Exploring the Insecurity of Google Account Registration Protocol via Model Checking

Tian Xie, Sihan Wang, Guan Hua Tu, Chi-Yu Li, Xinyu Lei

Research output: Conference contribution, peer-reviewed

2 Citations (Scopus)

Abstract

People nowadays use online service accounts (e.g., Google, Facebook, Twitter) to access certain services. Among them, Google accounts have become increasingly important for users. Not only do many Google services (e.g., Gmail, Google Voice, Google Play, etc.) require them, but many online services also trust and rely on them for operational needs (e.g., login based on Google accounts). This trend introduces a new type of attack that creates a large number of fake, but valid, Google accounts. The fake Google accounts allow the adversary to launch various cyber attacks towards Google account-related services. It motivates us to conduct an empirical security study on the Google account registration service. In this paper, we apply model checking techniques to systematically analyze the insecurity of Google account registration service. We develop a model-checking tool, GAcctAnalyzer, which consists of two phases: (1) service screening phase, which generates counterexamples from the violation of desired properties, and (2) experimental validation phase, which validates the counterexamples through real experiments. We use GAcctAnalyzer to discover four security vulnerabilities including design defects, operational slips, etc. Based on the discovered vulnerabilities, we devise two practical attacks against mobile users and Google: fake Google account generation and Google text/voice spamming attack. They can not only threaten the security of mobile applications and online services, but also cause the Google company to receive user complaints and lawsuits. We finally confirm the feasibility of these attacks through experiments, assess the real-world impact, and propose recommended solutions.

Original language: English
Title of host publication: 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 3087-3096
Number of pages: 10
ISBN (Electronic): 9781728124858
DOIs
Publication status: Published - Dec 2019
Event: 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 - Xiamen, China
Duration: 6 Dec 2019 to 9 Dec 2019

Publication series

Name: 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

Conference

Conference: 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Country/Territory: China
City: Xiamen
Period: 6/12/19 to 9/12/19
