Friday 2 May 2014

Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com
















Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com




(1) Domain:

godaddy.com


"GoDaddy is a publicly traded Internet domain registrar and web hosting company. As of 2014, GoDaddy was said to have had more than 59 million domain names under management, making it the world's largest ICANN-accredited registrar. It serves more than 12 million customers and employs more than 4,000 people. The company is known for its celebrity spokespeople, Super Bowl ads and as being an online provider for small businesses. In addition to a postseason college football bowl game, it sponsors NASCAR. It has been involved in several controversies related to security and privacy. In addition to domain registration and hosting, GoDaddy also sells e-business related software and services." (Wikipedia)








(2) Vulnerability Description:

Godaddy web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 





The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 




The vulnerability occurs at "redirect.aspx?" page with "&target" parameter, i.e.

http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com







(2.1) When a user is redirected from Godaddy to another site, Godaddy will check whether the redirected URL belongs to domains Godaddy's whitelist, e.g.

google.com
apple.com




If this is true, the redirection will be allowed.




However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Godaddy to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Godaddy directly.




One of the vulnerable domain is,

google.com






(2.2) Use one of webpages for the following tests. The webpage address is "http://diebiyi.com/articles/". Can suppose that this webpage is malicious.



Vulnerable URL:

http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.godaddy.com


POC:

http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fcontact.html





POC Video:

https://www.youtube.com/watch?v=gS4n825Yx28



Blog Detail:

http://tetraph.blogspot.com/2014/05/godaddy-covert-redirect-vulnerability.html






(3) What is Covert Redirect? 
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.



Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. 






Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)









Related Articles:
https://twitter.com/tetraphibious/status/559167679353720834
http://tetraph.blog.163.com/blog/static/234603051201444111919171/

3 comments:

  1. http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

    A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed "Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

    Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw's finder, Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

    ReplyDelete
  2. Thanks for another excellent post. Where else could anybody get that type of info in such an ideal way of writing? In my opinion, my seeking has ended now. godaddy workspace login

    ReplyDelete
  3. I can recommend primarily decent and even responsible tips, as a result view it: Visto turistico per l'India

    ReplyDelete