OAuth and OpenID login tools have large security defect.

By on May 3, 2014 8:27:14 AM from JoeUser Forums JoeUser Forums


Join Date 04/2002


We were all pretty frightened by the ‘Heartbleed’ exploit.

This may be worse, because there’s no ‘easy fix’ to the “Covert Redirect” vulnerability in both the open source login systems to steal your data and redirect you to unsafe sites. Read about this one on Neowin, then went to the original source at c|net.

Beware of links that ask you to login through Facebook. The OAuth 2.0 and OpenID modules ate vulnerable.

These modules are used by many websites including Google, Facebook, Microsoft and LinkedIn…among many others.

“For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication.

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker's choice, which could potentially further compromise the victim.” – c|net

It’s even worse when sites notified of the vulnerability answer thusly:

“Wang says he has already contacted Facebook and has reported the flaw, but was told that the company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term." – ibid

Here’s a list (partial) of affected sites from c|net:

Google: “The problem is being tracked.” MS said, “…an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.”

The researcher who found this vulnerability said, “Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,". At least LinedIn requested a list or redirect urls from the app makers.

At least PayPal took this seriously:

"When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability," James Barrese, PayPal's CTO, said in a blog post on Friday. PayPal declined to add details about those measures.” – ibid

WhiteHat security and Veracode have verified the vulnerability.

“Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks.”



Locked Post 2 Replies
Search this post
Subscription Options

Reason for Karma (Optional)
Successfully updated karma reason!
May 3, 2014 8:31:17 AM from WinCustomize Forums WinCustomize Forums

Now I'm wondering what's next. This is some crazy s**t!

Reason for Karma (Optional)
Successfully updated karma reason!
May 6, 2014 7:53:31 PM from Elemental Forums Elemental Forums

Just connecting to the web is perilous!

Reason for Karma (Optional)
Successfully updated karma reason!
Stardock Forums v1.0.0.0    #101114  walnut1   Server Load Time: 00:00:00.0000078   Page Render Time:

Home | About | Privacy | Upload Guidelines | Terms of Service | Help
WinCustomize © 2016 Stardock Corporation. All Rights Reserved.