Detecting the Vulnerability of Multi-Party Authorization Protocols to Name Matching Attacks

Software as a Service (SaaS) clouds cooperate to provide services, which often provoke multi-party authorization. The multi-party authorization suffers the so-called name matching attacks where involved parties misinterpret the other parties in the authorization, thus leading to undesired or even fatal consequences (e.g., an adversary can shop for free or can log into a victim’s Facebook account). In this paper, we propose a scheme to detect the vulnerability of multi-party authorization protocols that are susceptible to name matching attacks. We implement the detecting scheme and apply it to real world multi-party authorization protocols including Alipay PeerPay, Amazon FPS Marketplace, and PayPal Express Checkout. New name matching attacks are found, and fixes are proposed accordingly.