Friday 2 May 2014

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID ( 与 OAuth 2.0 and OpenID 有关的 Covert Redirect 漏洞 )


OAuth 2.0 and OpenID have serious Covert Redirect (http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html) vulnerability.

The vulnerabilities affects most major internet companies OAuth 2.0 and OpenID prodivers, such as Facebook,  Google, Yahoo, LinkedIn, Microsoft, QQ, Taobao, Weibo, VK, Mail.Ru, PayPal, GitHub, Sohu and so on. I will introduce their vulnerabilities in detail one by one in the near future.

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. 





The vulnerability could lead to Open Redirect Attacks (https://www.owasp.org/index.php/Open_redirect) to both clients and providers of OAuth 2.0 or OpenID. For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information.  In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user's behalf. 

For OpenID, the attackers may get user's information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved. 

Unfortunately, it is difficult to patch the problem because the system is shared by a large host company (the provider) and numerous third-party websites (the clients) that use OAuth 2.0 and OpenID to gain access to the large user base of the host company. The vulnerability is usually due to the existing weakness in the third-party websites. However, they have little incentive to fix the problem. One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. Then, the onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the different clients, which is nonetheless a daunting task.




I have reported the vulnerability to related companies. 

Facebook said "they] understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term."

Google said "[they] are aware of the problem and are tracking it at the moment."

LinkedIn said "have published a blog post on how [they] intend to address [the problem]." 
( Blog address: https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls )

Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third-party, different from the one reported by Wang (login.live.com). They recommended me to report the issue to the third-party instead. 

Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation.

Taobao just closed my report without giving any reason.

Yahoo did not reply me months after my report.


I did not report to VK.com, Mail.Ru and so on because I do not know their contact email related to security.









Posed by:
WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University. He got his bachelar degree of Mathematics from University of Science and Technology of China.






No comments:

Post a Comment