TY - GEN
T1 - Exploring the Insecurity of Google Account Registration Protocol via Model Checking
AU - Xie, Tian
AU - Wang, Sihan
AU - Tu, Guan Hua
AU - Li, Chi-Yu
AU - Lei, Xinyu
PY - 2019/12
Y1 - 2019/12
N2 - People nowadays use online service accounts (e.g., Google, Facebook, Twitter) to access certain services. Among them, Google accounts have become increasingly important for users. Not only do many Google services (e.g., Gmail, Google Voice, Google Play, etc.) require them, but many online services also trust and rely on them for operational needs (e.g., login based on Google accounts). This trend introduces a new type of attacks that create a large number of fake, but valid, Google accounts. The fake Google accounts allow the adversary to launch various cyber attacks towards Google account-related services. It motivates us to conduct an empirical security study on the Google account registration service. In this paper, we apply model checking techniques to systematically analyze the insecurity of Google account registration service. We develop a model-checking tool, GAcctAnalyzer, which consists of two phases: (1) service screening phase, which generates counterexamples from the violation of desired properties, and (2) experimental validation phase, which validates the counterexamples through real experiments. We use GAcctAnalyzer to discover four security vulnerabilities including design defects, operational slips, etc. Based on the discovered vulnerabilities, we devise two practical attacks against mobile users and Google: fake Google account generation and Google text/voice spamming attack. They can not only threaten the security of mobile applications and online services, but also cause the Google company to receive user complaints and lawsuits. We finally confirm the feasibility of these attacks through experiments, assess the real-world impact, and propose recommended solutions.
AB - People nowadays use online service accounts (e.g., Google, Facebook, Twitter) to access certain services. Among them, Google accounts have become increasingly important for users. Not only do many Google services (e.g., Gmail, Google Voice, Google Play, etc.) require them, but many online services also trust and rely on them for operational needs (e.g., login based on Google accounts). This trend introduces a new type of attacks that create a large number of fake, but valid, Google accounts. The fake Google accounts allow the adversary to launch various cyber attacks towards Google account-related services. It motivates us to conduct an empirical security study on the Google account registration service. In this paper, we apply model checking techniques to systematically analyze the insecurity of Google account registration service. We develop a model-checking tool, GAcctAnalyzer, which consists of two phases: (1) service screening phase, which generates counterexamples from the violation of desired properties, and (2) experimental validation phase, which validates the counterexamples through real experiments. We use GAcctAnalyzer to discover four security vulnerabilities including design defects, operational slips, etc. Based on the discovered vulnerabilities, we devise two practical attacks against mobile users and Google: fake Google account generation and Google text/voice spamming attack. They can not only threaten the security of mobile applications and online services, but also cause the Google company to receive user complaints and lawsuits. We finally confirm the feasibility of these attacks through experiments, assess the real-world impact, and propose recommended solutions.
KW - Google account
KW - model checking
KW - registration
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85080900460&partnerID=8YFLogxK
U2 - 10.1109/SSCI44817.2019.9003113
DO - 10.1109/SSCI44817.2019.9003113
M3 - Conference contribution
AN - SCOPUS:85080900460
T3 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
SP - 3087
EP - 3096
BT - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Y2 - 6 December 2019 through 9 December 2019
ER -