Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

china

 

Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
weibo.com

 

 

“Sina Weibo (NASDAQ: WB) is a Chinese microblogging (weibo) website. Akin to a hybrid of Twitter and Facebook, it is one of the most popular sites in China, in use by well over 30% of Internet users, with a market penetration similar to the United States’ Twitter. It was launched by SINA Corporation on 14 August 2009, and has 503 million registered users as of December 2012. About 100 million messages are posted each day on Sina Weibo. In March 2014, Sina Corporation announced a spinoff of Weibo as a separate entity and filed an IPO under the symbol WB. Sina retains 56.9% ownership in Weibo. The company began trading publicly on April 17, 2014. “Weibo” (微博) is the Chinese word for “microblog”. Sina Weibo launched its new domain name weibo.com on 7 April 2011, deactivating and redirecting from the old domain, t.sina.com.cn to the new one. Due to its popularity, the media sometimes directly uses “Weibo” to refer to Sina Weibo. However, there are other Chinese microblogging/weibo services including Tencent Weibo, Sohu Weibo and NetEase Weibo.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Weibo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(2.1) Vulnerability Detail:

Weibo’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Weibo.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “oauth2/authorize?” with parameter “&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

Before acceptance of third-party application:

When a logged-in Weibo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Weibo and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

A logged-in Weibo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

(2.1.1) Weibo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Weibo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Weibo directly. The number of Weibo’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Weibo’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Weibo’s authentication system and attack more easily.

 

Used one of webpages for the following tests. The webpage is “https://biyiniao.wordpress.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 

Vulnerable URL in this domain:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Vulnerable URL from Weibo that is related to cjcp.com.cn:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 

(2.2) Another method for attackers.


Attackers enter the following URL in browser,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Then, attackers can get URL below,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

If users click URL [3], the same thing will happen as URL [2].

 

 

 

 

POC Video:
https://www.youtube.com/watch?v=eKozHxrk4js

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

Related Articles:
http://diebiyi.com/articles/security/covert-redirect/sinas-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://tetraph.com/security/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://redysnowfox.wordpress.com/2014/08/02/sina-exploit/
http://qianqiuxue.tumblr.com/post/118901060925/itinfotech-covert#notes
http://webtechhut.blogspot.com/2014/07/sina-bug.html
https://twitter.com/yangziyou/status/614745661704015873
http://tetraph.blog.163.com/blog/static/2346030512014463356551/
http://biboying.lofter.com/post/1cc9f4f5_706b6c3
http://frenchairing.blogspot.fr/2014/07/sina-hacking.html
http://www.inzeed.com/kaleidoscope/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://biyiniao.wordpress.com/2014/06/07/sina-research/

 

 

==========

 

新浪 微博 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
weibo.com

 

” 新浪微博是一个由新浪网推出,提供微型博客服务类的社交网站。用户可以通过网页、WAP页面、手机客户端、手机短信、彩信发布消息或上传图片。新浪可以把 微博理解为“微型博客”或者“一句话博客”。用户可以将看到的、听到的、想到的事情写成一句话,或发一张图片,通过电脑或者手机随时随地分享给朋友,一起 分享、讨论;还可以关注朋友,即时看到朋友们发布的信息” (百度百科)

 

 

(2) 漏洞描述:

新浪 微博 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。


(2.1) 漏洞细节:
Weibo 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Weibo 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Weibo 的 URL跳转 攻击。

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info%2Cadd_share…

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

漏洞地点 “oauth2/authorize?”,参数”&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

同意三方 App 前:

当一个已经登录的 Weibo 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。


如果没有登录的 Weibo 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

同意三方 App 后:

已经登录的 Weibo 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Weibo 用户没有登录,攻击依然可以在要求他登录的Weibo的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 


(2.1.1) Weibo 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

因此,Weibo 用户意识不到他会被先从 Weibo 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Weibo 直接跳转到有害网页是一样的。

 

因为 Weibo 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Weibo 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

同意三方 App 后, 攻击者可以完全绕过 Weibo 的 URL跳转 验证系统。

 

 

用了一个页面进行了测试, 页面是 “http://tetraphlike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=Weibo&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

 

Weibo 与 cjcp.com.cn 有关的有漏洞的 URL:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 

 



(2.2) 攻击的另一个方法.


攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

然后,攻击者可以得到 URL,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

如果用户点击 URL [3], 发生的事情和 URL [2] 一样.

 

 




(2.3)下面的 URLs 有同样的漏洞.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code

 

 

POC 视频:
https://www.youtube.com/watch?v=eKozHxrk4js

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

 

 

 

 



eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services.” (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

About Group 超过 99.88% 的链接容易遭受 XSS 和 XFS 攻击

2607064191

 
About Group 网站有一个严重的网络安全问题,它容易遭受 XSS (跨站脚本漏洞) XFS (跨Frame脚本漏洞)。这对它的近10亿月访问用户是灾难和毁灭性的。

 

根据漏洞研究者发布的结果POC视频,所有About.com的话题(子域名)都可以被攻击者利用。

 

新加坡南洋理工大学 (NTU) 数学和物理学院 (SPMS) 数学系 (MAS) 的王晶 (Wang Jing) 发布了这个严重的安全漏洞。王晶声称在2014年10月19号,他向 About Group 做了报告,但是迄今为止一直没有收到回复。漏洞的发布时间是2015年2月2号。“到现在为止,漏洞还没有被修复” 王晶说。

 

与此同时,王晶披露 About.com 主页面的搜索域也容易遭受 XSS 攻击。除此之外,他还发布了一些 About.com 的公开重定向漏洞 (Open Redirect). 王说他的测试是在 Windows 8 的 IE (10.0.9200.16750) 和 Mozilla 的 Firefox (34.0), Ubuntu (14.04) 的 Google Chromium 39.0.2171.65-0, 以及 Mac OS X Lion 10.7 的 Apple Safari 6.1.6 上进行的。

 

XSS (Cross- site Scripting) 可以用来窃取用户信息,控制用户浏览器,和进行 DOS (Denial of Service) 攻击。 XFS (Cross-frame Scripting) 也叫 iFrame Injection,可以修改用户浏览器页面内容。

 

在发布漏洞的同时,王晶还说明因为 About Group 的普遍性,它的漏洞可以用来对其他网站进行隐蔽重定向攻击 (Covert Redirect);XFS 则可以用来对计算机和网络进行 DDOS (Distributed Denial of Service) 黑客攻击。这些漏洞发布在著名漏洞平台 Full-Disclosure 上和他的个人博客上。

 

王晶是一名学生安全研究人员。他发布了包括谷歌,脸书,亚马逊,阿里巴巴,电子湾,领英等多家公司网站的重要漏洞以及大量网络应用程序的补丁。
 

 
 
 

相关新闻:
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
http://www.securityweek.com/xss-xfs-open-redirect-vulnerabilities-found-aboutcom
http://securityaffairs.co/wordpress/33070/hacking/com-affected-xss-xfs-open-redirect-vulnerabilities-since-october-2014.html
http://packetstormsecurity.com/files/130211/About.com-Cross-Site-Scripting.html
http://www.zoomit.ir/it-news/security/17394-about-com-links-vulnerable-to-xss-xfs
http://itsecurity.lofter.com/post/1cfbf9e7_6f05a63
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://securitypost.tumblr.com/post/118837857592/about-group-99-88-xss-xfs-about
http://www.inzeed.com/kaleidoscope/computer-security/about-group-xss-xfs/
https://www.secnews.gr/99percent-about-xss-xfs-attack-exploit
http://www.decomoadesinstalar.com/abrir-codigo-iframe-xss-xfs-ataque-mas-del-99-por
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1547
http://www.40kalagh.net/about-grope-xss-and-xfs
http://blog.norsecorp.com/2015/02/03/about-com-platform-rife-with-xss-and-iframe-injection-vulnerabilities/

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

aliexpress_1


Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities



Domains Basics:

Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.





Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




(1) Domains Descriptions:

“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



“Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia” (Wikipedia)



“Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People’s Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan.” (Wikipedia)

 

 

(2) Vulnerability descriptions:

Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks.

 

 

(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS

The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.

 

 

(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/justqdjing/ )-‘”;&redirect=0

POC Video:

Blog Details:




(3.2)Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities

The vulnerabilities occur at “landing.php?” page with “cateid” “fromapp” parameters, e.g

POC Code:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

POC Video:

Blog Details:




(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

POC Video:

Blog Details:

 

This vulnerabilities were disclosed at Full Disclosure. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards.

 

 

(4) Alibaba Taobao(taobao.com)Covert Redirect Security Vulnerability Based on Apple.com



(4.1) Vulnerability description:

Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao’s whitelist, e.g.

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future.



(4.2) The vulnerability occurs at “redirect.htm?” page, with parameter “&url”, i.e.

The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(4.3) Use a website for the tests,the redirected webpage is “http://www.tetraph.com/blog“. Just suppose it is malicious.

Vulnerable URL:

POC Code:

Poc Video:

Blog Detail:

 

 

Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba.
http://security.alibaba.com/people.htm?id=2048213134

 

 

 

 

https://www.facebook.com/websecuritiesnews/posts/802525526534286

https://www.facebook.com/permalink.php?story_fbid=841091885926189&id=767438873291491

https://infoswift.wordpress.com/2015/01/27/alibaba-xss-open-redirect/

http://tetraph.blog.163.com/blog/static/2346030512015545132356/

 

 



========================================================







阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞

 

 

域名:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 是阿里巴巴集团最大的前三家网上购物电子商务网站.

 

 

(1) 漏洞描述:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 有一个安全问题. 它容易遭受 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞攻击.

漏洞不需要用户登录,测试是基于Windows 7 的 IE (8.0. 7601) 和 Ubuntu (14.04) 的 Firefox (34.0)。

 

 

(1.1) 阿里巴巴 淘宝 线上电子购物网 (Taobao.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/tetraph/ )-‘”;&redirect=0

 

 

(1.2) 阿里巴巴 全球速卖通 在线交易平台 (aliexpress.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “mobile_325_promotion_landing.php”, 参数 “cateid” 和 “fromapp” e.g.

POC:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

 

 

(1.3) 阿里巴巴 天猫 线上电子购物网 (Tmall.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

 

 

(2) 阿里巴巴淘宝线上电子购物网(taobao.com)Covert Redirect(隐蔽重定向跳转)安全漏洞基于 苹果网站

 

 

(2.1) 漏洞描述:

阿里巴巴 淘宝购物网 有一个安全问题. 它容易遭受 Covert Redirect (Open Redirect 公开重定向) 漏洞攻击. 所有 属于 Apple.com 的 链接都在白名单内。故而如果 苹果的 网站 本身有 公开重定向问题。那么受害者相当于首先被导向到 苹果官网然后 到 有害网站。 事实上苹果网站被发现有公开重定向问题,过段时间会公布细节。

有漏洞的文件是 “redirect.htm?”, 参数 “&url”, i.e.

这个漏洞不需要用户登录。测试是基于Windows 8 的 IE (10.0) 和 Ubuntu (14.04) 的 Firefox (34.0) 及 Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit),Mac OS X Lion 10.7 的 Safari 6.1.6。

 

 

(2.2) 用一个创建的网页进行测试,这个网页是“http://www.tetraph.com/blog“。可以假定这个页面是有害的。

漏洞网址:

POC 代码:

 

这些漏洞在2014年被报告给阿里巴巴安全应急中心,到今天已被修补 (刚刚检查), 名字被列在了白帽子名单感谢表里。
http://security.alibaba.com/people.htm?id=2048213134

 

漏洞发现者:
王晶, 数学科学系 (MAS), 物理与数学科学学院 (SPMS), 南洋理工大学 (NTU), 新加坡.
http://www.tetraph.com/wangjing/

 

 

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs

facebook_3


Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs




Domain:
http://www.facebook.com



“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students.” (Wikipedia)



“Facebook had over 1.44 billion monthly active users as of March 2015.Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion.” (Wikipedia)





Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 



(1) General Vulnerabilities Description:

(1.1) Two Facebook vulnerabilities are introduced in this article.

Facebook has a computer cyber security bug problem. It can be exploited by Open Redirect attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon, eBay, Go-daddy, Yahoo, 163, Mail.ru etc.

 

(1.1.1)

One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched. However, all old generated URLs are still vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook’s third-party interaction system or database management system or both. Another reason may be related to Facebook’s design for different kind of browsers.

 

(1.1.2) Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).

The vulnerabilities can be attacked without user login. Tests were performed on IE (9.0) of Windows 8, Firefox (24.0) & Google Chromium 30.0.1599.114 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (12.10),Safari 6.1.6 of Mac OS X Lion 10.7.



(1.2) Facebook’s URL Redirection System Related to “*.php” Files

All URLs’ redirection are based on several files, such l.php, a.php, landing.php and so on.

The main redirection are based on file “l.php” (Almost all redirection links are using it right now).

For file “l.php”, one parameter “h” is used for authentication. When it mentions to file “a.php”, parameter “eid” is used for authentication. All those two files use parameter “u” for the url redirected to. In some other files such as “landing.php”, parameters such as “url”, “next” are used.

<1>For parameter “h”, two forms of authentication are used.

<a>h=HAQHyinFq

<b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA

<2>For parameter “eid”, one form of authentication is used.

<a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqaxLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWfgPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMBVm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMuwsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRKL7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFMav-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSlwSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH09Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYotLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEqR2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPwpWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA79TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJcDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJeif4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJerXPyK-IqsD_SQfIm_2WJSkzwzATwQKs

 

 

 


(2) Vulnerability Description 1:

(2.1) A security researcher reported two Open Redirect vulnerabilities to Facebook in 2013. The following are the two links reported.

Though a new mechanism was adopted. However, all old generated redirections still work by parameter “h” and “eid”.

 

 

(2.2) A website was used for the following tests. The website is “http://www.tetraph.com/“. Suppose this website is malicious.

(2.2.1)

<1>First test

<a>file: “l.php”

<b>URL parameter: “u”

<c>authentication parameter: “h”

<d>form: “h=HAQHyinFq”.

<e>The authentication has no relation with all other parameters, such as “s”.

Examples:

URL 1:

Redirect Forbidden:

Redirect Works:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

(2.2.2)

<2>Second test. It is the same situation as above.

<a>file: “l.php”,

<b>url parameter “u”

<c>authentication parameter: “h”

<d>form: “h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA”.

<e>The authentication has no relation to all other parameters, such as “env”, “s”.

 

Examples:

URL 1:

Redirect Forbidden:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

 

(3) Facebook File “a.php” Open Redirect Security Vulnerability

 

(3.1)

<a>file: “a.php”

<b>parameter “u”

<c> authentication parameter: “eid”

<d> form: “eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w”.

<e>The authentication has no relation to all other parameters, such as “mac”, “_tn_”.

Examples:

Vulnerable URL:

https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F%252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%253Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D8782431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER%257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCuD-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAkinLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgUY6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w

POC:

 

(3.2) Facebook Login Page Covert Redirect Security Vulnerability

Vulnerable URL Related to Login.php Based on a.php:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fopenhouse2014%252F%253Futm_source%253Dfacebook%2526utm_medium%253Dcpc%2526utm_campaign%253Dopenhouse2014%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

POC:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs





Those vulnerabilities were reported to Facebook in 2014 and they have been patched.





Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Facebook has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. Large number of Facebook bugs were published here. FD also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.








(4) Amazon Covert Redirect Security Vulnerability Based on Facebook

Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon.


Domain:
http://www.amazon.com


“American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

 

The vulnerability exists at “redirect.html?” page with “&location” parameter, e.g.

 

(4.1) When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com

 

(4.2) Use one of webpages for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. Suppose it is malicious.

Vulnerable URL:

POC:

 

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/22
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1428
http://lists.openwall.net/full-disclosure/2015/01/12/1
http://marc.info/?l=full-disclosure&m=142104333521454&w=4
http://diebiyi.com/articles/security/facebook-open-redirect/
https://www.facebook.com/essaybeans/posts/570476126427191
http://germancast.blogspot.de/2015/06/facebook-web-security-0day-bug.html
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://essaybeans.lofter.com/post/1cc77d20_7300027
http://qianqiuxue.tumblr.com/post/120750458855/itinfotech-facebook-web-security-0day-bug
https://www.facebook.com/permalink.php?story_fbid=472994806188548&id=405943696226993
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://www.tetraph.com/blog/phishing/facebook-open-redirect/
http://itinfotech.tumblr.com/post/120750347586/facebook-web-security-0day-bug
http://ittechnology.lofter.com/post/1cfbf60d_72fd108
http://russiapost.blogspot.ru/2015/06/facebook-web-security-0day-bug.html
https://twitter.com/tetraphibious/status/606676645265567744
https://plus.google.com/u/0/110001022997295385049/posts/hb6seddG561
http://whitehatpost.blog.163.com/blog/static/24223205420155501020837/
http://www.inzeed.com/kaleidoscope/computer-security/facebook-open-redirect/







Yahoo and Yahoo Japan May be Vulnerable to Spams

175801847

Yahoo and Yahoo Japan May be Vulnerable to Spams
 
Student security researcher Wang Jing from School of Physical and Mathematical Sciences at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo. After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed”. It seems that Yahoo do not take the vulnerabilities seriously at all.
 
Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior”. However, these vulnerabilities were patched later.“
 
The vulnerability of Yahoo occurs at “ard.yahoo.com” page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp”.
Proof of concept on YouTube were also released to illustrate exploits.
 
(1)Yahoo Open Redirect
https://www.youtube.com/watch?v=k4eFLsTyZkg
(2)Yahoo Japan Unvalidated Redirects and Forwards (URF)
https://www.youtube.com/watch?v=2SM78WKAVr8
 
In fact, Yahoo’s users were attacked based on redirection this year. Base onCNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware.”
 
Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.
 
Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.
 
On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.”
 
Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”