collin Jackson. 2012. Clickjacking: Attacks and defenses. In Proceedings of the 21st USENIX Security Symposium (USENIX Security 12)."},{"key":"e_1_3_2_1_21_1","volume-title":"A secure OAuth 2.0 implementation model. Master\u2019s thesis","author":"Koponen Ari-Pekka","unstructured":"Ari-Pekka Koponen . 2016. A secure OAuth 2.0 implementation model. Master\u2019s thesis . University of Jyv\u00e4skyl\u00e4 . Ari-Pekka Koponen. 2016. A secure OAuth 2.0 implementation model. Master\u2019s thesis. University of Jyv\u00e4skyl\u00e4."},{"key":"e_1_3_2_1_22_1","unstructured":"Itzik Kotler and Amit Klein. 2016. Crippling HTTPS with unholy PAC. In BlackHat USA.  Itzik Kotler and Amit Klein. 2016. Crippling HTTPS with unholy PAC. In BlackHat USA."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-13257-0_34"},{"key":"e_1_3_2_1_25_1","volume-title":"OpenID Connect. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201916)","author":"Li Wanpeng","year":"2016","unstructured":"Wanpeng Li and Chris\u00a0 J Mitchell . 2016 . Analysing the Security of Google\u2019s implementation of OpenID Connect. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201916) . Springer, 357\u2013376. Wanpeng Li and Chris\u00a0J Mitchell. 2016. Analysing the Security of Google\u2019s implementation of OpenID Connect. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201916). Springer, 357\u2013376."},{"key":"e_1_3_2_1_26_1","unstructured":"Wanpeng Li Chris\u00a0J Mitchell and Thomas Chen. 2018. Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect. arxiv:1801.07983\u00a0[cs.CR]  Wanpeng Li Chris\u00a0J Mitchell and Thomas Chen. 2018. Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect. arxiv:1801.07983\u00a0[cs.CR]"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2018.8514180"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-03251-7_3"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338500.3360331"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00025"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSNT.2011.141"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00036"},{"key":"e_1_3_2_1_33_1","volume-title":"Cerberus: Query-driven Scalable Security Checking for OAuth Service Provider Implementations.","author":"Rahat Tamjid\u00a0Al","year":"2022","unstructured":"Tamjid\u00a0Al Rahat , Yu Feng , and Yuan Tian . 2022 . Cerberus: Query-driven Scalable Security Checking for OAuth Service Provider Implementations. (2022). Tamjid\u00a0Al Rahat, Yu Feng, and Yuan Tian. 2022. Cerberus: Query-driven Scalable Security Checking for OAuth Service Provider Implementations. (2022)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2014.931489"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/MobServ.2014.15"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_13"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_2_1_38_1","unstructured":"The OWASP Foundation. 2013. OWASP Top 10 - 2013. Technical Report. http:\/\/owasptop10.googlecode.com\/files\/OWASP%20Top%2010%20-%202013.pdf  The OWASP Foundation. 2013. OWASP Top 10 - 2013. Technical Report. http:\/\/owasptop10.googlecode.com\/files\/OWASP%20Top%2010%20-%202013.pdf"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991105"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818024"},{"key":"e_1_3_2_1_41_1","unstructured":"Xianbo Wang Wing\u00a0Cheong Lau Ronghai Yang and Shangcheng Shi. 2019. Make Redirection Evil Again: URL Parser Issues in OAuth. In BlackHat Asia.  Xianbo Wang Wing\u00a0Cheong Lau Ronghai Yang and Shangcheng Shi. 2019. Make Redirection Evil Again: URL Parser Issues in OAuth. In BlackHat Asia."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14)","author":"Zhou Yuchen","year":"2014","unstructured":"Yuchen Zhou and David Evans . 2014 . SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities . In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14) . 495\u2013510. Yuchen Zhou and David Evans. 2014. SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14). 495\u2013510."},{"key":"e_1_3_2_1_44_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-security-topics. [Online","author":"Bradley John","year":"2021","unstructured":"John Bradley , Andrey Labunets , and Daniel Fett . 2020. O Auth 2.0 Security Best Current Practice . https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-security-topics. [Online ; accessed May 20, 2021 ]. John Bradley, Andrey Labunets, and Daniel Fett. 2020. OAuth 2.0 Security Best Current Practice. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-security-topics. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_45_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705. [Online","author":"Campbell Brian","year":"2021","unstructured":"Brian Campbell , John Bradley , Nat Sakimura , and Torsten Lodderstedt . 2020. O Auth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens . https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705. [Online ; accessed May 20, 2021 ]. Brian Campbell, John Bradley, Nat Sakimura, and Torsten Lodderstedt. 2020. OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8705. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_46_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8252. [Online","author":"Denniss William","year":"2021","unstructured":"William Denniss and John Bradley . 2017. O Auth 2.0 for Native Apps . https:\/\/datatracker.ietf.org\/doc\/html\/rfc8252. [Online ; accessed May 20, 2021 ]. William Denniss and John Bradley. 2017. OAuth 2.0 for Native Apps. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8252. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_47_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8628. [Online","author":"Denniss William","year":"2021","unstructured":"William Denniss , John Bradley , Michael Jones , and Hannes Tschofenig . 2019. O Auth 2.0 Device Authorization Grant . https:\/\/datatracker.ietf.org\/doc\/html\/rfc8628. [Online ; accessed May 20, 2021 ]. William Denniss, John Bradley, Michael Jones, and Hannes Tschofenig. 2019. OAuth 2.0 Device Authorization Grant. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8628. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_48_1","volume-title":"The OAuth 2.0 Authorization Framework. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6749. [Online","author":"Hardt Dick","year":"2021","unstructured":"Dick Hardt . 2012. The OAuth 2.0 Authorization Framework. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6749. [Online ; accessed May 20, 2021 ]. Dick Hardt. 2012. The OAuth 2.0 Authorization Framework. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6749. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_49_1","volume-title":"The OAuth 2.0 Authorization Framework: Bearer Token Usage. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6750. [Online","author":"Hardt Dick","year":"2021","unstructured":"Dick Hardt and Michael Jones . 2012. The OAuth 2.0 Authorization Framework: Bearer Token Usage. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6750. [Online ; accessed May 20, 2021 ]. Dick Hardt and Michael Jones. 2012. The OAuth 2.0 Authorization Framework: Bearer Token Usage. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6750. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_50_1","volume-title":"https:\/\/openid.net\/specs\/oauth-v2-form-post-response-mode-1_0.html. [Online","author":"Jones Michael","year":"2021","unstructured":"Michael Jones and Brian Campbell . 2015. O Auth 2.0 Form Post Response Mode . https:\/\/openid.net\/specs\/oauth-v2-form-post-response-mode-1_0.html. [Online ; accessed May 20, 2021 ]. Michael Jones and Brian Campbell. 2015. OAuth 2.0 Form Post Response Mode. https:\/\/openid.net\/specs\/oauth-v2-form-post-response-mode-1_0.html. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_51_1","volume-title":"JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7523. [Online","author":"Jones Michael","year":"2021","unstructured":"Michael Jones , Brian Campbell , and Chuck Mortimore . 2015. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7523. [Online ; accessed May 20, 2021 ]. Michael Jones, Brian Campbell, and Chuck Mortimore. 2015. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7523. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_52_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7009. [Online","author":"Lodderstedt Torsten","year":"2021","unstructured":"Torsten Lodderstedt , Stefanie Dronia , and Marius Scurtescu . 2013. O Auth 2.0 Token Revocation . https:\/\/datatracker.ietf.org\/doc\/html\/rfc7009. [Online ; accessed May 20, 2021 ]. Torsten Lodderstedt, Stefanie Dronia, and Marius Scurtescu. 2013. OAuth 2.0 Token Revocation. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7009. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_53_1","volume-title":"https:\/\/docs.kantarainitiative.org\/uma\/wg\/rec-oauth-uma-grant-2.0.html. [Online","author":"Machulak Maciej","year":"2021","unstructured":"Maciej Machulak and Justin Richer . 2018. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization . https:\/\/docs.kantarainitiative.org\/uma\/wg\/rec-oauth-uma-grant-2.0.html. [Online ; accessed May 20, 2021 ]. Maciej Machulak and Justin Richer. 2018. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization. https:\/\/docs.kantarainitiative.org\/uma\/wg\/rec-oauth-uma-grant-2.0.html. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_54_1","volume-title":"https:\/\/datatracker.ietf.org\/doc\/html\/rfc6819. [Online","author":"McGloin Mark","year":"2021","unstructured":"Mark McGloin and Phil Hunt . 2013. O Auth 2.0 Threat Model and Security Considerations . https:\/\/datatracker.ietf.org\/doc\/html\/rfc6819. [Online ; accessed May 20, 2021 ]. Mark McGloin and Phil Hunt. 2013. OAuth 2.0 Threat Model and Security Considerations. https:\/\/datatracker.ietf.org\/doc\/html\/rfc6819. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_55_1","volume-title":"Proof Key for Code Exchange by OAuth Public Clients. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7636. [Online","author":"Sakimura Nat","year":"2021","unstructured":"Nat Sakimura , John Bradley , and Naveen Agarwal . 2015. Proof Key for Code Exchange by OAuth Public Clients. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7636. [Online ; accessed May 20, 2021 ]. Nat Sakimura, John Bradley, and Naveen Agarwal. 2015. Proof Key for Code Exchange by OAuth Public Clients. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7636. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_56_1","volume-title":"https:\/\/openid.net\/specs\/openid-connect-core-1_0.html. [Online","author":"Sakimura Nat","year":"2021","unstructured":"Nat Sakimura , John Bradley , Michael\u00a0 B. Jones , Breno de Medeiros , and Chuck Mortimore . 2014. Open ID Connect . https:\/\/openid.net\/specs\/openid-connect-core-1_0.html. [Online ; accessed May 20, 2021 ]. Nat Sakimura, John Bradley, Michael\u00a0B. Jones, Breno de Medeiros, and Chuck Mortimore. 2014. OpenID Connect. https:\/\/openid.net\/specs\/openid-connect-core-1_0.html. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_57_1","volume-title":"https:\/\/openid.net\/certification\/. [Online","author":"Foundation The","year":"2021","unstructured":"The OpenID Foundation . 2022. Open ID Certification . https:\/\/openid.net\/certification\/. [Online ; accessed May 20, 2021 ]. The OpenID Foundation. 2022. OpenID Certification. https:\/\/openid.net\/certification\/. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_58_1","volume-title":"Microsoft fixes login vulnerability. https:\/\/www.foxbusiness.com\/technology\/microsoft-vulnerability-login-system. [Online","author":"Genovese Daniella","year":"2021","unstructured":"Daniella Genovese . 2019. Microsoft fixes login vulnerability. https:\/\/www.foxbusiness.com\/technology\/microsoft-vulnerability-login-system. [Online ; accessed May 20, 2021 ]. Daniella Genovese. 2019. Microsoft fixes login vulnerability. https:\/\/www.foxbusiness.com\/technology\/microsoft-vulnerability-login-system. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_59_1","volume-title":"Referer Leakage Vulnerability leads to OAuth token theft. https:\/\/hackerone.com\/reports\/787160. [Online","author":"Gomes Cassio","year":"2021","unstructured":"Cassio Gomes . 2019. Referer Leakage Vulnerability leads to OAuth token theft. https:\/\/hackerone.com\/reports\/787160. [Online ; accessed September 21, 2021 ]. Cassio Gomes. 2019. Referer Leakage Vulnerability leads to OAuth token theft. https:\/\/hackerone.com\/reports\/787160. [Online; accessed September 21, 2021]."},{"key":"e_1_3_2_1_60_1","unstructured":"Dan Goodin. 2020. Apple fixes bug that could have given hackers full access to user accounts. https:\/\/arstechnica.com\/information-technology\/2020\/06\/apple-fixes-bug-that-could-have-given-hackers-unauthorized-to-user-accounts\/. [Online; accessed May 20 2021].  Dan Goodin. 2020. Apple fixes bug that could have given hackers full access to user accounts. https:\/\/arstechnica.com\/information-technology\/2020\/06\/apple-fixes-bug-that-could-have-given-hackers-unauthorized-to-user-accounts\/. [Online; accessed May 20 2021]."},{"key":"e_1_3_2_1_61_1","volume-title":"10-Year Old Facebook OAuth Framework Flaw Discovered. https:\/\/latesthackingnews.com\/2020\/03\/03\/10-year-old-facebook-oauth-framework-flaw-discovered\/. [Online","author":"Hashim Abeerah","year":"2021","unstructured":"Abeerah Hashim . 2020. 10-Year Old Facebook OAuth Framework Flaw Discovered. https:\/\/latesthackingnews.com\/2020\/03\/03\/10-year-old-facebook-oauth-framework-flaw-discovered\/. [Online ; accessed May 20, 2021 ]. Abeerah Hashim. 2020. 10-Year Old Facebook OAuth Framework Flaw Discovered. https:\/\/latesthackingnews.com\/2020\/03\/03\/10-year-old-facebook-oauth-framework-flaw-discovered\/. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_62_1","volume-title":"Hacker Reveals How to Hack Any Facebook Account. https:\/\/thehackernews.com\/2016\/03\/hack-facebook-account.html. [Online","author":"Khandelwal Swati","year":"2021","unstructured":"Swati Khandelwal . 2016. Hacker Reveals How to Hack Any Facebook Account. https:\/\/thehackernews.com\/2016\/03\/hack-facebook-account.html. [Online ; accessed May 20, 2021 ]. Swati Khandelwal. 2016. Hacker Reveals How to Hack Any Facebook Account. https:\/\/thehackernews.com\/2016\/03\/hack-facebook-account.html. [Online; accessed May 20, 2021]."},{"key":"e_1_3_2_1_63_1","volume-title":"Race Conditions in OAuth 2 API implementations. https:\/\/hackerone.com\/reports\/55140. [Online","author":"Moroz Max","year":"2021","unstructured":"Max Moroz . 2017. Race Conditions in OAuth 2 API implementations. https:\/\/hackerone.com\/reports\/55140. [Online ; accessed May 20, 2021 ]. Max Moroz. 2017. Race Conditions in OAuth 2 API implementations. https:\/\/hackerone.com\/reports\/55140. [Online; accessed May 20, 2021]."}],"event":{"name":"RAID 2022: 25th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Limassol Cyprus","acronym":"RAID 2022"},"container-title":["Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3545948.3545955","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3545948.3545955","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:27Z","timestamp":1750188627000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3545948.3545955"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,26]]},"references-count":63,"alternative-id":["10.1145\/3545948.3545955","10.1145\/3545948"],"URL":"https:\/\/doi.org\/10.1145\/3545948.3545955","relation":{},"subject":[],"published":{"date-parts":[[2022,10,26]]},"assertion":[{"value":"2022-10-26","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}