Tetraph's Blog
Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

2014-05-02 23:18:30 | Category: Covert Redirect


I found that OAuth 2.0 and OpenID have a serious Covert Redirect (http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html) vulnerability.


The vulnerability affects the OAuth 2.0 and OpenID providers of most major internet companies, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, QQ, Taobao, Weibo, VK, Mail.Ru, PayPal, GitHub, Sohu and so on. I will introduce their vulnerabilities in detail one by one in the near future.


The name Covert Redirect is derived from, and intended to contrast with, the existing vulnerability class Open Redirect.




Detailed explanation of the vulnerability:

Youtube: http://www.youtube.com/user/tetraph

Youku: http://i.youku.com/tetraph

Blog: http://tetraph.com/blog/

Blogspot: http://tetraph.blogspot.com

163 Blog: http://tetraph.blog.163.com/


The vulnerability could lead to Open Redirect attacks (https://www.owasp.org/index.php/Open_redirect) against both clients and providers of OAuth 2.0 or OpenID. For OAuth 2.0, these attacks might jeopardize “the token” of the site's users, which could then be used to access their information. In the case of Facebook, that information could include basic details such as email address, age, locale and work history. If “the token” carries greater privileges (which the user has to consent to in the first place), the attacker could obtain more sensitive information, such as the mailbox, friends list and online presence, and could even operate the account on the user's behalf.


For OpenID, the attacker may obtain the user's information directly. Compounded by the large number of companies involved, this vulnerability could have huge consequences if left unresolved.


Unfortunately, the problem is difficult to patch because the system is shared by a large host company (the provider) and numerous third-party websites (the clients) that use OAuth 2.0 and OpenID to gain access to the host company's large user base. The vulnerability usually stems from an existing weakness in the third-party websites. However, they have little incentive to fix the problem: one concern is the cost, and the other is that, in their view, the host company is responsible for making the attacks appear more credible, so it is not solely their problem. The onus would then fall onto the Big Brother (the provider). However, from the provider's point of view the problem does not originate from its own website, and even if it is willing to take on the responsibility, it has to gain the cooperation of all the different clients, which is a daunting task.


I have reported the vulnerability to the related companies.


Facebook said "[they] understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term."


Google said "[they] are aware of the problem and are tracking it at the moment."


LinkedIn said "[they] have published a blog post on how [they] intend to address [the problem]."

( Blog address: https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls )
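The register-your-redirect-URLs remedy that LinkedIn's post describes, shown as an added example (not code from the original post or from any provider): a loose domain-level redirect_uri check, which is what lets an open redirector on the client's domain receive the code or token, beside an exact-match whitelist check. The client host, the registered URI and the sample request values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Redirect URI a hypothetical client registered with the provider
# (constructed sample value, not from any real provider or client).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://client.example/oauth/callback",
})


def loose_redirect_uri_ok(redirect_uri: str) -> bool:
    """Weak check: any HTTPS URL on a registered client's host is accepted.

    This domain-level matching is what lets a Covert Redirect through: an
    open redirector anywhere on the client's domain passes, so the provider
    hands the code or token to a URL the client never registered.
    """
    parts = urlsplit(redirect_uri)
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Hardened check: exact match against the registered redirect URIs.

    Only the registered string itself is accepted, so extra query
    parameters, other paths on the same host, or a fragment all fail.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


# Constructed authorization requests: the legitimate callback first, then
# redirect_uri values on the client's own domain that must be rejected.
SAMPLE_REDIRECT_URIS = (
    "https://client.example/oauth/callback",
    "https://client.example/oauth/callback?next=https://other.example/",
    "https://client.example/go?url=https://other.example/",
    "https://client.example/oauth/callback#fragment",
    "https://other.example/oauth/callback",
)


def compare_checks() -> dict:
    """Map each sample redirect_uri to (loose_result, strict_result)."""
    return {u: (loose_redirect_uri_ok(u), strict_redirect_uri_ok(u))
            for u in SAMPLE_REDIRECT_URIS}


if __name__ == "__main__":
    for uri, (loose, strict) in compare_checks().items():
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

Exact matching is the provider-side control; the client's own open redirector remains a defect that should be fixed independently.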


Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third party, different from the one reported by Wang (login.live.com). They recommended that I report the issue to the third party instead.


Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation.


Taobao just closed my report without giving any reason.


Yahoo did not reply to me months after my report.


I did not report to VK.com, Mail.Ru and so on because I do not know their contact emails related to security.
