Mail.ru Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)
Group (London Stock Exchange listed since November 5, 2010) is a
Russian Internet company. It was started in 1998 as an e-mail service
and went on to become a major corporate figure in the Russian-speaking
segment of the Internet. As of 2013, according to comScore, websites
owned by Mail.ru collectively had the largest audience in Russia and
captured the most screen time. Mail.Ru's sites reach approximately 86%
of Russian Internet users on a monthly basis and the company is in the
top 5 of largest Internet companies, based on the number of total pages
viewed. Mail.ru controls the 3 largest Russian social networking sites.
It operates the second and third most popular Russian social networking
sites, Odnoklassniki and Moy Mir, respectively. Mail.ru holds 100% of
shares of Russia's most popular social network VKontakte and minority
stakes in Qiwi, formerly OE Investments (15.04%). It also operates two
instant messaging networks (Mail.Ru Agent and ICQ), an e-mail service
and Internet portal Mail.ru, as well as a number of online games." (Wikipedia)
крупный коммуникационный портал российского Интернета, ежемесячная
аудитория которого по данным на октябрь 2012 года превышает 31,9 млн
человек. Ресурс занимает 52-е место по популярности в мире и 5-е — в
России. Число работников составляет 2800 человек. Ресурс принадлежит
инвестиционной группе Mail.Ru Group." (Ru.Wikipedia)
(2) Vulnerability Description:
Mail.ru web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.
vulnerabilities can be attacked without user login. Tests were
performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla
Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064
(64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.
(2.1) Vulnerability Detail:
system is susceptible to Attacks. More specifically, the authentication
of parameter "&redirct_uri" in OAuth system is insufficient. It can
be misused to design Open Redirect Attacks to Mail.Ru.
At the same
time, it can be used to collect sensitive information of both
third-party app and users by using the following parameters (sensitive
information is contained in HTTP header.),
It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.
The vulnerabilities occurs at page "/oauth/authorize?" with parameter "&redirect_uri", e.g.
Before acceptance of third-party application:
logged-in Mail.Ru user clicks the URL () above, he/she will be asked
for consent as in whether to allow a third-party website to receive
his/her information. If the user clicks OK, he/she will be then
redirected to the URL assigned to the parameter "&redirect_uri".
If a user has not logged onto Mail.Ru and clicks the URL () above, the same situation will happen upon login.
After acceptance of third-party application:
Mail.Ru user would no longer be asked for consent and could be
redirected to a webpage controlled by the attacker when he/she clicks
the URL ().
For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.
would normally allow all the URLs that belong to the domain of an
authorized third-party website. However, these URLs could be prone to
manipulation. For example, the "&redirect_uri" parameter in the URLs
is supposed to be set by the third-party websites, but an attacker
could change its value to make Attacks.
Hence, a user
could be redirected from Mail.Ru to a vulnerable URL in that domain
first and later be redirected from this vulnerable site to a malicious
site unwillingly. This is as if the user is redirected from Mail.Ru
directly. The number of Mail.Ru's OAuth client websites is so huge that
such Attacks could be commonplace.
acceptance of the third-party application, Mail.Ru's OAuth system makes
the redirects appear more trustworthy and could potentially increase the
likelihood of successful Open Redirect Attacks of third-party website.
Once the user
accepts the application, the attackers could completely bypass Mail.Ru's
authentication system and attack more easily.
(2.2) Used one of webpages for the following tests. The webpage is "http://biboying.lofter.com/". We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.
Below is an example of a vulnerable third-party domain:
Vulnerable URL in this domain:
Vulnerable URL from Mail.Ru that is related to kp.ru:
(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and
redirects a user to the parameter value without sufficient validation.
This often makes use of Open Redirect and XSS (Cross-site Scripting)
vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all
OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect
can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.
Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University
(NTU), Singapore. (@justqdjing)