Article ID: 6924050
Journal: Computers in Industry
Published Year: 2016
Pages: 9 Pages
File Type: PDF
Abstract
OAuth is an authorization protocol that lets users grant third-party applications access to resources stored at a server. OAuth itself, however, cannot prevent an attacker from counterfeiting the Authorization Server, so phishing attacks against it are common. Although OAuth 2.0 is widely used for web authorization, the counterfeiting problem remains unsolved. This paper proposes VOAuth (Validation OAuth), a novel solution that introduces a Validation System and optimizes the OAuth flows. The Validation System, consisting of a Validation Gateway and a Validation Client, guarantees the authenticity of the Authorization Server through tripartite consultation and a one-time pad, so users are protected from phishing because passwords are neither stored nor submitted for an extended period. To show that VOAuth effectively prevents phishing attacks, and counterfeiting of the Authorization Server in particular, countermeasures against phishing threat models are presented and VOAuth is formally verified with the Alloy Analyzer. Finally, VOAuth has been implemented in a production mobile Internet application that has been online for more than two years with over 15 million users. To date no leakage of user privacy data has occurred and no phished account has been reported, which provides further evidence of VOAuth's effectiveness.
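The threat the abstract targets is a counterfeit Authorization Server: the user is sent to a login page that looks like the real one, and the password goes to the attacker. The example below is added here as an illustration of that problem; it is not the paper's VOAuth Validation Gateway or Validation Client protocol, and the issuer, hostnames, metadata documents and client identifier are all constructed. It shows the minimal client-side check a plain OAuth 2.0 client can make before redirecting a user: the discovered server metadata must name the issuer the client was registered with (the RFC 8414 issuer-match rule), and the authorization endpoint must sit on that issuer's origin, so a lookalike host cannot be substituted.

```python
"""Pinned-issuer check for an OAuth 2.0 authorization endpoint.

Added illustration of the counterfeit-Authorization-Server problem; this is
NOT the VOAuth protocol from the paper. All hostnames, metadata and the
client_id below are constructed for the example.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed: the issuer the client was registered with, pinned at deploy time.
PINNED_ISSUER = "https://auth.example.com"

# Constructed metadata documents, in the shape of RFC 8414 discovery responses.
GENUINE_METADATA = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
}
# Claims the genuine issuer but points the login flow at a lookalike host.
COUNTERFEIT_LOOKALIKE = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com.login-verify.test/authorize",
    "token_endpoint": "https://auth.example.com.login-verify.test/token",
}
# Typosquatted issuer that is internally consistent but not the pinned one.
COUNTERFEIT_ISSUER = {
    "issuer": "https://auth-example.com",
    "authorization_endpoint": "https://auth-example.com/authorize",
    "token_endpoint": "https://auth-example.com/token",
}


class CounterfeitAuthorizationServer(Exception):
    """Raised when discovered metadata does not belong to the pinned issuer."""


def _same_origin(a: str, b: str) -> bool:
    """True if both URLs share scheme, host and port (explicit or default)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def validate_metadata(pinned_issuer: str, metadata: dict) -> str:
    """Return the authorization endpoint if metadata matches the pinned issuer.

    1. The pinned issuer must be https (a cleartext issuer can be rewritten).
    2. metadata['issuer'] must equal the pinned issuer exactly (RFC 8414).
    3. The authorization endpoint must be on the issuer's origin, so the
       user's password can only ever be typed into the genuine host.
    """
    if urlsplit(pinned_issuer).scheme != "https":
        raise CounterfeitAuthorizationServer("pinned issuer must use https")
    issuer = metadata.get("issuer")
    if issuer != pinned_issuer:
        raise CounterfeitAuthorizationServer(
            f"issuer mismatch: {issuer!r} != {pinned_issuer!r}")
    endpoint = metadata.get("authorization_endpoint", "")
    if not _same_origin(endpoint, pinned_issuer):
        raise CounterfeitAuthorizationServer(
            f"authorization_endpoint {endpoint!r} is not on the issuer origin")
    return endpoint


def is_counterfeit(pinned_issuer: str, metadata: dict) -> bool:
    """Convenience wrapper: True if the metadata fails the pinned-issuer check."""
    try:
        validate_metadata(pinned_issuer, metadata)
    except CounterfeitAuthorizationServer:
        return True
    return False


def build_authorization_url(pinned_issuer: str, metadata: dict,
                            client_id: str, redirect_uri: str):
    """Validate the server first, then build the redirect with a fresh state."""
    endpoint = validate_metadata(pinned_issuer, metadata)
    state = secrets.token_urlsafe(16)  # bound to the session; checked on return
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{endpoint}?{query}", state


if __name__ == "__main__":
    for name, doc in [("genuine", GENUINE_METADATA),
                      ("lookalike", COUNTERFEIT_LOOKALIKE),
                      ("typosquat", COUNTERFEIT_ISSUER)]:
        print(f"{name:10s} counterfeit={is_counterfeit(PINNED_ISSUER, doc)}")
    url, _ = build_authorization_url(PINNED_ISSUER, GENUINE_METADATA,
                                     "demo-client", "https://app.example.com/cb")
    print(url)
```

This check only rules out a server that is not where the client expects it to be; it does not help when the user is lured to a phishing page by a link outside the application, which is the case the paper's Validation System is designed to cover.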
Related Topics: Physical Sciences and Engineering; Computer Science; Computer Science Applications