The Book of Songs, Odes of Bei: "Beating the Drum"

Love, Affection, Sweet, Sleep – Pure Music – Ghost, Final Fantasy

Hear the roll of our drums! See how we leap about, using our weapons! Those do the fieldwork in the state, or fortify Cao, while we alone march to the south.

We followed Sun Zizhong, peace having been made with Chen and Song; [but] he did not lead us back, and our sorrowful hearts are very sad.

Here we stay; here we stop. Here we lose our horses, and we seek for them among the trees of the forest.

For life or for death, however separated, to our wives we pledged our word. We held their hands; we were to grow old together with them.

Alas for our separation! We have no prospect of life. Alas for our stipulation! We cannot make it good.

diebiyi:
http://www.diebiyi.com/
http://www.diebiyi.com/articles/
Music: Ghost, Final Fantasy – Mixed Music
Background: Beautiful Love

Another security flaw threatens part of the Internet

While many servers around the world are still affected by Heartbleed, there is news of another large-scale flaw, though not on the level of the first. This time the vulnerability lies in how OAuth and OpenID are deployed, and users can do very little about it, since the fix is in the hands of the companies.

OAuth and OpenID are open standards for authorizing and authenticating users, used by companies such as Google, Facebook, Microsoft, Yahoo, PayPal and LinkedIn. We have all seen them in action: they open pop-up windows asking us to sign in with one of our accounts in order to access some content or service.

The problem is that a window appears asking us to be redirected to Facebook, which looks completely safe but is not. Up to this point it works like phishing, but it goes further: the exploit, named Covert Redirect, obtains the user's information from the provider without the user having to type it in, because the result of a genuine authorization is redirected to the attacker.

This new vulnerability was discovered by Wang Jing, a PhD student at Nanyang Technological University in Singapore. The problem could prove costly for the companies, but at some point they will have to get to work. For now, the recommendation is not to log in to online accounts through pop-up windows.

 

 

http://www.inzeed.com/kaleidoscope/covert-redirect/otra-brecha-de-seguridad-amenaza-parte-de-internet/

 

 

Security flaw affects Facebook logins

A PhD student from Singapore, Wang Jing, identified the flaw, called "Covert Redirect", which uses the real domains of legitimate sites to lend credibility to a malicious login flow, deceiving users.

Cybercriminals can craft malicious links that open a Facebook pop-up window asking the user to authorize a given application.

If the user grants that authorization, their personal data is passed on to the attackers.

Wang says he has already contacted Facebook, but received a reply that the company "understands the risks associated with OAuth 2.0" and that fixing the flaw "is something that cannot be done for now".

Google said the problem is being tracked, LinkedIn published a statement saying it has already taken measures to prevent the flaw from being exploited, and Microsoft denied there was any vulnerability on its own pages, only on third-party ones.

The discoverer's recommendation to users is to avoid logging in with Facebook, Google or any other service's credentials unless they are completely sure they are in a safe environment.

 

 

http://www.megafm.com.br/noticia/falha-de-seguranca-afetam-logins-de-facebook

 

Vulnerabilities in "Sign in with Facebook"-style buttons

Only a few weeks after the discovery of the Heartbleed bug, ordinary users like you and me have another widespread problem to worry about, and this one will not be easy to fix. It is the "Covert Redirect" bug recently disclosed by Wang Jing, a PhD student in mathematics at Nanyang Technological University in Singapore. The problem was found in the well-known Internet protocols OpenID and OAuth. The first is used when you sign in to sites with your Google, Facebook, LinkedIn, etc. profile. The second is used when you authorize sites, apps or services through Facebook/G+/etc. without revealing your password to those external sites. The two protocols are used together, and you could well be handing your information to the wrong people.

The threat

Our friends at Threatpost have a more technical explanation of the problem and a link to the original research, but we will spare you the unnecessary details and describe the possible attack scenario and its consequences. First, the user visits a phishing site that uses a "Sign in with Facebook" button. Such a site may closely resemble a popular service or pose as a brand-new one. Next, a genuine Facebook/G+/LinkedIn window opens, asking the user for their username and password in order to authorize the service to access the user's profile. Finally, the authorization to use the profile is delivered to the wrong (phishing) site through an incorrect redirect.

In the end, a cybercriminal receives authorization to access the victim's profile (an OAuth token) with all the permissions applications usually get, and in the worst case with the ability to read the user's contacts, send messages, and so on.

Is it fixed? Not really.

This threat will not go away any time soon, because the fix has to be applied both on the provider side (Facebook, LinkedIn, Google, etc.) and on the client side (the external service or application). OAuth 2.0 (RFC 6749) leaves much of redirect URI registration and matching up to each provider, so implementations differ in how well they resist the attack described above. LinkedIn is better placed to deploy the fix and handles things more strictly, requiring the developer of the external service to supply a "whitelist" of valid redirect URIs. For the moment, every application that uses LinkedIn authorization is therefore either secure or non-functional. Things are different for Facebook, which unfortunately has a very large number of external applications and perhaps an older OAuth implementation. That is why Facebook's representatives told Jing that creating a whitelist "isn't something that can be accomplished in the short term".

Many other providers appear to be vulnerable (see the list of affected providers further down this page), so if you sign in to certain sites using these services, you should take action.

Your action plan

For the more cautious, the fail-safe solution is to stop using OpenID and those famous "Sign in with..." buttons for a few months. This may also improve your privacy, since allowing these social-network logins makes your online activity easier to track and lets more and more sites read your basic demographic data. To avoid having to memorize different credentials for all those sites, start using a good password manager. Most such services nowadays offer cross-platform clients and cloud sync, so your passwords are available on every computer you own.

Nevertheless, if you intend to keep using OpenID authorization, there is no immediate danger. You just need to be careful and avoid phishing scams, which typically start with a strange message in your inbox or a provocative link on Facebook or other social networks. If you authenticate to a service with Facebook/Google/etc., make sure you reach that service's site by typing the address yourself or using a bookmark, not through a link in your e-mail or instant messages. Check the address bar carefully so you do not land on dubious sites, and do not sign up for new services with OpenID unless you are 100% sure the service is reputable and that it really is the right site. We also recommend a safe-browsing solution such as Kaspersky Internet Security – Multi-Device, which will keep your browser away from dangerous places such as phishing sites.

These are just precautions that every Internet user should take every day, since phishing is widespread and effective and can lead to all kinds of digital losses, including bank card numbers, e-mail credentials and so on. The "Covert Redirect" bug in OpenID and OAuth is just one more reason to follow them, without exception.

 

 

 


Related articles:

http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/

 

 

 

 

 

Security hole found in OAuth 2.0 and OpenID

Wang Jing, a student at Nanyang Technological University in Singapore, has discovered, in the wake of the OpenSSL Heartbleed leak, another serious security hole, this time in the authentication methods OAuth 2.0 and OpenID. The vulnerability, named "Covert Redirect", lets attackers confront the user with a genuine login screen on the provider's real domain and thereby gain access to the data the user agrees to share. What makes it dangerous: unlike previously known phishing attempts, the vulnerability uses a legitimate domain address, so it cannot be spotted, or only with great difficulty, by a glance at the browser's URL bar. Numerous web services now offer OAuth 2.0 and OpenID so that users can log in directly to other services and apps, among them Google, Facebook, Microsoft and others.

So it is possible to send the user an e-mail with a specially crafted link; clicking it opens, as mentioned, a legitimate address complete with the appropriate logo. If the user then authorizes this request and logs in to the service, the data is not forwarded to the supposed app but ends up in the attacker's hands. Depending on which data is requested, the attacker thus obtains the e-mail address, date of birth, contact lists and the like. It is also possible to redirect the user after login to an arbitrary website, which may distribute malware.

A solution to the problem could, if there ever is one, be a lengthy affair. Wang Jing has already written to a number of larger providers of these login methods and informed them about the hole, but received differing responses. Google is monitoring the problem; Microsoft does not consider itself at fault and pushes the hole onto third-party providers. Only Facebook appears to be candid here, stating that it is a fundamental problem of OAuth 2.0 and OpenID: unless one wants to maintain an extensive whitelist of all non-malicious apps, the hole cannot be closed "just like that". Basically, every countermeasure would hurt the user experience, which of course none of the services wants to accept, and so the providers apparently settle for the "lesser evil".

So the only real options are to stop using OAuth 2.0 or OpenID as a login method for third-party services and apps, or to pay very close attention to what you click. If you have not explicitly initiated an authorization, close the opened tabs immediately and hope that no bad link has slipped in somewhere.



Source:
http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/




Mathematics student finds vulnerability in OpenID and OAuth 2.0

OAuth and OpenID are very popular protocols that are used together for authorization and authentication. An OAuth authorization server issues tokens to client applications, and OpenID provides decentralized authentication on third-party sites, disclosing users' personal data to them.

Wang Jing, a student in the mathematics department of Nanyang Technological University in Singapore, found a way for an attacker to intercept users' personal data by redirecting them to a malicious site after authorization. This is a covert redirect vulnerability, named by analogy with the well-known open redirect attack.

In this case the provider (Facebook, Google, etc.) sees that a legitimate application is requesting the information, but in reality the user is covertly sent on to another site, because the redirect_uri value in the URL has been substituted.

The vulnerability affects many major sites, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, VK, Mail.Ru, PayPal, GitHub and others. All of them hand over the user's personal data at the attacker's request. In the case of Facebook, this can be first name, surname, e-mail address, age, place of residence, place of work and so on.

Incidentally, open redirect ("Unvalidated Redirects and Forwards") is among the OWASP Top 10 for 2013.

Wang Jing published a video demonstrating how the vulnerability is exploited, using Facebook's OAuth 2.0 as the example. According to him, the only protection against such attacks is a whitelist of redirect targets.


Source:
http://xakep.ru/62448/




 

 

Serious vulnerability in OAuth and OpenID? Major sites such as Facebook may be affected

Following the OpenSSL vulnerability "Heartbleed", another major vulnerability has been found in widely used open authentication standards. This time it affects the login protocols "OAuth" and "OpenID", which are used by many websites and by technology giants such as Google, Facebook, Microsoft and LinkedIn.

Wang Jing, a PhD student at Nanyang Technological University in Singapore, discovered that a serious vulnerability called "Covert Redirect" can be used to present a login pop-up on the domain of an affected site while the result is delivered elsewhere. Covert Redirect builds on a known weakness: an unvalidated redirect parameter (open redirect).

For example, clicking a malicious phishing link opens a pop-up window within Facebook asking the user to authorize an app. In the case of Covert Redirect, rather than fooling the user with a fake domain name that resembles the real one, the authorization request uses the site's real address.

If the user chooses to allow the login, their personal data is sent to the attacker instead of the legitimate website. Depending on what is requested, the data handed over can include e-mail address, birthday, contact lists, and even account management information.

Whether or not the user authorizes the app, the targeted user can afterwards be redirected to a website of the attacker's choosing, where further attacks may follow.

According to Wang, he has already contacted Facebook and reported the vulnerability, but the company replied that it "understood the risks associated with OAuth 2.0" and that, because "forcing every single application on the platform to use a whitelist" is difficult, fixing the bug "isn't something that can be accomplished in the short term".

Facebook is not the only site affected. Wang says he also reported the issue to Google, LinkedIn and Microsoft, and received varying responses about how they would address it.

Google (which uses OpenID) told Wang that it is currently working on the problem. LinkedIn said it had published a blog post on the matter. Microsoft, for its part, said it had investigated and found that the vulnerability lay in a third-party domain, not on its own site.

This article was edited for Japan by Asahi Interactive from an article originally published by CBS Interactive.



 

 

 

Related news:
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

 

A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

 

It could lead to Open Redirect attacks against both clients and providers of OAuth 2.0 or OpenID.

 

For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf. 

 

For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved. 

 

 

More details: see the blog and YouTube links at the end of this page.

Q&A

Why is it a serious vulnerability?

▪ It enables Open Redirect Attacks
▪ It could lead to sensitive information leakage
▪ It has wide coverage: most of the major internet companies that provide authentication/authorization services
▪ It is difficult to patch

 

How widespread is the vulnerability?

Almost all major OAuth 2.0 and OpenID providers are affected.

List of affected major OAuth 2.0 and OpenID providers (each entry had a blog write-up and a PoC video on the original page; those links are not preserved here):

Website         Company
facebook.com    Facebook
google.com      Google
linkedin.com    LinkedIn
yahoo.com       Yahoo
live.com        Microsoft
vk.com          VK
qq.com          Tencent
weibo.com       Sina
paypal.com      PayPal
mail.ru         Mail.Ru
taobao.com      Alibaba
sina.com.cn     Sina
sohu.com        Sohu
163.com         163
github.com      GitHub
alipay.com      Alibaba

★ Website ranking is based on Alexa.

 

Who should be responsible for the vulnerability?

The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.

In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.

As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.

 

 

How to patch the vulnerability?

Patching this vulnerability is easier said than done. If every third-party application strictly adhered to a whitelist of exact redirect URIs, there would be no room for attack. In the real world, however, a large number of third-party applications do not do this, for various reasons, which leaves systems based on OAuth 2.0 or OpenID highly exposed.

An alternative is for the providers to develop a more thorough verification procedure for redirect URIs, so that the attack is blocked on their side regardless of what the clients do.
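The attack chain that the news reports above describe in prose (crafted link, genuine consent screen, token delivered to the wrong site) and the provider-side fix this Q&A discusses, as an added example in Python. This is illustration code, not code from the original page or from Wang Jing's write-up. The hosts provider.example, client.example and attacker.example, the client id, the token value and the client's /out redirector are all hypothetical, and the flow assumes the implicit grant (response_type=token), in which the access token rides in the URL fragment and is carried by the browser across the client's second redirect.

```python
"""
Added example (not from the original page or Wang Jing's write-up):
a minimal model of the OAuth 2.0 Covert Redirect chain and the
provider-side fix. All hosts, ids and the token value are hypothetical.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "app123"                                               # hypothetical
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"  # exact URI on file
ISSUED_TOKEN = "tok_secret_value"                                  # constructed sample token


def lax_redirect_uri_ok(redirect_uri: str) -> bool:
    """Weak provider check (the 'semi-whitelist' the page describes):
    any https URL on the client's registered host is accepted, so every
    open redirector on that host becomes an exit to the attacker."""
    got = urlsplit(redirect_uri)
    want = urlsplit(REGISTERED_REDIRECT_URI)
    return got.scheme == "https" and got.netloc == want.netloc


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Hardened check: simple string comparison with the registered
    redirect URI, as RFC 6749 section 3.1.2.3 requires."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def authorize(client_id: str, redirect_uri: str,
              validator: Callable[[str], bool]) -> Optional[str]:
    """Provider's authorization endpoint after the user has consented.
    Returns the Location header of the 302, or None if the request is refused."""
    if client_id != CLIENT_ID or not validator(redirect_uri):
        return None
    # Implicit grant: the token is appended as a fragment, never sent to a server.
    return f"{redirect_uri}#access_token={ISSUED_TOKEN}&token_type=bearer"


def client_open_redirector(url: str) -> Optional[str]:
    """The client's vulnerable /out endpoint: it 302s to whatever ?url= says.
    Returns the Location header, or None if the path is not the redirector."""
    parts = urlsplit(url)
    if parts.netloc != "client.example" or parts.path != "/out":
        return None
    return parse_qs(parts.query).get("url", [None])[0]


def browser_follow(current_url: str, location: str) -> str:
    """Model a browser handling a 302: when the new Location carries no
    fragment of its own, the fragment of the current URL is re-attached.
    That behaviour is what carries the token across the second hop."""
    frag = urlsplit(current_url).fragment
    if frag and not urlsplit(location).fragment:
        return f"{location}#{frag}"
    return location


def token_in_url(url: Optional[str]) -> Optional[str]:
    """Read access_token out of a URL fragment (what attacker-side JS would do)."""
    if url is None:
        return None
    return parse_qs(urlsplit(url).fragment).get("access_token", [None])[0]


def run_attack(validator: Callable[[str], bool]) -> Optional[str]:
    """Victim clicks the attacker's link to the provider, whose redirect_uri
    points at the client's open redirector. Returns the URL the victim
    finally lands on, or None if the provider refused the crafted URI."""
    crafted = "https://client.example/out?" + urlencode(
        {"url": "https://attacker.example/collect"})
    location = authorize(CLIENT_ID, crafted, validator)  # provider 302 (or refusal)
    if location is None:
        return None
    hop = client_open_redirector(location)               # client 302 to the attacker
    return browser_follow(location, hop) if hop else location


if __name__ == "__main__":
    print("lax provider    ->", token_in_url(run_attack(lax_redirect_uri_ok)))
    print("strict provider ->", run_attack(strict_redirect_uri_ok))
    print("legit callback  ->", token_in_url(
        authorize(CLIENT_ID, REGISTERED_REDIRECT_URI, strict_redirect_uri_ok)))
```

The lax validator accepts any https URL on the registered host, which is exactly the "semi-whitelist" this page describes, and the token ends up in the fragment of a URL on attacker.example. The strict validator does the simple string comparison RFC 6749 section 3.1.2.3 asks for, so the crafted redirect_uri is refused before any token is issued, while the registered callback still works.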

 

 

What is the meaning of the logo?

The logo depicts the three parties involved in the attack: the provider (top-left), the third-party application used by the client (bottom) and the attacker (top-right).

Due to the loophole in the third-party application, the attacker is able to attack the provider through the application. The client therefore acts as a bridge between the provider and the attacker, albeit unintentionally. The attack could be seen as a redirect from the client but it is preceded or masked by a redirect from the provider to the client.

 

 

Why it is called Covert Redirect Vulnerability?

A Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation.

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.

On the other hand, the Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners. The provider relies on the clients to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.

 

 

Who found the vulnerability?

The vulnerability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.

Covert Redirect Vulnerability

Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the result of a website's overconfidence in its partners. In other words, the Covert Redirect vulnerability exists because there is not sufficient validation of the redirected URLs that belong to the partners' domains.

Two main validation methods that would lead to Covert Redirect Vulnerability:
(1) Validation using a matched domain-token pair
(2) Validation using a whitelist

Q&A

Why is it called Covert Redirect Vulnerability?

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.

A Covert Redirect resembles an Open Redirect however it is preceded by a normal redirect from the Website to a partner that is exposed to Open Redirect attacks. Covert Redirect vulnerability exists because of the Website’s overconfidence in its partners, consequently giving leeway to the attackers. The Website relies on its partners to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.

What is Covert Redirect based on validation using a matched domain-token pair?

The Website checks the domain name against the token (assigned to the partner as a means for verification) in the redirected URL. If the pair is on the approved list in its database, the Website would allow the redirection. However, if the URL belongs to a domain that has Open Redirect vulnerability, users could be redirected from the Website to the vulnerable site and then to a malicious site.

Some Examples,

Website       Company   (each had a blog write-up and a PoC video on the original page)
amazon.com    Amazon
nytimes.com   NYTimes

What is Covert Redirect based on validation using a whitelist?

The Website preserves a whitelist of domains to which they allow redirection. The whitelist usually comprises of well-known web giants, e.g. Google, Facebook and LinkedIn.

Before a user is redirected out of the Website, it will check whether the redirected URL belongs to the domains on its whitelist. If it does, the Website will authorize the redirection. However, if the URL belongs to a domain that has Open Redirect vulnerability, then the user could be redirected from the Website to the vulnerable site and then to a malicious site.

Some Examples,

Website             Company            (each had a blog write-up and a PoC video on the original page)
ebay.com            eBay
wordpress.com       WordPress
odnoklassniki.ru    Odnoklassniki.ru
godaddy.com         GoDaddy
youku.com           Youku

The validation system related to OAuth 2.0 and OpenID could be viewed as using a semi-whitelist: the list is not specified by the Website (provider) but rather by the partners (clients). See "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" above.

Who should be responsible for the vulnerability?

The vulnerability is in general due to the existing weakness in the partner websites; therefore, the Website might not feel it is responsible to patch up the vulnerability. To the partners, they may be unaware of the vulnerability or do not bother to fix it. In my view, the Website should be responsible for the vulnerability because attacks are mainly targeted at them.

How widespread is the vulnerability?

Its sphere of influence is almost as wide as that of Open Redirect vulnerability.

Why is it a serious vulnerability?

▪ Enable Open Redirect Attacks
▪ Wide coverage (It could potentially affect as many websites as Open Redirect could do)
▪ Possibility of sensitive information leakage (such as Covert Redirect vulnerability related to OAuth 2.0 and OpenID)

How to patch the vulnerability?

The Website(s) need to carry out sufficient verification of the URLs for redirection.

What is the meaning of the logo?

The logo depicts the three parties involved in the attack: the website of interest (“the Website” hereafter; top-left), the partner (bottom) and the attacker (top-right).

Due to the loophole in the partnership, the attacker is able to attack the Website through the link between them. The partner therefore acts as a bridge between the Website and the attacker, albeit unintentionally.

The entire logo is made up of two hemispheres that look like mirror images of each other, except that the colors are different. The attack could be seen as a redirect from the partner but it is preceded or masked by a redirect from the Website to the partner. The blue background of the left hemisphere signifies the purview of the Website who is only aware of the first redirect and believes it to be safe. However, there is an attendant malicious redirect from the client to the attacker, which appears “invisible” to the Website. Thus, a white background is chosen for the right hemisphere to represent the space in which the second redirect occurs. To the attacker, the second redirect may be the real attack while the first one only a camouflage.

Who found the Covert Redirect Vulnerability?

The vulnerability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.

From:

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
(Covert Redirect: http://tetraph.com/covert_redirect/ )

I found a serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID.


I found this vulnerability at the beginning of February and I have reported it to related companies.

Facebook said “Short of forcing every single application on the platform to use a whitelist, which isn’t something that can be accomplished in the short term, do you have any recommendations on actions we can take here?”

In my reply, I suggested “For any URL, it has a particular value “&h”. If the URL is changed. there is no permission any more. That means the modified URL will not get any “&h”. Because it is illegal.”

Facebook agreed. “As you mentioned, that’s how our Linkshim system works. As I said, that doesn’t seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users.”
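The "&h" idea in the exchange above, and the partner-side open redirector that the Covert Redirect Q&A earlier on this page chains through, as an added example in Python. It is not Facebook's Linkshim code and not from the original page; the design (an HMAC over the exact destination, minted only by the server that renders the link) is an assumption, and the key, hosts and /out path are hypothetical.

```python
"""
Added example (not from the original page and not Facebook's Linkshim):
an outbound redirector that only honours destinations carrying a valid
MAC, so a modified ?url= has no matching h and is refused. The design
is an assumption; the key, hosts and path are hypothetical.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"hypothetical-server-side-key"  # assumption: held server-side, never in links


def sign_destination(url: str) -> str:
    """HMAC-SHA256 over the exact destination string; only the server can mint it."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_outbound_link(url: str) -> str:
    """How the site renders an outbound link: /out?url=<dest>&h=<mac>."""
    return "/out?" + urlencode({"url": url, "h": sign_destination(url)})


def open_redirect(request_uri: str) -> Optional[str]:
    """Vulnerable redirector: 302s to whatever ?url= says (an Open Redirect,
    which is the hop a Covert Redirect chains through)."""
    return parse_qs(urlsplit(request_uri).query).get("url", [None])[0]


def signed_redirect(request_uri: str) -> Optional[str]:
    """Hardened redirector: refuses a missing or mismatched h. A destination
    the attacker swapped in has no valid MAC for its new value."""
    query = parse_qs(urlsplit(request_uri).query)
    url = query.get("url", [None])[0]
    h = query.get("h", [""])[0]
    if url is None:
        return None
    expected = sign_destination(url)
    # Constant-time comparison; compare bytes so a non-ASCII h cannot raise.
    if not hmac.compare_digest(h.encode("utf-8"), expected.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    legit = make_outbound_link("https://partner.example/page")
    forged = "/out?" + urlencode({"url": "https://attacker.example/collect",
                                  "h": sign_destination("https://partner.example/page")})
    unsigned = "/out?url=https://attacker.example/collect"
    for name, req in [("legit", legit), ("forged", forged), ("unsigned", unsigned)]:
        print(f"{name:8} open={open_redirect(req)!r} signed={signed_redirect(req)!r}")
```

A destination the attacker swaps into ?url= no longer matches the h that was minted for the original one, so the hardened redirector refuses it while the open version follows it. As Facebook's reply notes, this works for links the site itself renders; it does not fit an OAuth redirect_uri that a third party supplies at request time, where the fix is exact-match registration on the provider side.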

Google said “[they] are aware of the problem and are tracking it at the moment.”

LinkedIn “[has] published a blog post on how [they] intend to address [the problem].”

( Blog address: https://developer.linkedin.com/blog/r… )

Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third-party, different from the one reported by me (login.live.com). They recommended me to report the issue to the third-party instead.

Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation as soon as possible.

Taobao closed my report without providing a reason.

Yahoo did not reply me months after my report.

I did not report to VK, Mail.Ru and the others because I do not know the contact of their security teams.

Published by:

Wang Jing (PhD student of Mathematics)
Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)

More Details:
Covert Redirect:
http://tetraph.com/covert_redirect/
Covert Redirect Related to OAuth 2.0 and OpenID:
http://tetraph.com/covert_redirect/oa…
Blog:
http://tetraph.com/blog/
Youtube:
http://www.youtube.com/user/tetraph/