
arxiv: 2605.22333 · v1 · pith:3JEZZWTMnew · submitted 2026-05-21 · 💻 cs.CR

A First Measurement Study on Authentication Security in Real-World Remote MCP Servers

Pith reviewed 2026-05-22 05:31 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Model Context Protocol, MCP, OAuth, authentication security, measurement study, remote servers, LLM agents, dynamic client registration

The pith

The first measurement of remote MCP server authentication finds every OAuth-enabled server has flaws, with 325 total issues identified.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper performs the first large-scale study of authentication security in real-world remote Model Context Protocol servers that allow large language models to interact with user services. It locates thousands of live servers and develops a taxonomy of flaws tailored to MCP's use of OAuth, including dynamic client registration and delegated authorization. Testing 119 servers reveals that all have at least one flaw and dynamic client registration problems affect almost all of them. These issues matter because they can lead to data leaks and account compromises in an emerging standard for AI agents connecting to personal accounts.

Core claim

Applying a semi-automated detection framework to 119 testable real-world OAuth-enabled MCP servers shows that each server exhibits at least one flaw, with a total of 325 flaws identified. Dynamic client registration flaws affect 96.6% of the tested servers. Among 7,973 identified live remote MCP servers, 40.55% expose tools without authentication. The study derives a taxonomy of four categories and nine concrete flaw types specific to MCP OAuth characteristics.

What carries the argument

The taxonomy of authentication flaws comprising three MCP-specific categories and conventional OAuth misconfigurations, detected through a semi-automated framework of passive traffic inspection and active dynamic probing.

If this is right

  • 40.55% of identified remote MCP servers expose tools without any authentication.
  • OAuth deployments in MCP feature open client environments, dynamic client registration, and delegated authorization that create new attack surfaces.
  • Many identified flaws can lead to sensitive information leakage and account takeover.
  • Responsible disclosure resulted in 9 CVE IDs being assigned.
  • There is an urgent need for hardened OAuth-based remote MCP deployments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Developers building MCP servers should prioritize securing or avoiding dynamic client registration to reduce risks.
  • Similar flaws could appear in other protocols where LLMs act as clients to user-linked services.
  • The pervasiveness suggests that MCP's design for ease of integration trades off security in ways not present in traditional OAuth setups.
  • Broader adoption of MCP may require new security guidelines or updates to OAuth practices for AI agents.

Load-bearing premise

The identified 7,973 servers and the 119 testable OAuth servers accurately represent real-world remote MCP deployments, and the probing framework detects flaws without significant false positives or missed issues.

What would settle it

An independent large-scale scan that finds many OAuth-enabled MCP servers free of all nine flaw types in the taxonomy would indicate the issues are not as pervasive as reported.

Figures

Figures reproduced from arXiv: 2605.22333 by Haoyang Zhang, Haozhe Zhang, Huijun Zhou, Min Yang, Mi Zhang, Xiaohan Zhang.

Figure 1: Demonstration of the remote MCP server authentication.
Figure 2: MCP specification authentication evolution timeline.
Figure 3: Two-step pipeline for discovering and validating remote MCP
Figure 4: Workflow of OAuth-based authentication in remote MCP deployments. P1 - P3 capture the MCP client-to-server flow, while PA captures delegated
Figure 5: Detection pipeline of our framework for detecting flaws in remote MCP OAuth deployments.
Figure 6: Overall flaw detection results on 119 MCP servers.
Figure 7: Case Study 1: Malicious client registration via open DCR.
Figure 8: Case Study 2: Nested context pollution leading to account
Figure 9: Case Study 3: Open redirect amplified by PKCE downgrade.
Original abstract

The Model Context Protocol (MCP) is emerging as a common interface connecting large language models (LLMs) with external services. Remote deployments are becoming increasingly important as agents connect to user-linked online services, such as social, productivity, and financial services. In such deployments, the authentication boundary between MCP clients and remote servers becomes security-critical, yet remains underexplored. We present the first measurement study of authentication security in real-world remote MCP servers. We identify 7,973 live remote MCP servers, finding that 40.55% expose tools without authentication. Among authenticated servers, OAuth is the dominant authorization mechanism for reaching remote services, and OAuth deployments in the MCP ecosystem commonly exhibit three characteristics: open client environments, dynamic client registration, and delegated authorization. These characteristics distinguish MCP deployments from traditional OAuth and introduce new attack surfaces. Guided by this observation, we derive a taxonomy of authentication flaws comprising three MCP-specific categories and conventional OAuth misconfigurations, for a total of four categories and nine concrete flaw types. To evaluate these flaws at scale, we implement a semi-automated detection framework that combines passive traffic inspection with active dynamic probing. Applying it to 119 testable real-world OAuth-enabled MCP servers, we find that each server exhibits at least one flaw, with a total of 325 flaws identified, among which dynamic client registration flaws affect 96.6% of tested servers. Many of these flaws can lead to sensitive information leakage and account takeover. Through responsible disclosure, we obtained 9 CVE IDs. Our findings expose pervasive authentication weaknesses in the MCP ecosystem and underscore the urgent need for hardened OAuth-based remote deployments.
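The abstract names three MCP OAuth characteristics (open client environments, dynamic client registration, delegated authorization) and the case-study figures name the concrete failures: open DCR, open redirect and PKCE downgrade. As an added example that is not the paper's framework or code, the following Python sketches the authorization-server side of a hardened deployment: registration gated by an RFC 7591 initial access token, exact redirect_uri matching, S256-only PKCE (RFC 7636) and an RFC 8707 resource check. The token set, client store and `RESOURCE` value are constructed placeholders.

```python
"""Minimal MCP OAuth authorization-server policy (added example, not the paper's code).

It closes the flaw classes this page names: open dynamic client registration
(DCR), open redirect via loose redirect_uri matching, PKCE downgrade, and
audience confusion via the RFC 8707 resource indicator.
"""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed in-memory state; a real server persists these.
INITIAL_ACCESS_TOKENS = {"iat-example"}         # parties allowed to register clients
CLIENTS: Dict[str, dict] = {}                    # client_id -> registration record
PENDING_CODES: Dict[str, dict] = {}              # authorization code -> bound context
RESOURCE = "https://mcp.example.com/mcp"         # this MCP server's identifier (assumed)


def make_challenge(verifier: str) -> str:
    """S256 code challenge for a verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def _redirect_uri_ok(uri: str) -> bool:
    """Absolute https URI (or loopback http), no fragment, no wildcard."""
    p = urlsplit(uri)
    if p.fragment or "*" in uri or not p.netloc:
        return False
    if p.scheme == "https":
        return True
    return p.scheme == "http" and p.hostname in ("127.0.0.1", "localhost", "::1")


def register_client(body: dict, initial_access_token: Optional[str]) -> Tuple[int, dict]:
    """RFC 7591 registration gated by an initial access token: no open DCR."""
    if initial_access_token not in INITIAL_ACCESS_TOKENS:
        return 401, {"error": "invalid_token"}
    uris = body.get("redirect_uris") or []
    if not uris or not all(_redirect_uri_ok(u) for u in uris):
        return 400, {"error": "invalid_redirect_uri"}
    client_id = secrets.token_urlsafe(16)
    CLIENTS[client_id] = {"redirect_uris": list(uris)}
    return 201, {"client_id": client_id, "redirect_uris": list(uris)}


def authorize(params: dict) -> Tuple[int, dict]:
    """Authorization endpoint: exact redirect_uri, S256 PKCE, resource binding."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return 400, {"error": "invalid_client"}
    # Exact string match against registered URIs, never prefix or substring.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return 400, {"error": "invalid_request", "detail": "redirect_uri not registered"}
    # Missing PKCE or method 'plain' is a downgrade; refuse rather than negotiate.
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return 400, {"error": "invalid_request", "detail": "S256 PKCE required"}
    # The code must be minted for this MCP server, not for another audience.
    if params.get("resource") != RESOURCE:
        return 400, {"error": "invalid_target"}
    code = secrets.token_urlsafe(24)
    PENDING_CODES[code] = {"client_id": params["client_id"],
                           "redirect_uri": params["redirect_uri"],
                           "code_challenge": params["code_challenge"]}
    return 302, {"code": code, "redirect_uri": params["redirect_uri"]}


def exchange_code(params: dict) -> Tuple[int, dict]:
    """Token endpoint: single-use code bound to client, redirect_uri and verifier."""
    pending = PENDING_CODES.pop(params.get("code", ""), None)
    if pending is None or pending["client_id"] != params.get("client_id"):
        return 400, {"error": "invalid_grant"}
    if pending["redirect_uri"] != params.get("redirect_uri"):
        return 400, {"error": "invalid_grant"}
    expected = make_challenge(params.get("code_verifier", ""))
    if not secrets.compare_digest(expected, pending["code_challenge"]):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```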

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. This paper presents the first measurement study of authentication security in real-world remote MCP servers. It identifies 7,973 live remote MCP servers, finding that 40.55% expose tools without authentication. Among authenticated servers, OAuth is dominant; applying a semi-automated passive-plus-active probing framework guided by an MCP-specific taxonomy of four categories and nine flaw types to 119 testable OAuth-enabled servers yields 325 flaws total, with every server exhibiting at least one flaw and dynamic client registration flaws affecting 96.6%. The work includes responsible disclosure resulting in 9 CVEs.

Significance. If the detection methodology holds, the findings are significant as the first empirical evidence of pervasive authentication weaknesses in the emerging MCP ecosystem for LLM-external service connections. The scale of server discovery, concrete flaw counts, and obtained CVEs highlight risks of information leakage and account takeover, supporting calls for hardened OAuth deployments. The study supplies concrete counts from large-scale scanning and testing.

major comments (1)
  1. [§3 (Detection Framework) and Abstract] The central claims that all 119 testable OAuth-enabled servers exhibit at least one flaw (total 325 flaws, 96.6% with dynamic client registration flaws) rest on the semi-automated passive-plus-active probing framework. No false-positive rate, manual verification fraction, or ground-truth comparison is reported, leaving open the possibility that probing responses are misinterpreted and directly weakening the pervasiveness conclusion for the tested set.
minor comments (2)
  1. The criteria for deeming a server 'testable' and the exact breakdown of the 7,973 servers into authenticated vs. unauthenticated subsets could be stated more explicitly to aid reproducibility.
  2. A brief discussion of potential scanning artifacts (e.g., rate-limiting responses or honeypot-like servers) would strengthen the methodology presentation without altering the core results.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for their careful and constructive review of our manuscript. We address the major comment on the validation of our detection framework below and have revised the manuscript to incorporate additional details on our verification procedures.

Point-by-point responses
  1. Referee: [§3 (Detection Framework) and Abstract] The central claims that all 119 testable OAuth-enabled servers exhibit at least one flaw (total 325 flaws, 96.6% with dynamic client registration flaws) rest on the semi-automated passive-plus-active probing framework. No false-positive rate, manual verification fraction, or ground-truth comparison is reported, leaving open the possibility that probing responses are misinterpreted and directly weakening the pervasiveness conclusion for the tested set.

    Authors: We thank the referee for this observation, which highlights an opportunity to strengthen the presentation of our methodology. Our semi-automated framework integrates passive traffic analysis with active probing specifically tailored to the nine flaw types in our MCP-specific taxonomy. Each flaw is identified only when the server response matches a predefined, observable indicator (for instance, acceptance of unauthenticated dynamic client registration requests or exposure of tokens without proper scope validation). To mitigate risks of misinterpretation, we conducted a post-hoc manual review of the full set of probe responses and logs for all 119 servers, confirming that every reported flaw aligned with the expected behavioral signature. In addition, we performed an in-depth manual verification on a randomly selected subset of 25 servers (approximately 21% of the testable set), including direct inspection of registration endpoints and token issuance behavior where ethically permissible. No false positives were identified in this subset. While a complete ground-truth oracle for every server is not feasible—owing to the dynamic, third-party nature of the services and constraints against exhaustive active testing that could affect availability—we have added a dedicated subsection in the revised §3 describing the verification process, the manual review fraction, and the rationale for relying on conservative, multi-stage indicators. These changes directly address the concern and reinforce the reliability of the pervasiveness claim.

    revision: yes

Circularity Check

0 steps flagged

No circularity: empirical measurement study with direct observation

Full rationale

This is an empirical measurement study that identifies live remote MCP servers via scanning, observes authentication characteristics, derives a taxonomy from those observations, and applies a custom probing framework to count flaws in a testable subset. No equations, fitted parameters, or predictions appear that reduce by construction to the paper's own inputs. Central claims rest on reported counts from passive-plus-active detection rather than any self-referential derivation or self-citation chain. The study is self-contained against external benchmarks in the sense that its results are falsifiable via independent replication of the server discovery and probing steps.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

No free parameters or invented entities; relies on domain assumptions about server representativeness and detection accuracy.

axioms (1)
  • Domain assumption: Identified live remote MCP servers and testable OAuth servers are representative of the broader ecosystem.
    The measurement claims depend on the scanning and selection process capturing a valid sample of real-world deployments.



Reference graph

Works this paper leans on

50 extracted references · 50 canonical work pages · 5 internal anchors

  1. [1]

    Building agents that reach production systems with MCP,

    Anthropic, “Building agents that reach production systems with MCP,” Anthropic Engineering Blog, https://claude.com/blog/ building-agents-that-reach-production-systems-with-mcp, 2026

  2. [2]

    A First Look at the Security Issues in the Model Context Protocol Ecosystem

    X. Li and X. Gao, “Toward understanding security issues in the model context protocol ecosystem,”arXiv preprint arXiv:2510.16558, 2025

  3. [3]

    Compatibility at a cost: Systematic discovery and exploitation of mcp clause-compliance vulnerabilities,

    N. Yang, W. Bai, and K. Lu, “Compatibility at a cost: Systematic discovery and exploitation of mcp clause-compliance vulnerabilities,” arXiv preprint arXiv:2603.10163, 2026

  4. [4]

    When MCP meets OAuth: Common pitfalls lead- ing to one-click account takeover,

    Obsidian Security, “When MCP meets OAuth: Common pitfalls lead- ing to one-click account takeover,” Obsidian Security Blog, 2025

  5. [5]

    Authorization – model context protocol,

    Anthropic, “Authorization – model context protocol,” https://modelcontextprotocol.io/specification/2025-11-25/basic/ authorization, 2025

  6. [6]

    Oauch: Exploring security compliance in the oauth 2.0 ecosystem,

    P. Philippaerts, D. Preuveneers, and W. Joosen, “Oauch: Exploring security compliance in the oauth 2.0 ecosystem,” inProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 2022, pp. 460–481

  7. [7]

    Systematic analysis of mcp security,

    Y . Guo, P. Liu, W. Ma, Z. Deng, X. Zhu, P. Di, X. Xiao, and S. Wen, “Systematic analysis of mcp security,”arXiv preprint arXiv:2508.12538, 2025

  8. [8]

    Mcp safety audit: Llms with the model context protocol allow major security exploits,

    B. Radosevich and J. Halloran, “Mcp safety audit: Llms with the model context protocol allow major security exploits,”arXiv preprint arXiv:2504.03767, 2025

  9. [9]

    Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers

    M. M. Hasan, H. Li, E. Fallahzadeh, G. K. Rajbahadur, B. Adams, and A. E. Hassan, “Model context protocol (mcp) at first glance: Studying the security and maintainability of mcp servers,”arXiv preprint arXiv:2506.13538, 2025

  10. [10]

    When mcp servers attack: Taxonomy, feasibility, and mitigation,

    W. Zhao, J. Liu, B. Ruan, S. Li, and Z. Liang, “When mcp servers attack: Taxonomy, feasibility, and mitigation,”arXiv preprint arXiv:2509.24272, 2025

  11. [11]

    Model Context Protocol,

    Anthropic, “Model Context Protocol,” https:// modelcontextprotocol.io/, 2024, accessed: 2026-05-07

  12. [12]

    Securing the model context protocol (mcp): Risks, controls, and governance,

    H. Errico, J. Ngiam, and S. Sojan, “Securing the model context protocol (mcp): Risks, controls, and governance,”arXiv preprint arXiv:2511.20920, 2025. 14

  13. [13]

    Breaking the protocol: Security anal- ysis of the model context protocol specification and prompt in- jection vulnerabilities in tool-integrated llm agents,

    N. Maloyan and D. Namiot, “Breaking the protocol: Security anal- ysis of the model context protocol specification and prompt in- jection vulnerabilities in tool-integrated llm agents,”arXiv preprint arXiv:2601.17549, 2026

  14. [14]

    Systematization of knowledge: Security and safety in the model context protocol ecosystem,

    S. Gaire, S. Gyawali, S. Mishra, S. Niroula, D. Thakur, and U. Yadav, “Systematization of knowledge: Security and safety in the model context protocol ecosystem,”arXiv preprint arXiv:2512.08290, 2025

  15. [15]

    Authorization – model context protocol,

    Anthropic, “Authorization – model context protocol,” https:// modelcontextprotocol.io/specification/2024-11-05, 2024

  16. [16]

    Authorization – model context protocol,

    Anthropic, “Authorization – model context protocol,” https://modelcontextprotocol.io/specification/2025-03-26/basic/ authorization, 2025

  17. [17]

    Proof Key for Code Exchange by OAuth Public Clients,

    N. Sakimura, J. Bradley, and N. Agarwal, “Proof Key for Code Exchange by OAuth Public Clients,” 2015. [Online]. Available: https://www.rfc-editor.org/rfc/rfc7636

  18. [18]

    OAuth 2.0 Dynamic Client Registration Protocol,

    J. Richer, M. B. Jones, J. Bradley, M. Machulak, and P. Hunt, “OAuth 2.0 Dynamic Client Registration Protocol,” 2015. [Online]. Available: https://www.rfc-editor.org/rfc/rfc7591

  19. [19]

    Authorization – model context protocol,

    Anthropic, “Authorization – model context protocol,” https://modelcontextprotocol.io/specification/2025-06-18/basic/ authorization, 2025

  20. [20]

    OAuth 2.0 Protected Resource Metadata,

    M. B. Jones, P. Hunt, and A. Parecki, “OAuth 2.0 Protected Resource Metadata,” 2025. [Online]. Available: https://www.rfc-editor.org/rfc/ rfc9728

  21. [21]

    Resource Indicators for OAuth 2.0,

    B. Campbell, J. Bradley, and H. Tschofenig, “Resource Indicators for OAuth 2.0,” RFC 8707, 2020. [Online]. Available: https: //www.rfc-editor.org/rfc/rfc8707

  22. [22]

    Give them an inch and they will take a mile: Understand- ing and measuring caller identity confusion in mcp-based ai systems,

    Y . Huang, B. Ma, B. Yan, X. Dai, Y . Zhang, M. Xu, K. Xu, and Y . Zhang, “Give them an inch and they will take a mile: Understand- ing and measuring caller identity confusion in mcp-based ai systems,” arXiv preprint arXiv:2603.07473, 2026

  23. [23]

    Authenticated delegation and authorized ai agents,

    T. South, S. Marro, T. Hardjono, R. Mahari, C. D. Whitney, D. Green- wood, A. Chan, and A. Pentland, “Authenticated delegation and authorized ai agents,”arXiv preprint arXiv:2501.09674, 2025

  24. [24]

    Aip: Agent identity protocol for verifiable delegation across mcp and a2a,

    S. Prakash, “Aip: Agent identity protocol for verifiable delegation across mcp and a2a,”arXiv preprint arXiv:2603.24775, 2026

  25. [25]

    FOFA Search Engine,

    FOFA, “FOFA Search Engine,” https://en.fofa.info/, 2026, accessed: 2026-05-07

  26. [26]

    Shodan Search Engine,

    Shodan, “Shodan Search Engine,” https://www.shodan.io/, 2026, ac- cessed: 2026-05-07

  27. [27]

    Empirical scanning analysis of censys and shodan,

    C. Bennett, A. Abdou, and P. C. van Oorschot, “Empirical scanning analysis of censys and shodan,” inWorkshop on Measurements, Attacks, and Defenses for the Web, 2021

  28. [28]

    Burp Suite,

    PortSwigger, “Burp Suite,” https://portswigger.net/burp, 2026, ac- cessed: 2026-05-07

  29. [29]

    PortSwigger oauth-scan,

    Maurizio Siddu, “PortSwigger oauth-scan,” https://github.com/ PortSwigger/oauth-scan, 2024, accessed: 2026-05-07

  30. [30]

    Agent2Agent (A2A) Protocol,

    Google, “Agent2Agent (A2A) Protocol,” https://a2a-protocol.org, 2025

  31. [31]

    Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP

    Z. Anbiaee, M. Rabbani, M. Mirani, G. Piya, I. Opushnyev, A. Ghor- bani, and S. Dadkhah, “Security threat modeling for emerging ai- agent protocols: A comparative analysis of mcp, a2a, agora, and anp,” arXiv preprint arXiv:2602.11327, 2026

  32. [32]

    Model context protocol (mcp): Landscape, security threats, and future research directions

    X. Hou, Y . Zhao, S. Wang, and H. Wang, “Model context protocol (mcp): Landscape, security threats, and future research directions.” ACM New York, NY , 2025

  33. [33]

    Parasites in the Toolchain: A Large-Scale Analysis of Attacks on the MCP Ecosystem

    S. Zhao, Q. Hou, Z. Zhan, Y . Wang, Y . Xie, Y . Guo, L. Chen, S. Li, and Z. Xue, “Mind your server: A systematic study of parasitic toolchain attacks on the mcp ecosystem,”arXiv preprint arXiv:2509.06572, 2025

  34. [34]

    Enterprise-grade security for the model context protocol (mcp): Frameworks and mitigation strategies,

    V . S. Narajala and I. Habler, “Enterprise-grade security for the model context protocol (mcp): Frameworks and mitigation strategies,” in 2026 IEEE 5th International Conference on AI in Cybersecurity (ICAIC). IEEE, 2026, pp. 1–8

  35. [35]

    Etdi: Mitigating tool squat- ting and rug pull attacks in model context protocol (mcp) by using oauth-enhanced tool definitions and policy-based access control,

    M. Bhatt, V . S. Narajala, and I. Habler, “Etdi: Mitigating tool squat- ting and rug pull attacks in model context protocol (mcp) by using oauth-enhanced tool definitions and policy-based access control,” in 2025 Cyber Awareness and Research Symposium (CARS). IEEE, 2025, pp. 1–6

  36. [36]

    Identity management for agentic ai: The new frontier of authorization, authentication, and security for an ai agent world,

    T. South, S. Nagabhushanaradhya, A. Dissanayaka, S. Cecchetti, G. Fletcher, V . Lu, A. Pietropaolo, D. H. Saxe, J. Lombardo, A. M. Shivalingaiahet al., “Identity management for agentic ai: The new frontier of authorization, authentication, and security for an ai agent world,”arXiv preprint arXiv:2510.25819, 2025

  37. [37]

    A comprehensive formal security analysis of oauth 2.0,

    D. Fett, R. K ¨usters, and G. Schmitz, “A comprehensive formal security analysis of oauth 2.0,” inProceedings of the 2016 ACM SIGSAC conference on computer and communications security, 2016, pp. 1204–1215

  38. [38]

    The web sso standard openid connect: In-depth formal security analysis and security guidelines,

    D. Fett, R. K ¨usters, and G. Schmitz, “The web sso standard openid connect: In-depth formal security analysis and security guidelines,” in 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 2017, pp. 189–202

  39. [39]

    An Extensive Formal Security Analysis of the OpenID Financial-grade API

    D. Fett, P. Hosseyni, and R. K ¨usters, “An extensive formal se- curity analysis of the openid financial-grade api,”arXiv preprint arXiv:1901.11520, 2019

  40. [40]

    Audience injection attacks: A new class of attacks on web-based authorization and authentication standards,

    P. Hosseyni, R. Kuesters, and T. W ¨urtele, “Audience injection attacks: A new class of attacks on web-based authorization and authentication standards,”Cryptology ePrint Archive, 2025

  41. [41]

    Revisiting OAuth 2.0 compliance: A two-year follow-up study,

    P. Philippaerts, D. Preuveneers, and W. Joosen, “Revisiting OAuth 2.0 compliance: A two-year follow-up study,” inProceedings of the 2023 IEEE European Symposium on Security and Privacy Workshops, 2023

  42. [42]

    Model-based security testing: An empirical study on OAuth 2.0 implementations,

    R. Yang, G. Li, W. C. Lau, K. Zhang, and P. Hu, “Model-based security testing: An empirical study on OAuth 2.0 implementations,” inProceedings of the 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2016

  43. [43]

    SSOScan: Automated testing of web appli- cations for single sign-on vulnerabilities,

    Y . Zhou and D. Evans, “SSOScan: Automated testing of web appli- cations for single sign-on vulnerabilities,” inProceedings of the 23rd USENIX Security Symposium, 2014

  44. [44]

    Vulnerability assessment of OAuth implementations in Android applications,

    H. Wang, Y . Zhang, J. Li, H. Liu, W. Yang, B. Li, and D. Gu, “Vulnerability assessment of OAuth implementations in Android applications,” inProceedings of the 31st Annual Computer Security Applications Conference (ACSAC), 2015

  45. [45]

    The Achilles’ heel of OAuth: A multi-platform study of OAuth-based authentication,

    H. Wang, Y . Zhang, J. Li, and D. Gu, “The Achilles’ heel of OAuth: A multi-platform study of OAuth-based authentication,” inProceed- ings of the 32nd Annual Computer Security Applications Conference (ACSAC), 2016

  46. [46]

    Make redirection evil again: Url parser issues in oauth,

    X. Wang, W. C. Lau, R. Yang, and S. Shi, “Make redirection evil again: Url parser issues in oauth,”BlackHat Asia, vol. 2019, 2019

  47. [47]

    Oauth 2.0 redirect uri validation falls short, literally,

    T. Innocenti, M. Golinelli, K. Onarlioglu, A. Mirheidari, B. Crispo, and E. Kirda, “Oauth 2.0 redirect uri validation falls short, literally,” inProceedings of the 39th Annual Computer Security Applications Conference, 2023, pp. 256–267

  48. [48]

    Do (not) follow the white rabbit: Challenging the myth of harmless open redirection,

    S. Khodayari, K. Glauber, and G. Pellegrino, “Do (not) follow the white rabbit: Challenging the myth of harmless open redirection,” 2025

  49. [49]

    Universal cross-app attacks: Exploiting and securing{OAuth}2.0 in integration platforms,

    K. Luo, X. Wang, P. H. A. Fung, W. C. Lau, and J. Lecomte, “Universal cross-app attacks: Exploiting and securing{OAuth}2.0 in integration platforms,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 3221–3238

  50. [50]

    “only as strong as the weakest link

    T. Innocenti, L. Jannett, C. Mainka, V . Mladenov, and E. Kirda, ““only as strong as the weakest link”: On the security of brokered single sign- on on the web,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 1009–1027. 15