
tetraph.com's blog

http://www.tetraph.com/blog/


Hack Facebook Account Based on OAuth 2.0 Covert Redirect Vulnerability (Information Leakage and URL Redirect) (Attacking Facebook via an OAuth 2.0 vulnerability: information leakage, URL redirect)

2014-05-02 22:40:46 | Category: OAuth 2.0 vulnerabilities



I found a new way to attack Facebook's OAuth 2.0 implementation based on the Covert Redirect vulnerability (http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html).

Facebook replied:

"Short of forcing every single application on the platform to use a whitelist, which isn't something that can be accomplished in the short term, do you have any recommendations on actions we can take here?"

"For any URL, it has a particular value "&h". If the URL is changed, there is no permission any more. That means the modified URL will not get any "&h", because it is illegal."

"Yes. As you mentioned, that's how our Linkshim system works. As I said, that doesn't seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users."




The vulnerability could lead to Open Redirect Attacks (https://www.owasp.org/index.php/Open_redirect) to both Facebook and third-party Apps. 

In Facebook's case, these attacks might expose "the token" (the OAuth access token) of the site's users, which could be used to access user information. The information could include basic data such as email address, age, locale and work history. If "the token" carries greater privilege (the user has to consent to that in the first place), the attacker could obtain more sensitive information, such as the mailbox, friends list and online presence, and could even operate the account on the user's behalf.




Unfortunately, it is difficult to patch the problem because the system is shared by a large number of third-party websites (the clients) that use Facebook OAuth 2.0. The vulnerability is usually due to an existing weakness in the third-party websites. However, they have little incentive to fix the problem. One concern is the cost; the other is that, in their view, Facebook is responsible for making the attacks appear more credible, so it is not solely their problem. The onus would then fall onto Facebook again. However, to Facebook, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain the cooperation of all the different clients, which is a daunting task.


The reply from Facebook underscores the difficulty. Facebook said that "[they] understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term." 

Patching this vulnerability is easier said than done. If all the third-party applications strictly adhered to a whitelist of redirect URLs, there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this, for various reasons.
 
I suggested that Facebook could enhance the verification process so as to preempt redirections to unidentified URLs. Facebook told me that "[the] Linkshim system (Facebook's new security system) works that way, [but] that doesn't seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users."

A better alternative is Facebook developing a more thorough verification procedure to prevent such attacks.
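The two checks discussed above, as an added example that is not code from the post, from Facebook or from any real client app: an authorization-server check that only compares the redirect host (the loose form that lets a redirect-capable path on a registered site pass) beside an exact-match whitelist, plus the client-side check on a post-login "next" parameter that removes the underlying open redirect. The host "example-app.test" and the URI set are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed registration data for a hypothetical client app.
REGISTERED_REDIRECT_URIS = {
    "https://example-app.test/oauth/callback",
}


def loose_domain_match(redirect_uri: str) -> bool:
    """Authorization-server check that compares only the host.

    This is the weak form the post describes: any path on a registered host
    is accepted, so an open redirect on that host forwards the token onward.
    """
    registered_hosts = {urlparse(u).netloc for u in REGISTERED_REDIRECT_URIS}
    return urlparse(redirect_uri).netloc in registered_hosts


def strict_whitelist_match(redirect_uri: str) -> bool:
    """Exact-match whitelist: scheme, host, path and query must all be identical."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def safe_next_url(next_param: str, default: str = "/") -> str:
    """Client-side check for a post-login 'next' parameter.

    Only site-relative paths are kept; absolute URLs, scheme-relative
    '//host' forms and backslash tricks fall back to the default page.
    """
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:          # absolute or //host form
        return default
    if "\\" in next_param:                      # browsers may treat \ as /
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param


if __name__ == "__main__":
    uri = "https://example-app.test/redirect?to=https://other.test/"
    print("loose  :", loose_domain_match(uri))       # True  (weak check passes)
    print("strict :", strict_whitelist_match(uri))   # False (exact match rejects)
    print("next   :", safe_next_url("//other.test/"))  # "/"
```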
Reads: 798 | Comments: 1


Copyright © 1997-2014 NetEase