Covert Redirect: http://tetraph.com/covert_redirect/
A serious Covert Redirect ( http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html ) vulnerability related to OAuth 2.0 and OpenID was found.
Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu. 163, Alipay, Alibaba, Sina etc. I will introduce them one by one in my later posts.
The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.
For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.
For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.
Who should be responsible for the vulnerability?
The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.
In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.
As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.
How to patch the vulnerability?
The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.
An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.
I found this vulnerability at the beginning of February and I have reported it to related companies.
Facebook said “Short of forcing every single application on the platform to use a whitelist, which isn’t something that can be accomplished in the short term, do you have any recommendations on actions we can take here?”
In my reply, I suggested “For any URL, it has a particular value “&h”. If the URL is changed. there is no permission any more. That means the modified URL will not get any “&h”. Because it is illegal.”
Facebook agreed. “As you mentioned, that’s how our Linkshim system works. As I said, that doesn’t seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users.”
Google said “[they] are aware of the problem and are tracking it at the moment.”
LinkedIn “[has] published a blog post on how [they] intend to address [the problem].”
( Blog address: https://developer.linkedin.com/blog/r… )
Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third-party, different from the one reported by me (login.live.com). They recommended me to report the issue to the third-party instead.
Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation as soon as possible.
Taobao closed my report without providing a reason.
Yahoo did not reply me months after my report.
I did not report to VK, Mail.Ru and the others because I do not know the contact of their security teams.