Thursday, 8 May 2014

RenRen.com Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)























RenRen.com Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)



(1) Domain:
renren.com



"The Renren Network (Chinese: 人人网; pinyin: Rénrénwǎng; literally: "Everyone's Website"), formerly known as the Xiaonei Network (Chinese: 校内网; literally: "on-campus network") is a Chinese social networking service. It is popular among college students. In February 2011, Renren made a pre-IPO announcement that it had 160 million registered users. Later, in April 2011, it had to update its statement accurately to "a total of 31 million active monthly users." Renren Inc. has its headquarters in Chaoyang District, Beijing. Renren also has offices in Shanghai and Guangzhou." (Wikipedia)








(2) Vulnerability Description:

Renren web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 











(2.1) Vulnerability Detail:
Renren's OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Renren.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),
"&response_type"=sensitive_info,token...
"&scope"=get_user_info%2Cadd_share...


It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.


The vulnerabilities occurs at page "/oauth/grant?" with parameter "&redirect_uri", e.g.




Before acceptance of third-party application:
When a logged-in Renren user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".



If a user has not logged onto Renren and clicks the URL ([1]) above, the same situation will happen upon login.



After acceptance of third-party application:
A logged-in Renren user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).




For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.


(2.1.1) Renren would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks. 

Hence, a user could be redirected from Renren to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Renren directly. The number of Renren's OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, Renren's OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Renren's authentication system and attack more easily.






(2.2) Use one of webpages for the following tests. The webpage is "https://zuiyuxiang.wordpress.com/". Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:
sohu.com



Vulnerable URL in this domain:
Vulnerable URL from Renren that is related to sohu.com:
POC:


Blog Detail:
http://tetraph.blogspot.com/2014/05/renrencom-oauth-20-covert-redirect.html







(3) What is Covert Redirect? 


Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.



Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.






Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)










Related Articles:
http://tetraph.com/security/covert-redirect/renren-com-oauth-2-0-covert-redirect-vulnerability-infomation-leakage-open-redirect/
http://www.inzeed.com/kaleidoscope/covert-redirect/renren-com-oauth-2-0-covert-redirect-vulnerability-infomation-leakage-open-redirect/
http://itsecurity.lofter.com/post/1cfbf9e7_7069705
http://tetraph.blog.163.com/blog/static/23460305120144625556157/
https://mathfas.wordpress.com/2014/10/15/renren-com-oauth-2-0-covert-redirect-vulnerability-infomation-leakage-open-redirect/
http://computerobsess.blogspot.com/2014/10/renrencom-oauth-20-covert-redirect.html
https://twitter.com/buttercarrot/status/558906041404911616
https://vulnerabilitypost.wordpress.com/2014/10/15/renren-com-oauth-2-0-covert-redirect-vulnerability-infomation-leakage-open-redirect/
http://whitehatview.tumblr.com/post/119488487851/securitypost-itinfotech-falha-de-seguranca
http://securityrelated.blogspot.com/2014/10/renrencom-oauth-20-covert-redirect.html





=================




人人网 (renren.com) 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向) 




(1) 域名:
renren.com

"人人网是中国领先的实名制社交网络平台。人人网在用户数、页面浏览量、访问次数和用户花费时长等方面均占据优势地位。用户可以在这一平台上相互交流,分享信息和用户自创内容,玩在线游戏,听音乐,参与团购,并享受一系列其它服务。2015年1月30日,人人网发消息称将下线站内信功能。" (百度百科)








(2) 漏洞描述:
人人网网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。


这个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。






(2.1) 漏洞细节:
Renren 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Renren 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Renren 的 URL跳转 攻击。

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),
"&response_type"=sensitive_info,token,code...a
"&scope"=get_user_info,email...




它也增加了对第三方网站 URL跳转 攻击的成功率。
漏洞地点 "/oauth/grant?",参数"&redirect_uri", e.g.
http://graph.renren.com /oauth/grant?client_id=7e7b2e3482954a5a84403d718e563c30& response_type=code&display=page& scope=read_user_blog+read_user_checkin+read_user_feed+read_user_guestbook+read_user_invitation+read_user_like_history+read_user_message+read_user_notification+read_user_photo+read_user_status+read_user_album+read_user_comment+read_user_share+read_user_request+publish_checkin+publish_blog+publish_feed+publish_share+write_guestbook+send_invitation+send_request+send_message+send_notification+photo_upload+status_update+create_album+publish_comment+operate_like+email& amp;secure=true&origin=00000&x_renew=true& redirect_uri=http://store.tv.sohu.com/web/login.do?bru=http: //tetraph.com/essayjeans/seasons/祭春.html [1]




同意三方 App 前:
当一个已经登录的 Renren 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 "&redirect_uri" 的 URL。


如果没有登录的Renren 用户点击 URL ([1]), 他登录后会发生同样的事情。



同意三方 App 后:
已经登录的 Renren 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。




如果 Renren 用户没有登录,攻击依然可以在要求他登录的Renren的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。






(2.1.1) Renren 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 "&redirect_uri" 是被三方 App 设置的,但攻击者可以修改此参数的值。




因此,Renren 用户意识不到他会被先从 Renren 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Renren 直接跳转到有害网页是一样的。



因为 Renren 的 OAuth 2.0 客户很多,这样的攻击可以很常见。


在同意三方 App 之前,Renren 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。



同意三方 App 后, 攻击者可以完全绕过 Renren 的 URL跳转 验证系统。








(2.2) 用一个页面进行了测试, 页面是 "http://mathdaily.lofter.com/". 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。




下面是一个有漏洞的三方 domain:
sohu.com




这个 domain 有漏洞的 URL:
http://store.tv.sohu.com/web/login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html



Renren 与 sohu.com 有关的有漏洞的 URL:
http://graph.renren.com/oauth/grant?client_id=7e7b2e3482954a5a84403d718e563c30&response_type=code&display=page&scope=read_user_blog+read_user_checkin+read_user_feed+read_user_guestbook+read_user_invitation+read_user_like_history+read_user_message+read_user_notification+read_user_photo+read_user_status+read_user_album+read_user_comment+read_user_share+read_user_request+publish_checkin+publish_blog+publish_feed+publish_share+write_guestbook+send_invitation+send_request+send_message+send_notification+photo_upload+status_update+create_album+publish_comment+operate_like+email&secure=true&origin=00000&x_renew=true&redirect_uri=https://passport.sohu.com/openlogin/callback/renren



POC:
http://graph.renren.com /oauth/grant?client_id=7e7b2e3482954a5a84403d718e563c30& response_type=code&display=page& scope=read_user_blog+read_user_checkin+read_user_feed+read_user_guestbook+read_user_invitation+read_user_like_history+read_user_message+read_user_notification+read_user_photo+read_user_status+read_user_album+read_user_comment+read_user_share+read_user_request+publish_checkin+publish_blog+publish_feed+publish_share+write_guestbook+send_invitation+send_request+send_message+send_notification+photo_upload+status_update+create_album+publish_comment+operate_like+email& amp;secure=true&origin=00000&x_renew=true& redirect_uri=http://store.tv.sohu.com/web/login.do?bru=http: //tetraph.com/essayjeans/seasons/祭春.html







POC 视频:
https://www.youtube.com/watch?v=D-X8qAO2q_I


博客细节:
http://tetraph.blogspot.com/2014/05/renrencom-oauth-20-covert-redirect.html








(3) 什么是隐蔽重定向? 

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS - Cross-site Scripting) 问题。


隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF - Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567;  Bugtraq ID 是 67196;  X-Force ID 是 93031。


















NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com





















NetEase (163.comOnline Website Covert Redirect Web Security Bugs Based on Google.com



(1) Domain:
163.com


"
NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam." (Wikipedia)







(2) Vulnerability Description:
163 web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 





The programming code flaw occurs at page "redirect.html?" with parameter "&url", e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc






(2.1) When a user is redirected from 163 to another site, 163 will check whether this URL belongs to a domain on 163's whitelist. If this is true, the redirection will be permitted.




However, if the URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from 163 directly.







(2.2) Used one of webpages for the following tests. The webpage is "http://whitehatpostlike.lofter.com/". Can suppose it is malicious.





Below is an example of a vulnerable domain:
google.com





Vulnerable URL from 163 that is related to yhd.com:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com






POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog







POC video:
https://www.youtube.com/watch?v=8QqKQml1QCE


Blog Detail:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html






(3) What is Covert Redirect? 
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.



Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. 





Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)





More Details:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
https://computertechhut.wordpress.com/2014/05/02/netease-hack/

http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html






==============






网易 (NetEase) 网站 隐蔽重定向 (Covert Redirect) 网络安全漏洞 基于 谷歌 (Google.com)




(1) 域名:
163.com



"网易 (NASDAQ: NTES)是中国领先的互联网技术公司,利用最先进的互联网技术,加强人与人之间信息的交流和共享,实现“网聚人的力量”。创始人兼CEO是丁磊。在开发互联网应用、服务及其它技术方面,网易始终保持业界的领先地位,并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量免费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务,还通过自主研发推出了一款率先取得白金地位的国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。" (百度百科)








(2) 漏洞描述:
163 网站有有一个计算机安全问题,黑客可以对它用隐蔽重定向 (Covert Redirect) 网络攻击。

这个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。






漏洞地点 "redirect.html?",参数"&url", e.g.

http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc 





(2.1) 163 对跳转的页面存在一个 domain whitelist, 如果跳转的页面属于这些 domain, 则允许跳转。




但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此,163 用户意识不到他会被先从 163 跳转到有漏洞的网页,然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。








(2.2) 用了一个页面进行了测试, 页面是 "http://shellmantis.tumblr.com/". 可以假定它是有害的。




下面是一个有漏洞的 domain:

google.com





163 与 google.com 有关的有漏洞的 URL:

http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com




POC:


http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog






POC 视频:

https://www.youtube.com/watch?v=8QqKQml1QCE




博客细节:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html










(3) 什么是隐蔽重定向? 
隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS - Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF - Cross-site Request Forgery) 一起利用。
























相关文章:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
https://computertechhut.wordpress.com/2014/05/02/netease-hack/

http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html





Tuesday, 6 May 2014

Sina OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

















Sina OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
sina.com



"Sina (新浪) is a Chinese online media company for Chinese communities around the world. Sina operates four major business lines: Sina Weibo, Sina Mobile, Sina Online, and Sina.net. Sina has over 100 million registered users worldwide. Sina was recognized by Southern Weekend as the "China's Media of the Year" in 2003.Sina owns Sina Weibo, a Twitter-like microblog social network, which has 56.5 percent of the Chinese microblogging market based on active users and 86.6 percent based on browsing time over Chinese competitors such as Tencent and Baidu. The social networking service has more than 500 million users and millions of posts per day, and is adding 20 million new users per month, says the company. The top 100 users now have over 180 million followers combined. Sina.com is the largest Chinese-language web portal. It is run by Sina Corporation, which was founded in 1999. The company was founded in China, and its global financial headquarters have been based in Shanghai since October 1, 2001." (Wikipedia)







(2) Vulnerability Description:
Sina web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 




The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 








(2.1) Vulnerability Detail:
Sina's OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Sina.






At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),
"&response_type"=sensitive_info,token...
"&scope"=get_user_info%2Cadd_share...





It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.





The vulnerabilities occurs at page "/authorize?" with parameter "&redirect_uri", e.g.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code [1]





Before acceptance of third-party application:
When a logged-in Sina user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".




If a user has not logged onto Sina and clicks the URL ([1]) above, the same situation will happen upon login.





After acceptance of third-party application:
A logged-in Sina user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).



For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.






(2.1.1) Sina would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.



Hence, a user could be redirected from Sina to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Sina directly. The number of Sina's OAuth 2.0 client websites is so huge that such Attacks could be commonplace.



Before acceptance of the third-party application, Sina's OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.




Once the user accepts the application, the attackers could completely bypass Sina's authentication system and attack more easily.




(2.2) One of webpages was used for the following tests. The webpage is "http://tetraphlike.lofter.com/". Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.





Below is an example of a vulnerable third-party domain:
paidai.com





Vulnerable URL in this domain:
http://www.paidai.com/user/login.php?ref=http://tetraph.com/essayjeans/memories/%E9%9B%A8%E6%A2%A6%E9%9B%A8%E9%9F%B5.html




Vulnerable URL from Sina that is related to paidai.com:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code



POC:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code







POC Video:

https://www.youtube.com/watch?v=5MWNG4UlZUc


Blog Detail:
http://tetraph.blogspot.com/2014/05/sinas-oauth-20-covert-redirect.html








(3) What is Covert Redirect? 
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.



Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. 






Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)









Related Articles:
http://tetraph.com/security/covert-redirect/sinas-oauth-2-0-covert-redirect
https://twitter.com/essayjeans/status/558976278854770688
http://diebiyi.com/articles/security/covert-redirect/sina-weibo-oauth-2-0

https://hackertopic.wordpress.com/2014/09/28/sina-exploit/
http://japanbroad.blogspot.jp/2014/09/sina-hacking.html
http://tetraph.blog.163.com/blog/static/23460305120144715917495/
http://homehut.lofter.com/post/1d226c81_7069918

http://xingti.tumblr.com/post/119489954830/securitypost-sicherheitslucke-in-oauth-2-0-und
https://infoswift.wordpress.com/2014/09/11/sina-bugs/
http://computerobsess.blogspot.com/2014/06/sina-web-service-attack.html
http://www.inzeed.com/kaleidoscope/covert-redirect/sinas-oauth-2-0-covert-redirect






================








新浪 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向) 




(1) 域名:
sina.com



"新浪(NASDAQ:SINA),是一家网络公司的名称,以服务大中华地区与海外华人为己任,新浪拥有多家地区性网站,通过旗下五大业务主线为用户提供网络服务,网下的北京新浪、香港新浪、台北新浪、北美新浪等覆盖全球华人社区的全球最大中文门户网站,2012年11月新浪注册用户已突破4亿。新浪公司是一家服务于中国及全球华人社群的网络媒体公司。新浪通过门户网站新浪网、移动门户手机新浪网和社交网络服务及微博客服务微博组成的数字媒体网络,帮助广大用户通过互联网和移动设备获得专业媒体和用户自生成的多媒体内容(UGC)并与友人进行兴趣分享。" (百度百科)







(2) 漏洞描述:
新浪 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。


这个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。







(2.1) 漏洞细节:
Sina 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Sina 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Sina 的 URL跳转 攻击。



与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里), 
"&response_type"=sensitive_info,token,code...
"&scope"=get_user_info,email...




它也增加了对第三方网站 URL跳转 攻击的成功率。





漏洞地点 "/authorize?",参数"&redirect_uri", e.g.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code [1]






同意三方 App 前:
当一个已经登录的 Sina 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 "&redirect_uri" 的 URL。


如果没有登录的Sina 用户点击 URL ([1]), 他登录后会发生同样的事情。



同意三方 App 后:
已经登录的 Sina 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

如果 Sina 用户没有登录,攻击依然可以在要求他登录的Sina的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。





(2.1.1) Sina 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 "&redirect_uri" 是被三方 App 设置的,但攻击者可以修改此参数的值。


因此,Sina 用户意识不到他会被先从 Sina 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Sina 直接跳转到有害网页是一样的。


因为 Sina 的 OAuth 2.0 客户很多,这样的攻击可以很常见。


在同意三方 App 之前,Sina 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。


同意三方 App 后, 攻击者可以完全绕过 Sina 的 URL跳转 验证系统。






(2.2) 用了一个页面进行了测试, 页面是 "http://qianqiuxue.tumblr.com/". 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。




下面是一个有漏洞的三方 domain:
paidai.com


这个 domain 有漏洞的 URL:
http://www.paidai.com/user/login.php?ref=http://tetraph.com/essayjeans/memories/%E9%9B%A8%E6%A2%A6%E9%9B%A8%E9%9F%B5.html




Sina 与 paidai.com 有关的有漏洞的 URL:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code





POC:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code






POC 视频:
https://www.youtube.com/watch?v=5MWNG4UlZUc


博客细节:

http://tetraph.blogspot.com/2014/05/sinas-oauth-20-covert-redirect.html









(3) 什么是隐蔽重定向? 
隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS - Cross-site Scripting) 问题。


隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF - Cross-site Request Forgery) 一起利用。