OAuth 2.0 and OpenID have a serious Covert Redirect (http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html) vulnerability.
The vulnerability affects the OAuth 2.0 and OpenID providers of most major internet companies, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, QQ, Taobao, Weibo, VK, Mail.Ru, PayPal, GitHub, Sohu and others. I will describe their vulnerabilities in detail, one by one, in the near future.
The name Covert Redirect is derived from, and chosen to contrast with, the existing vulnerability class Open Redirect.
The vulnerability could lead to Open Redirect attacks (https://www.owasp.org/index.php/Open_redirect) against both clients and providers of OAuth 2.0 or OpenID. The attack abuses an existing open redirect on the client site: the provider sends the user's token to a redirect URI on the client's domain, which passes the provider's check, and the client's open redirect then forwards the browser, token included, to the attacker. For OAuth 2.0, these attacks might jeopardize the user's token, which could be used to access user information. In the case of Facebook, that information could include basic data such as email address, age, locale and work history. If the token has greater privileges (the user must have consented to them in the first place), the attacker could obtain more sensitive information, such as the mailbox, friends list and online presence, and could even operate the account on the user's behalf.
For OpenID, the attacker may obtain the user's information directly. Compounded by the large number of companies involved, this vulnerability could have severe consequences if left unresolved.
Unfortunately, the problem is difficult to patch because the system is shared between a large host company (the provider) and numerous third-party websites (the clients) that use OAuth 2.0 and OpenID to gain access to the host company's large user base. The vulnerability usually stems from an existing weakness (the open redirect) in the third-party website. However, the clients have little incentive to fix it: one concern is cost, and another is that, in their view, the host company is what makes the attack appear credible, so the problem is not solely theirs. The onus would then fall on the Big Brother (the provider). To the provider, however, the problem does not originate on its own website, and even if it is willing to take on the responsibility, it would have to obtain cooperation from all of its different clients, which is a daunting task.
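As an added example that is not part of the original post, the following Python simulation contrasts a provider that whitelists redirect URIs by domain only with one that requires an exact match against the URI the client registered, and shows how an open redirect on the client domain carries the token to an attacker when the loose check is in use. It models the implicit grant, in which the provider returns the access token in the URL fragment; all hostnames, the client ID, the `/redirect?next=` endpoint and the token value are hypothetical.

```python
"""Added example (not from the original post): redirect_uri validation on the
provider side, loose (domain-only) versus strict (exact registered URI), and a
client-side open redirect that turns the loose check into a Covert Redirect.
Hostnames, client IDs, paths and the token are hypothetical."""
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical client registration: the provider keeps the exact redirect URIs
# each client registered (what a "whitelist" of redirect URLs looks like).
REGISTERED = {
    "client-app-123": {"https://client.example/oauth/callback"},
}


def loose_check(client_id, redirect_uri):
    """Weak: accept any URI whose host matches a registered host.
    Any path on the client domain, including an open redirect, passes."""
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED[client_id]}
    return urlsplit(redirect_uri).hostname in allowed_hosts


def strict_check(client_id, redirect_uri):
    """Strict: the presented redirect_uri must equal a registered URI byte for byte
    (scheme, host, path and query all included)."""
    return redirect_uri in REGISTERED[client_id]


def provider_authorize(client_id, redirect_uri, check, token="tok_secret"):
    """Simulated implicit-grant authorization endpoint. On success the provider
    answers with a redirect to redirect_uri carrying the access token in the
    fragment; on failure it refuses to redirect at all (returns None)."""
    if client_id not in REGISTERED or not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def client_open_redirect(url):
    """Simulated browser + client: the client's /redirect?next=<url> endpoint
    sends a 302 to <url>. The fragment never reaches the client server, but the
    browser re-attaches it to the new Location when that Location has no
    fragment of its own, so the token follows the user to `next`."""
    parts = urlsplit(url)
    if parts.path != "/redirect":
        return url
    target = parse_qs(parts.query).get("next", [None])[0]
    if not target:
        return url
    return f"{target}#{parts.fragment}" if parts.fragment else target


def run_attack(check):
    """Attacker-crafted redirect_uri that points at the client's open redirect.
    Returns (final hostname, fragment) or None if the provider refused."""
    evil = "https://client.example/redirect?" + urlencode(
        {"next": "https://attacker.example/collect"}
    )
    location = provider_authorize("client-app-123", evil, check)
    if location is None:
        return None
    final = client_open_redirect(location)
    return urlsplit(final).hostname, urlsplit(final).fragment


if __name__ == "__main__":
    print("loose check :", run_attack(loose_check))
    print("strict check:", run_attack(strict_check))
```

With the loose check the token lands on attacker.example; with the strict check the provider never issues the redirect, because the open-redirect URL is not the registered callback. The strict comparison is deliberately a plain string equality: prefix, suffix or pattern matching reopens the same hole through path and query variations, which is why the fix has to be applied on the provider side even though the open redirect itself lives on the client.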
I have reported the vulnerability to the related companies.
Facebook said "[they] understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term."
Google said "[they] are aware of the problem and are tracking it at the moment."
LinkedIn said they "have published a blog post on how [they] intend to address [the problem]."
(Blog address: https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls)
Microsoft answered after an investigation and concluded that the vulnerability exists in the domain of a third party, different from the one reported by Wang (login.live.com). They recommended that I report the issue to the third party instead.
Weibo said they considered this vulnerability serious and would ask their developers to deal with it.
Taobao just closed my report without giving any reason.
Yahoo had not replied to me months after my report.
I did not report to VK.com, Mail.Ru and others because I do not know their security contact email addresses.
Posted by:
WANG Jing (王晶), a mathematics PhD student at Nanyang Technological University. He received his bachelor's degree in Mathematics from the University of Science and Technology of China.