Wednesday 1 October 2014

Serious security flaw in OAuth, OpenID discovered

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/




Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the log-in tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.
Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability "Covert Redirect" flaw can masquerade as a log-in popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter.
For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication.
If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.
Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker's choice, which could potentially further compromise the victim.
Wang says he has already contacted Facebook and has reported the flaw, but was told that the company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."
Facebook isn't the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.




covertredirect.jpg
A sample list of websites that are affected by the Covert Redirect vulnerability. Wang Jing




Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company has published a blog on the matter. Microsoft, on the other hand, said an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.
"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks," said Wang.
"However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable," he added.
LinkedIn engineer Shikha Sehgal wrote a blog post about the creation of a whitelist for the site more than a month before Wang published his findings.
"In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014," she said.
Sehgal did not explicitly say that the measure was in response to a flaw in OAuth 2, but the social network did confirm to CNET that the vulnerability that Wang detailed is the same one that inspired the blog post.
PayPal also has addressed the flaw.
"When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability," James Barrese, PayPal's CTO, said in a blog post on Friday. PayPal declined to add details about those measures.
Jeremiah Grossman, founder and interim CEO at WhiteHat Security, a website security firm, agreed with Wang's findings after looking at the data.
"While I can't be 100 percent certain, I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX," Grossman said.
"This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."
Further corroborating Wang's findings is Chris Wysopal, CTO at programming code verification firm Veracode.
Wsyopal told CNET that it looks to be a "very real issue" and that OAuth 2.0 looks vulnerable to phishing and redirect attacks.
"Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services," he said.
Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks.
While this issue isn't as severe as Heartbleed, it's relatively easy to do so unless the flaw gets patched, which according to Wang, is quite difficult to implement due to third-party sites having "little incentive" to fix the problem. Cost is a factor, as well as the view that the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.

Update, 4:13 p.m. PT: adds statement from PayPal.
Update, 2:06 p.m. PT: adds further comment from LinkedIn.



http://www.osvdb.org/creditees/12822-wang-jing
http://tetraph.tumblr.com/



1 comment:

  1. http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml

    几周前,OpenSSL网站加密工具曝出的“Heartbleed”漏洞,已经将整个互联网安全领域震翻了一回。尽管绝大多数网站都在第一时间修复了它,但是一个新的问题又浮出了水面。一名安全研究人员发现了两款登录系统上的重大漏洞,而想要修复它们,却比Heartbleed要困难得多。

    据Cnet报道,新加坡南洋理工大学一位名叫Wang Jing的博士生,发现了OAuth和OpenID开源登录工具的“隐蔽重定向”漏洞(Covert Redirect)。

    这可导致攻击者创建一个使用真实站点地址的弹出式登录窗口——而不是使用一个假的域名——以引诱上网者输入他们的个人信息。

    鉴于OAuth和OpenID被广泛用于各大公司——如微软、Facebook、Google、以及LinkedIn——Wang表示他已经向这些公司已经了汇报。

    ReplyDelete