A research of security in website account binding

Journal of Information Security and Applications(2020)

Abstract

More and more websites allow users to bind a third-party account, a mobile phone number or an email address to their account. Users can then log in to different websites through the bound third-party account or phone number, or recover a password via the bound email address, so the security of the binding process deserves close attention. In this article, we investigate the security of the account binding process. We design three attack models for different account binding methods: OAuth-based third-party account binding, Quick Response Code (QR code)-based third-party account binding, and mobile phone/email address binding. We assess the risk of these three attacks on 43 selected websites. According to our assessment results, 11 websites are vulnerable in third-party account binding and 4 websites are vulnerable in mobile phone or email address binding. To mitigate the possible hazards, we provide defensive measures for each stage of account binding.
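The abstract pairs the keywords CSRF and OAuth with third-party account binding. The following is an added example, not code from the paper or from any of the 43 sites it studied, that models the classic form of that attack: the attacker starts an OAuth binding flow with their own third-party account, stops at the callback, and lures a logged-in victim to that callback URL so the victim's site account gets bound to the attacker's third-party identity. The identity provider is replaced by a constructed in-process code table (IDP_CODES), and the names BindingServer, callback_vulnerable and callback_hardened are assumptions made for illustration. The hardened handler shows the usual defence: a per-session, single-use state value checked at the callback.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the identity provider's token endpoint:
# authorization code -> third-party account id. A real site would redeem
# the code over HTTPS; the table is assumed here so the example runs offline.
IDP_CODES = {
    "code-attacker-123": "idp-user-attacker",
    "code-victim-456": "idp-user-victim",
}


def parse_callback(url):
    """Extract the code/state query parameters from a callback URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("code", "state") if k in qs}


class BindingServer:
    """Minimal (assumed) model of a website that lets a logged-in user bind a third-party account."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "oauth_state": ...}
        self.bindings = {}  # site user -> bound third-party account id

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "oauth_state": None}
        return sid

    def start_binding(self, sid):
        """Step 1: generate a per-session state and store it before redirecting to the IdP."""
        state = secrets.token_urlsafe(16)
        self.sessions[sid]["oauth_state"] = state
        return state

    def callback_vulnerable(self, sid, code, state=None):
        """Vulnerable callback: binds the logged-in user to whatever account `code`
        redeems to, without checking that this session started the flow."""
        user = self.sessions[sid]["user"]
        self.bindings[user] = IDP_CODES[code]
        return True

    def callback_hardened(self, sid, code, state):
        """Hardened callback: accept only if `state` matches the value stored in this
        session, and consume it so a replay of the same link fails."""
        sess = self.sessions[sid]
        expected = sess["oauth_state"]
        if not expected or state is None or not hmac.compare_digest(expected, state):
            return False
        sess["oauth_state"] = None
        self.bindings[sess["user"]] = IDP_CODES[code]
        return True


def forged_callback_url(srv, attacker_sid):
    """Attacker runs the binding flow with their own third-party account, stops before
    the callback, and turns the callback into a link for the victim."""
    attacker_state = srv.start_binding(attacker_sid)
    return f"https://site.example/oauth/callback?code=code-attacker-123&state={attacker_state}"


def run_vulnerable():
    """Victim is lured to the forged link while logged in; returns who the victim is now bound to."""
    srv = BindingServer()
    attacker_sid = srv.login("attacker")
    victim_sid = srv.login("victim")
    params = parse_callback(forged_callback_url(srv, attacker_sid))
    srv.callback_vulnerable(victim_sid, **params)
    return srv.bindings.get("victim")  # "idp-user-attacker": attacker can now log in as the victim


def run_hardened():
    """Same lure against the hardened callback, then a legitimate binding and a replay."""
    srv = BindingServer()
    attacker_sid = srv.login("attacker")
    victim_sid = srv.login("victim")
    params = parse_callback(forged_callback_url(srv, attacker_sid))
    forged_accepted = srv.callback_hardened(victim_sid, **params)
    state = srv.start_binding(victim_sid)  # victim starts the flow in their own session
    legit_accepted = srv.callback_hardened(victim_sid, code="code-victim-456", state=state)
    replay_accepted = srv.callback_hardened(victim_sid, code="code-victim-456", state=state)
    return forged_accepted, legit_accepted, replay_accepted, srv.bindings.get("victim")


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:", run_hardened())
```

The forged link carries a syntactically valid state, but it was issued to the attacker's session; the hardened callback rejects it because the victim's session never stored that value, and the single-use reset also stops a captured legitimate link from being replayed.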
Keywords

Account binding, CSRF, OAuth