互聯網登錄系統曝出重大漏洞 – Covert Redirect

Algerian-hacker
 

繼OpenSSL漏洞後,開源安全軟件再曝安全漏洞。新加坡南洋理工大學研究人員,物理和數學科學學院博士生王晶 (Wang Jing) 發現,OAuth 2.0, OpenID 授權接口的網站存隱蔽重定向漏洞、英文名為“Covert Redirect”。

 

攻擊者創建壹個使用真實站點地址的彈出式登錄窗口——而不是使用壹個假的域名——以引誘上網者輸入他們的個人信息。

 

黑客可利用該漏洞給釣魚網站“變裝”,用知名大型網站鏈接引誘用護登錄釣魚網站,壹旦用護訪問釣魚網站並成功登六授權,黑客即可讀取其在網站上存儲的私密信息。

 

騰訊,阿裏巴巴,QQ、新浪微博、淘寶網,支付寶,網易,PayPal, eBay, Amazon, Facebook、Google, LinkedIn, Yahoo, VK.com, Microsoft, Mail.ru, Github, WordPress 等國內外大量知名網站受影響。

 

鑒於OAuth和OpenID被廣泛用於各大公司——如微軟、Facebook、Google、以及 LinkedIn——Wang表示他已經向這些公司已經了匯報。Wang聲稱,微軟已經給出了答復,調查並證實該問題出在第三方系統,而不是該公司的自 有 站點。Facebook也表示,“短期內仍無法完成完成這兩個問題的修復工作,只得迫使每個應用程序平臺采用白名單”。至於Google,預計該公司 會追 蹤OpenID的問題;而LinkedIn則聲稱它將很快在博客中說明這壹問題。

 

OAuth 是壹個被廣泛應用的開放登六協議,允許用護讓第三方應用訪問該用護在某壹網站上存儲的私密的信息(如照片,視頻,聯系人列表),而無需將用護名和密碼提供給第三方應用。這次曝出的漏洞,可將Oauth2.0的使用方(第三方網站)的回跳域名劫持到惡意網站去,黑客利用XSS漏洞攻擊就能隨意操作被授權的帳號,讀取用護的隱私信息。像騰訊、新浪微博等社交網站壹般對登六回調地址沒有任何限制,極易遭黑客利用。

 

 

 

相關資料,
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
http://tech.firstpost.com/news-analysis/after-heartbleed-major-covert-redirect-flaw-threatens-oauth-openid-and-the-internet-222945.html
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html
http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html
http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html
http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html
http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html
http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/
http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/
http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/
http://network.pconline.com.cn/471/4713896.html
http://media.sohu.com/20140504/n399096249.shtml/
http://it.people.com.cn/n/2014/0504/c1009-24969253.html
http://www.cnbeta.com/articles/288503.htm
http://www.inzeed.com/kaleidoscope/computer-security/oauth-2-0-and-openid-covert-redirect/
http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_
http://itinfotech.tumblr.com/post/118850342491/covert-redirect
http://tetraph.com/covert_redirect/
http://ittechnology.lofter.com/post/1cfbf60d_6f09f58
https://zh.wikipedia.org/wiki/%E9%9A%B1%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.csdn.net/article/2014-05-04/2819588

 

 

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

163-neteasy

 

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com


(1) Domain:
163.com

 

 

“NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

163 web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

The programming code flaw occurs at page “redirect.html?” with parameter “&url”, e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

 

 

 

 

(2.1) When a user is redirected from 163 to another site, 163 will check whether this URL belongs to a domain on 163’s whitelist. If this is true, the redirection will be permitted.

However, if the URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from 163 directly.

 

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://whitehatpostlike.lofter.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable domain:
google.com

 

Vulnerable URL from 163 that is related to yhd.com:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

 

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

 

 

 

POC video:
https://www.youtube.com/watch?v=8QqKQml1QCE


Blog Detail:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

More Details:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/https://computertechhut.wordpress.com/2014/05/02/netease-hack/
http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html





==============

 

 

 

网易 (NetEase) 网站 隐蔽重定向 (Covert Redirect) 网络安全漏洞 基于 谷歌 (Google.com)





(1) 域名:
163.com


” 网易 (NASDAQ: NTES)是中国领先的互联网技术公司,利用最先进的互联网技术,加强人与人之间信息的交流和共享,实现“网聚人的力量”。创始人兼CEO是丁磊。在开发 互联网应用、服务及其它技术方面,网易始终保持业界的领先地位,并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量免 费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务,还通过自主研发推出了一款率先取得白金地位的 国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。” (百度百科)

 

 

(2) 漏洞描述:

163 网站有有一个计算机安全问题,黑客可以对它用隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

漏洞地点 “redirect.html?”,参数”&url”, e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

 

 

 

 

(2.1) 163 对跳转的页面存在一个 domain whitelist, 如果跳转的页面属于这些 domain, 则允许跳转。

 

但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此,163 用户意识不到他会被先从 163 跳转到有漏洞的网页,然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://shellmantis.tumblr.com/“. 可以假定它是有害的。

 

下面是一个有漏洞的 domain:
google.com

 

 

163 与 google.com 有关的有漏洞的 URL:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

 

 

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

 

 

 

POC 视频:
https://www.youtube.com/watch?v=8QqKQml1QCE


博客细节:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

 

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/https://computertechhut.wordpress.com/2014/05/02/netease-hack/
http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html

 

 

 

两款互联网登录系统曝出重大漏洞 短期内或无法修复 (Covert Redirect)

安全漏洞

继OpenSSL漏洞后,开源安全软件再曝安全漏洞。新加坡南洋理工大学研究人员,数学系博士生 王晶 (Wang Jing ) 发现,Oauth 2.0, OpenID 授权接口的网站存隐蔽重定向漏洞、英文名为“Covert Redirect”。

 

 

入侵技术

攻击者创建一个使用真实站点地址的弹出式登录窗口——而不是使用一个假的域名——以引诱上网者输入他们的个人信息。

 

 

 

漏洞危害

黑客可利用该漏洞给钓鱼网站“变装”,用知名大型网站链接引诱用户登录钓鱼网站,一旦用户访问钓鱼网站并成功登陆授权,黑客即可读取其在网站上存储的私密信息。[1] 

腾 讯,阿里巴巴,QQ、新浪微博、淘宝网,支付宝,网易,PayPal, eBay, Amazon, Facebook、Google, LinkedIn, Yahoo, VK.com, Microsoft,  Mail.ru, Github, WordPress 等国内外大量知名网站受影响。

 

鉴 于OAuth和OpenID被广泛用于各大公司——如微软、Facebook、Google、以及 LinkedIn——Wang表示他已经向这些公司已经了汇报。Wang声称,微软已经给出了答复,调查并证实该问题出在第三方系统,而不是该公司的自有 站点。Facebook也表示,“短期内仍无法完成完成这两个问题的修复工作,只得迫使每个应用程序平台采用白名单”。至于Google,预计该公司会追 踪OpenID的问题;而LinkedIn则声称它将很快在博客中说明这一问题。

 

 

 

背景知识

Oauth是 一个被广泛应用的开放登陆协议,允许用户让第三方应用访问该用户在某一网站上存储的私密的信息(如照片,视频,联系人列表),而无需将用户名和密码提供给 第三方应用。这次曝出的漏洞,可将Oauth2.0的使用方(第三方网站)的回跳域名劫持到恶意网站去,黑客利用XSS漏洞攻击就能随意操作被授权的账 号,读取用户的隐私信息。像腾讯、新浪微博等社交网站一般对登陆回调地址没有任何限制,极易遭黑客利用。

 

 

 

 

参考资料:

 

Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

amazon_1

 

Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

Discover:
Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Vulnerability Description:

Amazon online website has a computer security bug problem. Hackers can exploit it by Covert Redirect attacks. This allow them to get users’ sensitive information by attacks such as phishing.

 

The code programming flaw exists at “redirect.html?” page with “&location” parameter, e.g.

The vulnerability can be attacked without user login. Tests were performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium version 37.0.2062.120 in Ubuntu 12.04 (281580) (64-bit).



 

 

(2) Vulnerability Details:

When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the redirection.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

 

One of the vulnerable domain is,
facebook.com

 

“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students. After registering to use the site, users can create a user profile, add other users as “friends”, exchange messages, post status updates and photos, share videos and receive notifications when others update their profiles. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as “People From Work” or “Close Friends”. Facebook had over 1.44 billion monthly active users as of March 2015. Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion.” (Wikipedia – Facebook)

 

 

 

(3) Use one of webpages for the following tests. The webpage address is “http://inzeed.com/kaleidoscope“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

 

 

(4) Vulnerability Disclosure:

The vulnerability was reported to Amazon in the beginning of February 2014. Amazon has patch part of the vulnerability.

Internet Users Threatened by New Security Flaw, Covert Redirect

heartbleed_bug_hackers

 

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect” by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

 

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

 

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

 

Wang believes it’s unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

 

“The vulnerability is usually due to the existing weakness in the third-party websites,” Wang writes on his own blog. “However, they have little incentive to fix the problem.”

 

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

 

Normal phishing attempts can be easy to spot, because the malicious page’s URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

 

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

 

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

 

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

 

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

 

Wang told CNET Facebook had told him it “understood the risks associated with OAuth 2.0” but that fixing the flaw would be “something that can’t be accomplished in the short term.” Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

 

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there’s no company or dedicated team that could devote itself to fixing the issue.

 

 

Where does that leave things?

“Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service,” Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

 

“It’s not easy to fix, and any effective remedies would negatively impact the user experience,” Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. “Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

 

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

 

If you think someone has gained access to one of your online accounts, notify the service and change that account’s password immediately.

 

 

 

 

 

Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

https://itswift.wordpress.com/2014/05/06/microsoft-google-facebook-attacked/

http://tetraph.blog.163.com/blog/static/2346030512015420103814617/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/