Friday 2 May 2014

LinkedIn Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
linkedin.com

"LinkedIn /ˌlɪŋkt.ˈɪn/ is a business-oriented social networking service. Founded in December 2002 and launched on May 5, 2003, it is mainly used for professional networking. In 2006, LinkedIn increased to 20 million members. As of March 2015, LinkedIn reports more than 364 million acquired users in more than 200 countries and territories. The site is available in 24 languages, including Arabic, Chinese, English, French, German, Italian, Portuguese, Spanish, Dutch, Swedish, Danish, Romanian, Russian, Turkish, Japanese, Czech, Polish, Korean, Indonesian, Malay, and Tagalog. As of 2 July 2013, Quantcast reports LinkedIn has 65.6 million monthly unique U.S. visitors and 178.4 million globally, a number that as of 29 October 2013 has increased to 184 million. In June 2011, LinkedIn had 33.9 million unique visitors, up 63 percent from a year earlier and surpassing MySpace. LinkedIn filed for an initial public offering in January 2011 and traded its first shares on May 19, 2011, under the NYSE symbol "LNKD"." (Wikipedia)

(2) Vulnerability Description:

LinkedIn's web application is vulnerable to Covert Redirect attacks: its OAuth 2.0 authorization endpoint accepts a "redirect_uri" value that it should reject, so an attacker can chain LinkedIn's trusted redirect onto an Open Redirect on a third-party client website.

The attack does not require the victim to be logged in to LinkedIn beforehand (the redirect happens after login, see (2.1)). Tests were performed on Microsoft IE 10.0.9200.16750 on Windows 8, Mozilla Firefox 34.0 and Google Chromium 39.0.2171.65-0ubuntu0.14.04.1.1064 (64-bit) on Ubuntu 14.04, and Apple Safari 6.1.6 on Mac OS X Lion 10.7.

(2.1) Vulnerability Detail:

LinkedIn's OAuth 2.0 system is susceptible to attack. More specifically, validation of the "redirect_uri" parameter of the OAuth 2.0 authorization endpoint is insufficient: it is checked against the domain of the registered client rather than against the exact callback URL the client registered. This can be misused to mount Open Redirect attacks through LinkedIn.

It also increases the likelihood of successful Open Redirect attacks against third-party websites.

LinkedIn replied with thanks and said that they "have published a blog post on how [they] intend to address [the problem]."

Blog address:
https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls

The vulnerability occurs at the page "/uas/oauth2/authorization" with the parameter "redirect_uri", e.g.
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=5316b8f3ea22a6.60933041&redirect_uri=http%3A%2F%2Fwww.inc.com%2Flogout%3Fret%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fthatday.html [1]

When a logged-in LinkedIn user opens URL [1], he/she is asked for consent, i.e. whether to allow the third-party website to receive his/her information. If the user clicks OK, he/she is redirected to the URL given in the "redirect_uri" parameter, with the authorization code appended to its query string (response_type=code).

If the user is not logged in to LinkedIn when opening URL [1], the same happens as soon as he/she logs in.

(2.1.1) LinkedIn normally accepts any URL that belongs to the domain of an authorized third-party website, not only the callback URL that website registered. Such URLs can be manipulated: the "redirect_uri" parameter is supposed to be set by the third-party website, but an attacker who crafts the authorization link can set it to any URL on that domain, including one that itself contains an Open Redirect.

Hence a user is first redirected from LinkedIn to the vulnerable URL on the client's domain, and from there on to a malicious site, without intending to. From the user's point of view it is as if LinkedIn had redirected to the malicious site directly. Because the authorization code is attached to the "redirect_uri" as a query parameter, it is delivered to the vulnerable third-party page on the way; whether it travels on to the final destination depends on how that page performs its redirect. The number of LinkedIn OAuth 2.0 client websites is so large that such attacks could be commonplace.

LinkedIn's OAuth 2.0 system makes the redirects appear more trustworthy, since the link the victim clicks is a genuine https://www.linkedin.com URL, and so increases the likelihood of successful Open Redirect attacks against third-party websites.

At the same time, attackers never have to pass LinkedIn's own authentication: it is the victim, not the attacker, who logs in and consents, which makes the attack easier to carry out.

It would be in LinkedIn's interest to patch against such attacks.

(2.2) Use the web page "http://homehut.lofter.com/" for the following tests; suppose it is malicious.

Below is an example of a vulnerable third-party domain:
inc.com

Vulnerable URL in this domain (an Open Redirect through the "ret" parameter):
http://www.inc.com/logout?ret=http://www.tetraph.com/essayjeans/poems/thatday.html

LinkedIn authorization URL used by the inc.com client (its callback is on dev-www.inc.com):
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=53169feb993957.93834988&redirect_uri=http%3A%2F%2Fdev-www.inc.com%2Fpatch%2Freflex%2Flib%2Flinkedin%2Fstartlogin.php

POC (the same client_id, with "redirect_uri" replaced by the Open Redirect URL above):
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=5316b8f3ea22a6.60933041&redirect_uri=http%3A%2F%2Fwww.inc.com%2Flogout%3Fret%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fthatday.html

POC Video:
https://www.youtube.com/watch?v=iif6eq2cvso

Blog Detail:
http://tetraph.blogspot.com/2014/05/linkedin-oauth-20-covert-redirect.html
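The "redirect_uri" check described in (2.1.1) and exercised by the POC in (2.2), worked through in code. This is an added example, not LinkedIn's code and not the author's: it parses the POC and the inc.com authorization URL quoted above, shows that a domain-level allow-list accepts the POC while an exact match against registered callback URLs rejects it, flags the nested URL in the "ret" parameter that makes the inc.com hop an Open Redirect, and builds the callback URL on which the authorization code would be delivered. The client registry (the only callback assumed to be registered for client 773svxj8m007qf is the startlogin.php URL above) and the authorization code value are constructed assumptions, not LinkedIn's configuration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the provider's client registry (assumption, not
# LinkedIn's configuration): the only callback assumed to be registered for
# client 773svxj8m007qf is the startlogin.php URL quoted in the advisory.
REGISTERED_REDIRECTS = {
    "773svxj8m007qf": {
        "http://dev-www.inc.com/patch/reflex/lib/linkedin/startlogin.php",
    },
}

# Both authorization URLs are taken verbatim from the advisory.
LEGIT_URL = (
    "https://www.linkedin.com/uas/oauth2/authorization?response_type=code"
    "&client_id=773svxj8m007qf&state=53169feb993957.93834988"
    "&redirect_uri=http%3A%2F%2Fdev-www.inc.com%2Fpatch%2Freflex%2Flib"
    "%2Flinkedin%2Fstartlogin.php"
)
POC_URL = (
    "https://www.linkedin.com/uas/oauth2/authorization?response_type=code"
    "&client_id=773svxj8m007qf&state=5316b8f3ea22a6.60933041"
    "&redirect_uri=http%3A%2F%2Fwww.inc.com%2Flogout%3Fret%3Dhttp%3A%2F%2F"
    "www.tetraph.com%2Fessayjeans%2Fpoems%2Fthatday.html"
)


def registrable_domain(host):
    """Crude 'site' notion used by the weak check: the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])


def weak_check(client_id, redirect_uri):
    """Domain-level allow-listing, the behaviour the advisory describes:
    any URL whose host is on a domain the client registered is accepted,
    whatever its path or query string."""
    allowed = {registrable_domain(urlsplit(u).hostname)
               for u in REGISTERED_REDIRECTS.get(client_id, ())}
    host = urlsplit(redirect_uri).hostname or ""
    return registrable_domain(host) in allowed


def strict_check(client_id, redirect_uri):
    """Exact string match against the registered callback URLs, so neither
    the host, the path nor the query string may differ."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def nested_urls(redirect_uri):
    """Query parameters of redirect_uri whose values are absolute http(s) URLs:
    the signature of an Open Redirect hop chained onto the OAuth redirect."""
    query = urlsplit(redirect_uri).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                hits.append((key, value))
    return hits


def callback_url(redirect_uri, code, state):
    """Where the authorization server sends the browser after consent: RFC 6749
    section 4.1.2 appends code and state to the query component of redirect_uri."""
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode({"code": code, "state": state})


def evaluate(auth_url):
    """Parse one authorization request and report what each check decides
    and where the user would finally end up."""
    params = parse_qs(urlsplit(auth_url).query)
    client_id = params["client_id"][0]
    redirect_uri = params["redirect_uri"][0]  # parse_qs percent-decodes it
    hops = nested_urls(redirect_uri)
    return {
        "redirect_uri": redirect_uri,
        "weak_check_accepts": weak_check(client_id, redirect_uri),
        "strict_check_accepts": strict_check(client_id, redirect_uri),
        "open_redirect_target": hops[0][1] if hops else None,
    }


if __name__ == "__main__":
    for name, url in (("legitimate", LEGIT_URL), ("POC", POC_URL)):
        verdict = evaluate(url)
        print(f"{name}: {verdict}")
        if verdict["weak_check_accepts"]:
            # "AQ_example_code" is a constructed placeholder for a real code.
            state = parse_qs(urlsplit(url).query)["state"][0]
            print("  code would be delivered to:",
                  callback_url(verdict["redirect_uri"], "AQ_example_code", state))
```

Run stand-alone it prints the verdict for both URLs. Note where the code lands for the POC: on the inc.com logout URL, as a sibling of the "ret" parameter, before inc.com bounces the browser to tetraph.com. Exact matching of full registered callback URLs, not domains, is the check that closes this class of bug, because it also stops the attacker from attaching a query string of their own to the callback.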








(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It occurs when an application takes a parameter and redirects the user to the parameter's value without sufficient validation. It often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on; it is known for its impact on OAuth and OpenID. An attacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can also be combined with CSRF (Cross-site Request Forgery).

Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Related Articles:
http://tetraph.com/security/covert-redirect/linkedin-oauth-2-0-covert-redirect-vulnerability/

1 comment:

  1. http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml

    A few weeks ago, the "Heartbleed" bug in the OpenSSL website encryption tool shook the whole Internet security field. Although the vast majority of websites fixed it immediately, a new problem has now surfaced. A security researcher has found serious vulnerabilities in two login systems, and fixing them is much harder than fixing Heartbleed.

    According to CNET, Wang Jing, a PhD student at Nanyang Technological University in Singapore, discovered the "Covert Redirect" vulnerability in the open-source login tools OAuth and OpenID.

    It allows an attacker to create a pop-up login window that uses the real site's address, rather than a fake domain, to lure users into entering their personal information.

    Given that OAuth and OpenID are widely used by major companies such as Microsoft, Facebook, Google and LinkedIn, Wang said he has already reported the issue to these companies.