Friday, 20 June 2014

开心网 (kaixin001.com) 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)


















开心网 (kaixin001.com) 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向) 




(1) 域名:kaixin001.com


” 开心网由北京开心人信息技术有限公司创办于2008年3月,是国内第一家以办公室白领用户群体为主的社交网站。开心网为广大用户提供包括日记、相册、动态 记录、转帖、社交游戏在内的丰富易用的社交工具,使其与家人、朋友、同学、同事在轻松互动中保持更加紧密的联系。截至2012年4月底,网站注册用户已突 破1.3亿,已发展成为中国最领先和最具影响力的实名化社交网站。” (百度百科)








(2) 漏洞描述:
开心网网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。


这个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。
 
 
 
 

(2.1) 漏洞细节:
Kaixin 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Kaixin 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Kaixin 的 URL跳转 攻击。

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),
“&response_type”=sensitive_info,token,code…
“&scope”=get_user_info,email…

它也增加了对第三方网站 URL跳转 攻击的成功率。




同意三方 App 前:
当一个已经登录的 Kaixin 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。
如果没有登录的Kaixin 用户点击 URL ([1]), 他登录后会发生同样的事情。


同意三方 App 后:
已经登录的 Kaixin 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

如果 Kaixin 用户没有登录,攻击依然可以在要求他登录的Kaixin的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。



(2.1.1) Kaixin 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

因此,Kaixin 用户意识不到他会被先从 Kaixin 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Kaixin 直接跳转到有害网页是一样的。

因为 Kaixin 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

在同意三方 App 之前,Kaixin 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。
同意三方 App 后, 攻击者可以完全绕过 Kaixin 的 URL跳转 验证系统。



(2.2) 用了一个页面进行了测试, 页面是 “https://redysnowfox.wordpress.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

下面是一个有漏洞的三方 domain:
sohu.com













(3) 什么是隐蔽重定向? 
 
隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。
 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567;  Bugtraq ID 是 67196;  X-Force ID 是 93031。
 
 
 












========




Kaixin Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)


(1) Domain:kaixin.com

“Kaixin001 (Chinese: 开心网; pinyin: Kāixīnwǎng; literally: “Happy Net”) is a leading social networking website launched in March 2008. In 2010, Kaixin001 ranks as the 13th most popular website in China and 67th overall according to Alexa Internet. On 20 May 2009, Kaixin001 formally sued Qianxiang Group for unfair competition. Qianxiang Group runs one of China’s popular social networks Renren. It purchased the kaixin.com domain and launched a Kaixin001 clone. This enables Renren to confuse users and attract some Kaixin001 potential users to the Kaixin.com clone. In October 2011, Kaixin001 won a victory. The Beijing Second Intermediate People’s Court ordered Oak Pacific to cease all use of kaixin.com and pay 400,000 renminbi ($60,000) in damages. The other main competition for Kaixin001 is Weibo.com, which is like a hybrid of Twitter and Facebook. Weibo.com has 140 million users and is owned by Sina.com.” (Wikipedia)




(2) Vulnerability Description:
Kaixin web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 
 
 


(2.1) Vulnerability Detail:
Kaixin’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Kaixin.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…
“&scope”=get_user_info%2Cadd_share…


It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.



Before acceptance of third-party application:
When a logged-in user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

If a user has not logged onto Kaixin and clicks the URL ([1]) above, the same situation will happen upon login.


After acceptance of third-party application:
A logged-in user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.



(2.1.1) Kaixin would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

Hence, a user could be redirected from Kaixin to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Kaixin directly. The number of Kaixin’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, Kaixin’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Kaixin’s authentication system and attack more easily.



 
(2.2) One of webpages was used for the following tests. The webpage is “http://mathpost.tumblr.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:
sohu.com














(3) What is Covert Redirect? 
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 
Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.
 
 
 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/










No comments:

Post a Comment