idw – Informationsdienst Wissenschaft

05/21/2026 11:53

Audience Injection: Researchers in Stuttgart discover novel IT attacks – The defense mechanism is already operational

Jacqueline Gehrke Stabsstelle Hochschulkommunikation
Universität Stuttgart

    Researchers at the University of Stuttgart’s Institute of Information Security have developed a new security standard to counter a novel form of cyberattack – one they had previously identified themselves. The attacks specifically target web protocols used, for example, to manage login processes. This affects, among others, industries that handle sensitive data – such as healthcare, insurance, and banking. At the “IEEE Symposium on Security and Privacy” in San Francisco, researchers from Stuttgart will present their defense mechanism. DOI: 10.1109/SP63933.2026.00116

    Certain types of cyberattacks keep making headlines. Ransomware attacks are a common example: Attackers gain access to the IT system through individual devices, encrypt data, and demand a ransom. In the summer of 2025, researchers at the Institute for Information Security (SEC) at the University of Stuttgart – led by Director Prof. Dr. Ralf Küsters, along with Dr. Tim Würtele and Pedram Hosseyni – discovered an entirely new class of cyberattacks. “The targets of these attacks are not individual computers or websites, but protocols – guidelines for how parties on the internet exchange messages as securely as possible,” explains Tim Würtele. These protocols operate behind the scenes of websites and apps or determine how software functions. Their functionality is defined in what are known as standards.

    False identity

    The basic idea behind the attacks is always the same. They target a ubiquitous, protocol-driven process for verifying the identity of services and individuals. Example: Party A and Party B are exchanging information. B wants to be sure that A is actually A – and not someone pretending to be A. To this end, A digitally signs a document that contains A's name. This makes it clear who is identifying themselves. In addition, the document includes a second value – the “audience” field – which specifies the party to whom A is identifying itself; in this example, party B. However, specific vulnerabilities in the protocol enable a malicious party, C, to manipulate the “audience” field and thereby impersonate A to B. Because C “injects” an incorrect value into the verification process, this type of attack is known as an “audience injection attack”.

    The injection method was discovered during a security analysis of the “OpenID Federation” protocol developed by the U.S.-based OpenID Foundation, whose protocol standards are used worldwide. The Stuttgart Institute of Information Security specializes in analyzing such protocols, using its own “Web Infrastructure Model,” which was co-developed by the institute’s director, Ralf Küsters. This is a mathematical model that proves the security of protocols and indicates whether the protocol under examination is vulnerable or not. Since many protocols around the world are analyzed using the Stuttgart model, it quickly became clear that OpenID Federation is not an isolated case. A whole range of widely used protocols are at risk. For example, the “OpenID Connect” protocol, which is used, among other things, for logging in to Google, Apple, or Microsoft services.

    Sensitive data

    The FAPI 2.0 protocol family, which is used for user authentication and rights management and is deployed in business sectors that handle sensitive data – such as healthcare organizations, banks, and insurance companies – remains at risk. Anyone who hacks into these protocols gains access to patient data, investment portfolios, or account numbers. In these areas, FAPI 2.0 secures hundreds of millions of accounts worldwide – for example, on “Norsk Helsenett,” Norway’s national healthcare platform, which has been vulnerable to these new types of attacks.

    After discovering this new type of cyber threat last year, the researchers in Stuttgart first notified the relevant standardization bodies and software vendors so that the affected software could be patched before the attacks were made public. Within just a few months, they worked with standardization bodies to develop new, validated protocol standards – a process that typically takes several years. Preventing these attacks isn’t all that complicated, explains Würtele: “Sender A actually already has all the necessary information to securely select the audience value – namely, the exact IP address of recipient B.” Accordingly, the new standard developed in Stuttgart stipulates that the sender of the identification document may use only this one audience value, and no other.
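The A/B/C scenario from the “False identity” section and the sender-side rule described above, as an added illustration that is not part of the press release or of the researchers' publication. It assumes a simplified signed document (an HMAC stands in for A's digital signature, and identifiers are constructed URLs); the point it makes is that B's own audience check is not enough when A lets the audience value be steered, so the fix has to sit with the sender.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for A's signing key (assumption; the real
# protocols use asymmetric digital signatures, which changes nothing below).
SIGNING_KEY = b"constructed-demo-key-for-party-A"


def sign(claims: dict) -> dict:
    """A signs a document naming itself ('sub') and the intended recipient ('aud')."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "sig": hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()}


def issue_weak(sender_id: str, requested_aud: str) -> dict:
    """Weak sender: the audience is whatever value arrived during the exchange.

    This models the manipulation the press release describes: if C can influence
    that value while talking to A, A signs a document addressed to B instead of C.
    """
    return sign({"sub": sender_id, "aud": requested_aud})


def issue_strict(sender_id: str, recipient_id: str) -> dict:
    """Hardened sender: the audience is the recipient's exact, pre-established
    identifier and nothing else (the rule the new standard stipulates)."""
    return sign({"sub": sender_id, "aud": recipient_id})


def verify(doc: dict, my_id: str) -> bool:
    """Recipient B: check the signature, then insist that 'aud' is exactly B."""
    body = json.dumps(doc["claims"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["sig"]):
        return False
    return doc["claims"]["aud"] == my_id


def scenario() -> dict:
    """A is interacting with C; C then presents A's document to B."""
    a, b, c = "https://a.example", "https://b.example", "https://c.example"
    steered = issue_weak(a, b)      # C steered the audience value to B
    pinned = issue_strict(a, c)     # A pins the audience to C's own identifier
    tampered = issue_strict(a, c)   # C cannot simply edit the field afterwards
    tampered["claims"]["aud"] = b
    return {"weak_sender_accepted_by_B": verify(steered, b),
            "strict_sender_accepted_by_B": verify(pinned, b),
            "edited_field_accepted_by_B": verify(tampered, b),
            "strict_sender_accepted_by_C": verify(pinned, c)}
```

B's check rejects a forged or edited audience, but only the strict sender prevents C from obtaining a genuinely signed document addressed to B.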

    Conduct analyses early enough

    The researchers are presenting this new class of cyberattacks and the new security mechanisms at the “IEEE Symposium on Security and Privacy” in San Francisco, the most important gathering of the international IT security research community. At the same time, the Stuttgart-based institute is working to reduce the workload involved in the analyses and speed up the entire process. In particular, the process of determining certainty or uncertainty within the mathematical model should be able to be carried out with computer assistance in the future. “The creation of the model – which currently still requires a great deal of time and expertise – would then simply be a matter of implementing the protocol in a suitable programming language, something any experienced software developer could do,” explains Würtele.

    Another important point is that, in the future, analyses will take place during – rather than after – the development of the protocols. After all, once the protocols are embedded in thousands of software packages, updates become time-consuming and costly for everyone involved. It would be much better if the protocols were secure from the start. That is exactly how the upcoming EU Digital Identity Wallet is supposed to work. Here, too, the institute is working closely with the OpenID Foundation. The protocols that will form the basis of the “digital wallet” are being developed under the umbrella of the U.S. organization.

    Web Infrastructure Model

    The mathematical models developed in Stuttgart describe a protocol in the form of highly complex equations. If everything goes well, the result will be what is known as a safety certificate. In other words, an attack is mathematically impossible, encompassing all conceivable – and even currently inconceivable – forms of attack. If, on the other hand, the equation does not hold, this means, for example, that attacker C can impersonate the innocent party A. Würtele: “Our model remains the most detailed one available – at the cutting edge of research, so to speak.” This approach enables detailed analysis of highly complex protocols without requiring simultaneous consideration of thousands of pages of standards. In practice, it has repeatedly uncovered novel attacks, even on protocols that had already been analyzed using other models.


    Contact for scientific information:

    Dr. Tim Würtele, University of Stuttgart, Institute of Information Security (SEC), tel: +49 711 685 88468, email: tim.wuertele@sec.uni-stuttgart.de


    Original publication:

    Pedram Hosseyni, Ralf Küsters, and Tim Würtele, “Audience Injection Attacks: A New Class of Attacks on Web-Based Authorization and Authentication Standards,” in 47th IEEE Symposium on Security and Privacy (S&P 2026), 2026, pp. 205–222. DOI: https://computer.org/10.1109/SP63933.2026.00116


    More information:

    https://www.uni-stuttgart.de/en/university/news/all/Audience-Injection-Researche...
    https://www.sec.uni-stuttgart.de/
    https://www.sec.uni-stuttgart.de/research/wim/


    Images

    Dr. Tim Würtele conducts research on the security of protocols for digital identities at the Institute for Information Security (SEC).
    Source: Institute SEC
    Copyright: Institute of Information Security (SEC)


    Criteria of this press release:
    Journalists, all interested persons
    Information technology
    transregional, national
    Research results, Transfer of Science or Research
    English

