tag:blogger.com,1999:blog-7296557409688326452.post3832291780460998283..comments2023-09-28T04:35:57.294-07:00Comments on Daily Life - Something Trivial , Something Small : Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)essayjeanshttp://www.blogger.com/profile/11019920613685827608noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-7296557409688326452.post-74665998143765318922016-09-08T01:53:39.247-07:002016-09-08T01:53:39.247-07:00Since the Yahoo administration was begun, it has e...Since the Yahoo administration was begun, it has experienced large portions of alterations to propel the value of administration to their clients. At whatever point Yahoo does these strategy updates, they will need to until further notice deny section to their administrations. <a href="http://annaduncan.livejournal.com/1079.html" rel="nofollow">http://annaduncan.livejournal.com/1079.html</a>Marryhttps://www.blogger.com/profile/00280876054880607665noreply@blogger.comtag:blogger.com,1999:blog-7296557409688326452.post-29772371800362674342014-10-03T05:41:40.896-07:002014-10-03T05:41:40.896-07:00http://news.ccidnet.com/art/1032/20140504/5447527_...http://news.ccidnet.com/art/1032/20140504/5447527_1.html<br /><br />今晨,继OpenSSL漏洞后,开源安全软件再曝安全漏洞。新加坡南洋理工大学研究人员Wang Jing发现,Oauth2.0授权接口的网站存“隐蔽重定向”漏洞,黑客可利用该漏洞给钓鱼网站“变装”,用知名大型网站链接引诱用户登录钓鱼网站,一 旦用户访问钓鱼网站并成功登陆授权,黑客即可读取其在网站上存储的私密信息。据悉,腾讯QQ、新浪微博、Facebook、Google等国内外大量知名 网站受影响,360网络攻防实验室已紧急公布了修复方案,企业和个人用户均可通过360安全卫士防范该漏洞攻击。<br /><br />Oauth是一个被广泛应用的开放登陆协议,允许用户让第三方应用访问该用户在某一网站 上存储的私密的信息(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用。这次曝出的漏洞,可将Oauth2.0的使用方(第三方网站) 的回跳域名劫持到恶意网站去,黑客利用XSS漏洞攻击就能随意操作被授权的账号,读取用户的隐私信息。像腾讯、新浪微博等社交网站一般对登陆回调地址没有 任何限制,极易遭黑客利用。 Anonymoushttps://www.blogger.com/profile/04711374055063504976noreply@blogger.comtag:blogger.com,1999:blog-7296557409688326452.post-12758864394247294332014-05-04T18:05:22.481-07:002014-05-04T18:05:22.481-07:00Hey Bradley,
Thanks for your interest. I am very ...Hey Bradley,<br /><br />Thanks for your interest. I am very glad that you shared it.<br /><br />More Detail:<br />http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html<br />http://tetraph.com/covert_redirect/essayjeanshttps://www.blogger.com/profile/11019920613685827608noreply@blogger.comtag:blogger.com,1999:blog-7296557409688326452.post-14965849124321311912014-05-04T18:04:07.331-07:002014-05-04T18:04:07.331-07:00This comment has been removed by the author.essayjeanshttps://www.blogger.com/profile/11019920613685827608noreply@blogger.comtag:blogger.com,1999:blog-7296557409688326452.post-48664781471968038172014-05-04T09:13:01.890-07:002014-05-04T09:13:01.890-07:00Thank you Wang for the vuln report and hard work. ...Thank you Wang for the vuln report and hard work. You have done us all a great service but as you say there ay not much that can be done at this time. By the way I have shared this with many of the people who follow my blog:)Anonymoushttps://www.blogger.com/profile/03817529429642793103noreply@blogger.com