Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
A serious Covert Redirect
vulnerability related to OAuth 2.0 and OpenID has been found. Almost
all major providers of OAuth 2.0 and OpenID are affected, such as
Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ,
Taobao, Weibo, VK, Mail.Ru, Sohu, etc.
It could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.
For OAuth 2.0, these attacks
might jeopardize “the token” of the site users, which could be used to
access user information. In the case of Facebook, the information could
include the basic ones, such as email address, age, locale, work
history, etc. If “the token” has greater privilege (the user needs to
consent in the first place though), the attacker could obtain more
sensitive information, such as mailbox, friends list and online
presence, and even operate the account on the user's behalf.
For OpenID, the attackers may
get user's information directly. Compounded by the large number of
companies involved, this vulnerability could lead to huge consequences
if left unresolved.
More Details:
| Blog | Youtube |
Q&A
Why is it a serious vulnerability?
▪ It enables Open Redirect Attacks
▪ It could lead to sensitive information leakage
▪ It has wide coverage: most of the major internet companies that provide authentication/authorization services
▪ It is difficult to patch
▪ It could lead to sensitive information leakage
▪ It has wide coverage: most of the major internet companies that provide authentication/authorization services
▪ It is difficult to patch
How widespread is the vulnerability?
Almost all major OAuth 2.0 and OpenID providers are affected.
Almost all major OAuth 2.0 and OpenID providers are affected.
List of affected major OAuth 2.0 and OpenID providers:
| Website | Company | Blog Detail | POC Video |
| facebook.com | Blog | Youtube | |
| google.com | Blog | Youtube | |
| linkedin.com | Blog | Youtube | |
| yahoo.com | Yahoo | Blog | Youtube |
| live.com | Microsoft | Blog | Youtube |
| vk.com | VK | Blog | Youtube |
| qq.com | Tencent | Blog | Youtube |
| weibo.com | Sina | Blog | Youtube |
| paypal.com | PayPal | Blog | Youtube |
| mail.ru | Mail.Ru | Blog | Youtube |
| taobao.com | Alibaba | Blog | Youtube |
| sina.com.cn | Sina | Blog | Youtube |
| sohu.com | Sohu | Blog | Youtube |
| 163.com | 163 | Blog | Youtube |
| github.com | GitHub | Blog | Youtube |
| alipay.com | Alibaba | Blog | Youtube |
| ... | ... | ... | ... |
★ Website ranking is based on Alexa.
Who should be responsible for the vulnerability?
The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.
In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.
As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one's own site without paying attention to that of its neighbours.
The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.
In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.
As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one's own site without paying attention to that of its neighbours.
How to patch the vulnerability?
The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.
An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.
The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.
An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.
What is the meaning of the logo?
The logo depicts the three parties involved in the attack: the provider (top-left), the third-party application used by the client (bottom) and the attacker (top-right).
Due to the loophole in the third-party application, the attacker is able to attack the provider through the application. The client therefore acts as a bridge between the provider and the attacker, albeit unintentionally. The attack could be seen as a redirect from the client but it is preceded or masked by a redirect from the provider to the client.
The logo depicts the three parties involved in the attack: the provider (top-left), the third-party application used by the client (bottom) and the attacker (top-right).
Due to the loophole in the third-party application, the attacker is able to attack the provider through the application. The client therefore acts as a bridge between the provider and the attacker, albeit unintentionally. The attack could be seen as a redirect from the client but it is preceded or masked by a redirect from the provider to the client.
Why it is called Covert Redirect Vulnerability?
A Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation.
The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.
On the other hand, the Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners. The provider relies on the clients to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.
A Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation.
The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.
On the other hand, the Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners. The provider relies on the clients to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.
Who found the vulnerability?
The vulnrability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.
The vulnrability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.
No comments:
Post a Comment