Alibaba Taobao OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

1688-taobao

 

Alibaba Taobao OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
taobao.com

 

 

“Taobao (simplified Chinese: 淘宝网; traditional Chinese: 淘寶網; pinyin: Táobǎo Wǎng; literally: “searching for treasure website”) is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group. Founded by Alibaba Group on May 10, 2003, Taobao Marketplace facilitates consumer-to-consumer (C2C) retail by providing a platform for small businesses and individual entrepreneurs to open online stores that mainly cater to consumers in Chinese-speaking regions (Mainland China, Hong Kong, Macau and Taiwan) and also abroad. With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Taobao web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

Taobao’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Taobao.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “/authorize?” with parameter “&redirect_uri”, e.g.
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html [1]

 

 

Before acceptance of third-party application:

When a logged-in Taobao user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Taobao and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

A logged-in Taobao user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Taobao would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Taobao directly. The number of Taobao’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Taobao’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Taobao’s authentication system and attack more easily.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “https://computerpitch.wordpress.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
sohu.com

 

Vulnerable URL in this domain:
http://store.tv.sohu.com/web/login.do?bru=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Vulnerable URL from Taobao that is related to sohu.com:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://sohu.com

 

POC:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

 

 

 

(2.3) The following URLs have the same vulnerabilities.
https://login.taobao.com/member/login.jhtml?sign=8uBo%2FBShyXsFVd4q%2FREkfg%3D%3D&timestamp=2014-03-19+09%3A24%3A22&sub=true&style=mini_top&need_sign=top&full_redirect=true&from=mini_top&from_encoding=utf-8&TPL_redirect_url=https%3A%2F%2Foauth.taobao.com%2Fauthorize%3Fstate%3D1%26response_type%3Dcode%26client_id%3D21112101%26redirect_uri%3Dhttp%253A%252F%252Fwww.paidai.com%252Fuser%252Foauth_taobao.php

 

 

POC Video:
https://www.youtube.com/watch?v=aZVCZK03-Rw



Blog Detail:
http://tetraph.blogspot.com/2014/05/alibaba-taobao-oauth-20-covert-redirect.html







(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/alibaba-taobao-oauth-2-0-covert-redirect
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-taobao-bug
http://computerobsess.blogspot.com/2014/05/alibaba-taobao-service-exploit.html
https://twitter.com/essayjeans/status/558976811573321728
https://webtechwire.wordpress.com/2014/06/06/taobao-vulnerability/
http://inzeed.tumblr.com/post/119493913816/securitypost-itinfotech-continuan-los
http://essayjeans.lofter.com/post/1cc7459a_7069892
http://securityrelated.blogspot.com/2014/05/alibaba-taobao-service-exploit.html
http://tetraph.blog.163.com/blog/static/2346030512014463745630/
http://diebiyi.com/articles/security/covert-redirect/alibaba-taobao-oauth-2-0
https://hackertopic.wordpress.com/2014/06/01/alibaba-taobao-bug/

 

 

 

===========

 

 


阿里巴巴 淘宝 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)




(1) 域名:

taobao.com



” 淘宝网是亚太地区较大的网络零售商圈,由阿里巴巴集团在2003年5月10日投资创立。淘宝网现在业务跨越C2C(个人对个人)、B2C(商家对个人)两 大部分。截止2014年,淘宝网注册会员超5亿人每天有超过1.2亿的活跃用户,在线商品数达到10亿件,淘宝网和天猫平台的交易额总额超过了1.5万 亿。” (百度百科)







(2) 漏洞描述:

阿里巴巴 淘宝 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。




这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。




 


(2.1) 漏洞细节:

Taobao 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Taobao 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Taobao 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info,email…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/authorize?”,参数”&redirect_uri”, e.g.
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html [1]

 

 

 

同意三方 App 前:

当一个已经登录的 Taobao 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。

 

 

如果没有登录的Taobao 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 Taobao 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 Taobao 用户没有登录,攻击依然可以在要求他登录的Taobao的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

(2.1.1) Taobao 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,Taobao 用户意识不到他会被先从 Taobao 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Taobao 直接跳转到有害网页是一样的。

 

 

因为 Taobao 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

 

在同意三方 App 之前,Taobao 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 Taobao 的 URL跳转 验证系统。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://lifegreen.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
sohu.com

 

 

这个 domain 有漏洞的 URL:
http://store.tv.sohu.com/web/login.do?bru=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

 

Taobao 与 sohu.com 有关的有漏洞的 URL:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://sohu.com

 

 

 

POC:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html



(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向也可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/alibaba-taobao-oauth-2-0-covert-redirect
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-taobao-bug
http://computerobsess.blogspot.com/2014/05/alibaba-taobao-service-exploit.html
https://twitter.com/essayjeans/status/558976811573321728
http://webtechhut.blogspot.com/2014/06/taobao-exploit.html
http://inzeed.tumblr.com/post/119493913816/securitypost-itinfotech-continuan-los
http://essayjeans.lofter.com/post/1cc7459a_7069892
https://infoswift.wordpress.com/2014/06/28/taobao-hack/
http://tetraph.blog.163.com/blog/static/2346030512014463745630/
http://diebiyi.com/articles/security/covert-redirect/alibaba-taobao-oauth-2-0
https://hackertopic.wordpress.com/2014/06/01/alibaba-taobao-bug/















Advertisements

Oracle Access Manager WebGate Subcomponent Unspecified Remote Information Disclosure CVE-2014-2404

Exploit Title: Oracle Manager WebGate Subcomponent Unspecified Remote Information Disclosure
Product: Access Manager component in Oracle Fusion Middleware
Vendor: Oracle
Vulnerable Versions: 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, and 11.1.2.2.0
Advisory Publication: Apr 15, 2014
Latest Update: Apr 15, 2014
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: CVE-2014-2404
Risk Level: Medium
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N) (legend)
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
Original advisory
Jing Wang has reported two vulnerabilities in Oracle Access Manager, which can be exploited by malicious users to disclose potentially sensitive information and cause a DoS (Denial of Service).
1) An unspecified error within the “WebGate” sub-component can be exploited to disclose certain Oracle Access Manager accessible data.
This vulnerability is reported in versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, and 11.1.2.2.0.
2) An unspecified error within the “Webserver Plugin” sub-component can be exploited to cause a hang or frequently repeatable crash of the application.
This vulnerability is reported in version 11.1.1.5.
Extra information
Solution : Apply updates.
Reported by : Jing Wang.
Changelog : 2014-06-13: Updated “Description” section and credits. Added
one link to the “Original Advisory” section.
Reference original advisory : Oracle:

Alvorlig feil i utbredt innloggingssystem

Alvorlig feil i utbredt innloggingssystem

Benyttes av Facebook, Google, Yahoo, LinkedIn, Microsoft og mange flere.

Wang Jing, en doktorgradstudent ved Nanyang Technological University i Singapore, har oppdaget en alvorlig sårbarhet knyttet til autentiseringssystemene OAuth 2.0 og OpenID. Sårbarheten, som er av typen «covert redirect», dreier seg om at en applikasjon tar en parameter og omdirigerer en bruker til parameteren uten tilstrekkelig validering. Ifølge Jing skyldes dette ofte at nettsteder har for stor tillit til sine partnere.

website-sicherheit-notifications

– Nettstedet sjekker domenenavnet mot et «token» (tildelt til partneren som et middel for verifisering) i den omdirigerte URL-en. Dersom paret er i godkjent-listen i nettstedets database, vil det tillate omdirigeringen. Men dersom URL-en tilhører et domene som har en «open redirect»-sårbarhet, kan brukerne omdirigeres fra nettstedet til et sårbart nettsted og deretter til en ondsinnet nettsted, skriver Jing.

http://www.digi.no/928515/alvorlig-feil-i-utbredt-innloggingssystem

VK.com OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Screenshot from 2015-06-27 14:36:59

 

VK.com OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 




(1) Domain:
vk.com

 

“VK (originally VKontakte, Russian: ВКонтакте, literally “in touch”) is the largest Russian social network in Europe. It is available in several languages, but is especially popular among Russian-speaking users, particularly in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. Like other social networks, VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. As of November 2014, VK had at least 280 million accounts. VK is ranked 22 (as of November 1, 2014) in Alexa’s global Top 500 sites and is the second most visited website in Russia, after Yandex. According to eBizMBA Rank, it is the 8th most popular social networking site in the world. As of January 2015, VK had an average of 70 million daily users.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

VK.com web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

(2.1) Vulnerability Detail:

VK’s OAuth system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth system is insufficient. It can be misused to design Open Redirect Attacks to VK.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=code,token…

“&scope”=basic information…

 

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “/authorize?” with parameter “&redirect_uri”, e.g.

http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

 

 

Before acceptance of third-party application:

 

When a logged-in VK user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto VK and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in VK user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) VK would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from VK to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from VK directly. The number of VK’s OAuth client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, VK’s OAuth system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass VK’s authentication system and attack more easily.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://diebiyi.com/articles/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
kp.ru

 

Vulnerable URL in this domain:
http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

 

Vulnerable URL from VK that is related to kp.ru:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin%2Fvkontakte.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.kp.ru%252F

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.kp.ru&display=page&scope=wall,offline

 

POC:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html&display=page&scope=wall,offline

 

 

 

POC Video:
https://www.youtube.com/watch?v=3gNhi8h2AQY

 

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/



 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/




 

 

More Details:
http://tetraph.com/security/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itswift.wordpress.com/2014/05/02/vk-exploit/
http://tetraph.blogspot.com/2014/05/vkcom-oauth-20-covert-redirect.html
https://twitter.com/tetraphibious/status/559166795525799936
http://frenchairing.blogspot.fr/2014/05/vk-exploit.html
http://whitehatview.tumblr.com/post/119487379761/securitypost
http://webtech.lofter.com/post/1cd3e0d3_706aec6
http://tetraph.blog.163.com/blog/static/234603051201445111630165/
http://www.inzeed.com/kaleidoscope/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itinfotechnology.wordpress.com/2014/05/07/vk-bug/
http://russiapost.blogspot.ru/2014/05/vk-exploit.html

 

 

 

=================

 

 

 

 

ВКонтакте OAuth 2.0 Ошибки служба Скрытое перенаправление веб-безопасности (утечка информации и открытого редирект)

 

 

 

(1) Домен:
vk.com

 

“«ВКонта́кте» (vk.com) — социальная сеть, принадлежащая Mail.Ru Group. По данным SimilarWeb, «ВКонтакте» является первым по популярности сайтом в России и на Украине, 6-м — в мире. По данным Alexa Internet, второй по популярности сайт в России и на Украине, третий — в Белоруссии, 24-й — в мире. Проект запущен 10 октября 2006 года. Ресурс изначально позиционировал себя в качестве социальной сети студентов и выпускников российских вузов, позднее стал называть себя «современным, быстрым и эстетичным способом общения в сети». В январе 2014 года ежедневная аудитория «ВКонтакте» составляла около 60 миллионов человек, а в январе 2015 года — 70 миллионов человек в день. Генеральный директор (с 2014 года) — Борис Добродеев, сын Олега Добродеева — генерального директора Всероссийской государственной телевизионной и радиовещательной компании.”. (ru.wikipedia)

 

 

 

(2) Уязвимость Описание:

 

Веб-приложение ВКонтакте имеет проблемы компьютерной безопасности. Хакер может использовать его Скрытое перенаправление кибератак.

 

Уязвимости могут быть атакованы без входа пользователя в систему. Испытания проводились на Microsoft IE (10.0.9200.16750) в Windows 8, Mozilla Firefox (34,0) и Google Хром 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-бит) Ubuntu (14.04), Apple Safari 6.1.6 от Mac OS X Lion 10.7.

 

 

 

(2.1) Уязвимость деталь:

Система OAuth ВКонтакте подвержен атакам. Более конкретно, аутентификация параметра “& redirct_uri” в системе OAuth является недостаточным. Это может быть неправильно для разработки открытым перенаправление атак на VK.

 

В то же время, он может быть использован, чтобы собирать конфиденциальную информацию как стороннего приложения и пользователей, используя следующие параметры (секретная информация, содержащаяся в заголовке HTTP.),

“& Response_type” = код маркера …

“& Область” = базовая информация …

 

Это увеличивает вероятность успешных атак Открыть перенаправление на сторонних веб-сайтах, тоже.

 

Уязвимости происходит на странице “/ разрешить?” с параметром “& redirect_uri”, например
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

 

 

 

До принятия сторонних применения:

 

Когда вошедшего в систему пользователя ВКонтакте нажимает URL ([1]) выше, то он / она будет предложено согласия, в том, чтобы позволить сторонних веб-сайт для получения его / ее информацию. Если пользователь нажимает кнопку ОК, он / она будет затем перенаправляется на URL, назначенного параметра “& redirect_uri».

 

Если пользователь не вошел на VK и нажимает URL ([1]) выше, такая же ситуация произойдет при входе.

 

После принятия стороннем приложении:

 

не вошедшего в систему пользователя ВКонтакте больше не будет предложено для согласия и может быть перенаправлен на веб-страницу, контролируемой злоумышленником, когда он / она нажимает URL ([1]).

 

Для пользователя, который не авторизованы атака еще может быть завершена после всплывающая страница, что побуждает его / ее войти.

 

 

 

(2.1.1) ВК, как правило, позволяют все адреса, которые принадлежат к сфере уполномоченным сторонних веб-сайт. Тем не менее, эти URL-адреса могут быть склонны к манипуляциям. Например, параметр “& redirect_uri” в URL, как предполагается, будет установлен сторонних веб-сайтах, но злоумышленник может изменить его значение, чтобы атак.

 

Следовательно, пользователь может быть перенаправлен от VK с уязвимой URL в этой области первым, а затем будет перенаправлен из этого уязвимого сайта на вредоносный сайт неохотно. Это как если бы пользователь перенаправляется от VK напрямую. Количество OAuth клиентских сайтов В.К. настолько огромен, что такие атаки могут быть обычным явлением.

 

До принятия стороннего приложения, система OAuth ВКонтакте делает редирект кажутся более надежными и потенциально может увеличить вероятность успешных атак Открыть перенаправление сторонних веб-сайта.

 

После того, как пользователь принимает заявки, нападавшие могли полностью обойти систему аутентификации ВКонтакте и нападение легче.

 

 

 

 

(2.2) Используется один из веб-страниц для следующих испытаний. Веб-страница “http://diebiyi.com/articles/“. Можно предположить, что это злая и содержит код, который собирают конфиденциальную информацию как сторонних приложений и пользователей.

 

Ниже пример уязвимой области стороннего:
kp.ru

 

 

Уязвимые URL в этой области:
http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

 

 

Уязвимые URL из ВК, что это связано с kp.ru:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin%2Fvkontakte.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.kp.ru%252F

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.kp.ru&display=page&scope=wall,offline

 

 

СПЭ:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html&display=page&scope=wall,offline

 

 

СПЭ Видео:
https://www.youtube.com/watch?v=3gNhi8h2AQY

 

Блог деталь:
http://www.tetraph.com/blog/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/

 

 

 

(3) Что такое Скрытое перенаправление?

Скрытое перенаправление класс ошибок безопасности, описанных мая 2014 Это приложение, которое принимает параметр и перенаправляет пользователя на значение параметра без достаточного обоснования. Это часто делает использование открытого Redirect и XSS (Cross-Site Scripting) уязвимостей в сторонних приложениях.

 

Скрытое перенаправление также связано с единого входа, такие как OAuth и OpenID. Хакер может использовать это, чтобы украсть конфиденциальную информацию пользователей. Почти все OAuth 2.0 и OpenID-провайдеров по всему миру страдают. Скрытое перенаправление может работать вместе с CSRF (Cross-Site Request подлог), а также.

 

 

 

Откройте для себя и Докладчик:
Ван Цзин, Отдел математических наук (MAS), школа физико-математических наук (ВПУ), Nanyang технологический университет (НТУ), Сингапур. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

Подробнее:
http://tetraph.com/security/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itswift.wordpress.com/2014/05/02/vk-exploit/
http://tetraph.blogspot.com/2014/05/vkcom-oauth-20-covert-redirect.html
https://twitter.com/tetraphibious/status/559166795525799936
http://frenchairing.blogspot.fr/2014/05/vk-exploit.html
http://whitehatview.tumblr.com/post/119487379761/securitypost
http://webtech.lofter.com/post/1cd3e0d3_706aec6
http://tetraph.blog.163.com/blog/static/234603051201445111630165/
http://www.inzeed.com/kaleidoscope/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itinfotechnology.wordpress.com/2014/05/07/vk-bug/
http://russiapost.blogspot.ru/2014/05/vk-exploit.html