Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Yahoo Deal To Buy Tumblr

 

Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
yahoo.com

 

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts “more than half a billion consumers every month in more than 30 languages.” Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Yahoo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 


(2.1) Vulnerability Detail:

Yahoo’s OpenID system is susceptible to Attacks. More specifically, the authentication of parameter “&openid.return_to” in OpenID system is insufficient. It can be misused to design Open Redirect Attacks to Yahoo.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerability was reported to Yahoo. Yahoo do not reply the report for months.

 

 

The vulnerabilities occurs at page “/openid/op/auth?” with parameter “&openid.return_to”, e.g.
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry [1]

 

 

Before acceptance of third-party application:

 

When a logged-in Yahoo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&openid.return_to”.

 

If a user has not logged onto Yahoo and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in Yahoo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Yahoo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&openid.return_to” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Yahoo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Yahoo directly. The number of Yahoo’s OpenID client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Yahoo’s OpenID system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Yahoo’s authentication system and attack more easily.

 

It might be of Yahoo’s interest to patch up against such attacks.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://qianqiuxue.tumblr.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
rhogroupee.com

 

 

Vulnerable URL in this domain:
http://www.rhogroupee.com/join/context/GENERAL/redirect/http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ftree.html

 

Vulnerable URL from Yahoo that is related to rhogroupee.com:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F11%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

POC:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

 

 

(2.3) The following URLs have the same vulnerabilities.

https://open.login.yahooapis.jp/openid/op/auth?openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.aOpenIDc_handle=NzyCQVND6Ye3gpqIwY2OfibN1TEgEdBdWuFF5f7u0i7vypb6Wc24wHAU9yq38HAVL0ZLMpiYwFsXLRYkDwkrXarvXvAdUgQJG.spVXE0E3pKSlcC.fGzVxuv4Rlz97CrHA–&openid.ui.lang=&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ui.mode=popup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.realm=http%3A%2F%2Fblogos.com%2F&openid.return_to=http%3A%2F%2Fblogos.com%2Fauth%2Fopenid%2Fyahoo_jp%2Fauthorized%2F

https://login.yahoo.com/config/login?.intl=us&.src=openid&.partner=&.pd=c%3DmZmAFpe.2e7WuWzcHD2ZPYQ-%26ockey%3Dwww.rhogroupee.com%2Fsite%26op%3D1&occrumb=whzgUu25n/7&.done=https%3A%2F%2Fopen.login.yahoo.com%2Fopenid%2Fop%2Fstart%3Fz%3DxInDXI3UxbcCGVeYz0i4ughRSKZSWISpvv91_Uz_XJAiweKdA17AACUzm8IeiLbOCmUn1FcbHfhAcL5Kt66Aa9WnFGbYStqsZkoniGY5xN_EblGXfoCIwAqNMnw1ee_ycMa0xhBAHzQ22FwkhSFPRWP34tKQ_2aagPZ7pgHQyBrNb0xg8pyYTJMtsab5RY1dGP.u4EV7Ayq6Sno.XKNpJaFNyIgttiRS0rdNS7pE1U5kCxFUAPuSjC8QLmP1lTJy5Tsjk2tLkQCKftBzt7G7n0bJaLjDcOv4uEe1X1vkcOgp4lxufA0Qvt9aJnGDhcDj4MEVIfuPeuN.fhfeBgsktxsuof64h0.xrmz1Aw8qTQ57gJibGRJ291Vv_2RF79uaWXDay.DN.5A8Q9_agN6iWDRIKjb8sLKYYR42N2Fk1Nq8hbrP92rsEM0mYHlKIsDXdNlrrK8tM_Jy1E64PDIz8rllNXqlCQ.idF4p4Yi3TzIeeTdYm7gbBleqIsbcEuigfg6n_i6iGmpY%26.scrumb%3D0

 

 

POC Video:
https://www.youtube.com/watch?v=1FZ6yfsp09U

 


Blog Detail:
http://tetraph.blogspot.com/2014/05/yahoos-openid-covert-redirect.html




(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.



 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/








Related Articles:
http://tetraph.com/security/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://twitter.com/tetraphibious/status/559167044256407555
http://securityrelated.blogspot.com/2014/06/yahoo-website-bug.html
http://tetraph.blog.163.com/blog/static/234603051201444023436/
http://webtech.lofter.com/post/1cd3e0d3_706aef5
http://whitehatview.tumblr.com/post/119490381041/securitypost#notes
https://inzeed.wordpress.com/2014/05/26/yahoo-openid-hack/
http://computerobsess.blogspot.com/2014/06/yahoo-website-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://webtechwire.wordpress.com/2014/05/26/yahoo-openid-hack/

 

Advertisements

Alibaba Taobao OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

1688-taobao

 

Alibaba Taobao OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
taobao.com

 

 

“Taobao (simplified Chinese: 淘宝网; traditional Chinese: 淘寶網; pinyin: Táobǎo Wǎng; literally: “searching for treasure website”) is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group. Founded by Alibaba Group on May 10, 2003, Taobao Marketplace facilitates consumer-to-consumer (C2C) retail by providing a platform for small businesses and individual entrepreneurs to open online stores that mainly cater to consumers in Chinese-speaking regions (Mainland China, Hong Kong, Macau and Taiwan) and also abroad. With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Taobao web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

Taobao’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Taobao.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “/authorize?” with parameter “&redirect_uri”, e.g.
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html [1]

 

 

Before acceptance of third-party application:

When a logged-in Taobao user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Taobao and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

A logged-in Taobao user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Taobao would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Taobao directly. The number of Taobao’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Taobao’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Taobao’s authentication system and attack more easily.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “https://computerpitch.wordpress.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
sohu.com

 

Vulnerable URL in this domain:
http://store.tv.sohu.com/web/login.do?bru=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Vulnerable URL from Taobao that is related to sohu.com:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://sohu.com

 

POC:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

 

 

 

(2.3) The following URLs have the same vulnerabilities.
https://login.taobao.com/member/login.jhtml?sign=8uBo%2FBShyXsFVd4q%2FREkfg%3D%3D&timestamp=2014-03-19+09%3A24%3A22&sub=true&style=mini_top&need_sign=top&full_redirect=true&from=mini_top&from_encoding=utf-8&TPL_redirect_url=https%3A%2F%2Foauth.taobao.com%2Fauthorize%3Fstate%3D1%26response_type%3Dcode%26client_id%3D21112101%26redirect_uri%3Dhttp%253A%252F%252Fwww.paidai.com%252Fuser%252Foauth_taobao.php

 

 

POC Video:
https://www.youtube.com/watch?v=aZVCZK03-Rw



Blog Detail:
http://tetraph.blogspot.com/2014/05/alibaba-taobao-oauth-20-covert-redirect.html







(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/alibaba-taobao-oauth-2-0-covert-redirect
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-taobao-bug
http://computerobsess.blogspot.com/2014/05/alibaba-taobao-service-exploit.html
https://twitter.com/essayjeans/status/558976811573321728
https://webtechwire.wordpress.com/2014/06/06/taobao-vulnerability/
http://inzeed.tumblr.com/post/119493913816/securitypost-itinfotech-continuan-los
http://essayjeans.lofter.com/post/1cc7459a_7069892
http://securityrelated.blogspot.com/2014/05/alibaba-taobao-service-exploit.html
http://tetraph.blog.163.com/blog/static/2346030512014463745630/
http://diebiyi.com/articles/security/covert-redirect/alibaba-taobao-oauth-2-0
https://hackertopic.wordpress.com/2014/06/01/alibaba-taobao-bug/

 

 

 

===========

 

 


阿里巴巴 淘宝 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)




(1) 域名:

taobao.com



” 淘宝网是亚太地区较大的网络零售商圈,由阿里巴巴集团在2003年5月10日投资创立。淘宝网现在业务跨越C2C(个人对个人)、B2C(商家对个人)两 大部分。截止2014年,淘宝网注册会员超5亿人每天有超过1.2亿的活跃用户,在线商品数达到10亿件,淘宝网和天猫平台的交易额总额超过了1.5万 亿。” (百度百科)







(2) 漏洞描述:

阿里巴巴 淘宝 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。




这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。




 


(2.1) 漏洞细节:

Taobao 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Taobao 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Taobao 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info,email…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/authorize?”,参数”&redirect_uri”, e.g.
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html [1]

 

 

 

同意三方 App 前:

当一个已经登录的 Taobao 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。

 

 

如果没有登录的Taobao 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 Taobao 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 Taobao 用户没有登录,攻击依然可以在要求他登录的Taobao的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

(2.1.1) Taobao 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,Taobao 用户意识不到他会被先从 Taobao 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Taobao 直接跳转到有害网页是一样的。

 

 

因为 Taobao 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

 

在同意三方 App 之前,Taobao 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 Taobao 的 URL跳转 验证系统。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://lifegreen.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
sohu.com

 

 

这个 domain 有漏洞的 URL:
http://store.tv.sohu.com/web/login.do?bru=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

 

Taobao 与 sohu.com 有关的有漏洞的 URL:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://sohu.com

 

 

 

POC:
https://oauth.taobao.com/authorize?client_id=21263967&response_type=code&state=O2CRSF7bdf17633d9f4934bb7f4e937eef6d59&redirect_uri=http://store.tv.sohu.com/web/login.do%3Fbru%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 



(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向也可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。







Netease OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Screenshot from 2015-06-28 13:46:06

 

Netease OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
163.com

 

 

“NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Netease web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

 

 

 

 

(2.1) Vulnerability Detail:

163’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to 163.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

Before acceptance of third-party application:

When a logged-in 163 user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto 163 and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

A logged-in 163 user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) 163 would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks. 

 

Hence, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from 163 directly. The number of 163’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

More seriously, some third-party websites may allow all URLs (even not belong to themselves) for “&redirect_uri” parameter.

 

Before acceptance of the third-party application, 163’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass 163’s authentication system and attack more easily.

 

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://mathpost.tumblr.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
yhd.com

 

POC Video:
https://www.youtube.com/watch?v=0KF65swbl8A

 


Blog Detail:
http://tetraph.blogspot.com/2014/05/163s-oauth-20-covert-redirect-system.html







(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. 



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. 
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/163s-oauth-2-0-covert-redirect
https://twitter.com/buttercarrot/status/558906604641198081
https://itinfotechnology.wordpress.com/2014/06/02/netease-system-bug/
http://germancast.blogspot.com/2014/06/netease-hacking.html
http://essaybeans.lofter.com/post/1cc77d20_706b68a
http://diebiyi.com/articles/security/covert-redirect/163s-oauth-2-0-covert-redirect
http://lifegrey.tumblr.com/post/120698901934/whitehatview-internet-users-threatened
http://securityrelated.blogspot.com/2014/07/netease-web-service-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/163s-oauth-2-0-covert-redirect
http://tetraph.blog.163.com/blog/static/23460305120144715554901/
https://inzeed.wordpress.com/2014/06/08/netease-163-bug/

 



=============










网易 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向) 





(1) 域名:
163.com


” 网易 (NASDAQ: NTES)是中国领先的互联网技术公司,利用最先进的互联网技术,加强人与人之间信息的交流和共享,实现“网聚人的力量”。创始人兼CEO是丁磊。 在开 发互联网应用、服务及其它技术方面,网易始终保持业界的领先地位,并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量 免费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务,还通过自主研发推出了一款率先取得白金地位 的国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。” (百度百科)







(2) 漏洞描述:

 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。



这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。





(2.1) 漏洞细节:

163 的 OAuth 2.0 系统可能遭到攻击。更确切地说, 163 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 163 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info,email…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “oauth2/authorize.do?”,参数”&redirect_uri”, e.g.
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=http%3A%2F%2Fweibo.yihaodian.com%2Fweibo%2FunionLoginAction.action%3Fstate%3Dtophttps%3A%2F%2Ftetraph.com&response_type=code&state=06c7f1548bedaf6a8e19cec28d9435c8 [1]

 

 

 

同意三方 App 前:

当一个已经登录的 163 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。

 

 

如果没有登录的 163 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 163 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 163 用户没有登录,攻击依然可以在要求他登录的163的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

(2.1.1) 163 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,163 用户意识不到他会被先从 163 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。

 

 

因为 163 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

 

更严重的是,有的 App 允许参数”&redirect_uri” 设置为任意 URL (不仅是属于这个 App domain 的 URL)。这样就可已从163 直接跳转,但是这种情况下,返回的 URL 里不包含敏感信息。

 

 

在同意三方 App 之前,163 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 163 的 URL跳转 验证系统。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://lifegreen.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code(两次跳转才有敏感信息,&redirect_uri 直接跳转没有)。

 

 

下面是一个有漏洞的三方 domain:
yhd.com

 

 

163 与 yhd.com 有关的有漏洞的 URL:
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=https%3A%2F%2Fpassport.yhd.com%2Fnetease%2Fcallback.do&response_type=code&state=1dca59aafb0ccfd17accfe22436eb813

 

 

POC:
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E6%258B%25BE%25E7%25A7%258B.html

 

 

 

POC 视频:
https://www.youtube.com/watch?v=0KF65swbl8A

 


博客细节:
http://tetraph.blogspot.com/2014/05/163s-oauth-20-covert-redirect-system.html

 

 




(3) 什么是隐蔽重定向? 

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。







Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

china

Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
weibo.com

“Sina Weibo (NASDAQ: WB) is a Chinese microblogging (weibo) website. Akin to a hybrid of Twitter and Facebook, it is one of the most popular sites in China, in use by well over 30% of Internet users, with a market penetration similar to the United States’ Twitter. It was launched by SINA Corporation on 14 August 2009, and has 503 million registered users as of December 2012. About 100 million messages are posted each day on Sina Weibo. In March 2014, Sina Corporation announced a spinoff of Weibo as a separate entity and filed an IPO under the symbol WB. Sina retains 56.9% ownership in Weibo. The company began trading publicly on April 17, 2014. “Weibo” (微博) is the Chinese word for “microblog”. Sina Weibo launched its new domain name weibo.com on 7 April 2011, deactivating and redirecting from the old domain, t.sina.com.cn to the new one. Due to its popularity, the media sometimes directly uses “Weibo” to refer to Sina Weibo. However, there are other Chinese microblogging/weibo services including Tencent Weibo, Sohu Weibo and NetEase Weibo.” (Wikipedia)

(2) Vulnerability Description:

Weibo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) Vulnerability Detail:

Weibo’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Weibo.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “oauth2/authorize?” with parameter “&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

Before acceptance of third-party application:

When a logged-in Weibo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Weibo and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

A logged-in Weibo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

(2.1.1) Weibo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Weibo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Weibo directly. The number of Weibo’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Weibo’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Weibo’s authentication system and attack more easily.

 

Used one of webpages for the following tests. The webpage is “https://biyiniao.wordpress.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 

Vulnerable URL in this domain:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Vulnerable URL from Weibo that is related to cjcp.com.cn:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 

(2.2) Another method for attackers.


Attackers enter the following URL in browser,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Then, attackers can get URL below,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

If users click URL [3], the same thing will happen as URL [2].

 

 

 

POC Video:
https://www.youtube.com/watch?v=eKozHxrk4js

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

Related Articles:
http://diebiyi.com/articles/security/covert-redirect/sinas-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://tetraph.com/security/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://redysnowfox.wordpress.com/2014/08/02/sina-exploit/
http://qianqiuxue.tumblr.com/post/118901060925/itinfotech-covert#notes
http://webtechhut.blogspot.com/2014/07/sina-bug.html
https://twitter.com/yangziyou/status/614745661704015873
http://tetraph.blog.163.com/blog/static/2346030512014463356551/
http://biboying.lofter.com/post/1cc9f4f5_706b6c3
http://frenchairing.blogspot.fr/2014/07/sina-hacking.html
http://www.inzeed.com/kaleidoscope/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://biyiniao.wordpress.com/2014/06/07/sina-research/

==========

 

新浪 微博 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
weibo.com

” 新浪微博是一个由新浪网推出,提供微型博客服务类的社交网站。用户可以通过网页、WAP页面、手机客户端、手机短信、彩信发布消息或上传图片。新浪可以把 微博理解为“微型博客”或者“一句话博客”。用户可以将看到的、听到的、想到的事情写成一句话,或发一张图片,通过电脑或者手机随时随地分享给朋友,一起 分享、讨论;还可以关注朋友,即时看到朋友们发布的信息” (百度百科)

 

 

(2) 漏洞描述:

新浪 微博 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。


(2.1) 漏洞细节:
Weibo 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Weibo 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Weibo 的 URL跳转 攻击。

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info%2Cadd_share…

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

漏洞地点 “oauth2/authorize?”,参数”&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

同意三方 App 前:

当一个已经登录的 Weibo 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。


如果没有登录的 Weibo 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

同意三方 App 后:

已经登录的 Weibo 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Weibo 用户没有登录,攻击依然可以在要求他登录的Weibo的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 


(2.1.1) Weibo 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

因此,Weibo 用户意识不到他会被先从 Weibo 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Weibo 直接跳转到有害网页是一样的。

 

因为 Weibo 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Weibo 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

同意三方 App 后, 攻击者可以完全绕过 Weibo 的 URL跳转 验证系统。

 

用了一个页面进行了测试, 页面是 “http://tetraphlike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=Weibo&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

Weibo 与 cjcp.com.cn 有关的有漏洞的 URL:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 



(2.2) 攻击的另一个方法.


攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

然后,攻击者可以得到 URL,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

如果用户点击 URL [3], 发生的事情和 URL [2] 一样.

 




(2.3)下面的 URLs 有同样的漏洞.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code

 

POC 视频:
https://www.youtube.com/watch?v=eKozHxrk4js

 

博客细节:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

 

 

 

 



Alibaba Alipay Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Alipay-Wallet-Reaches-190-Mn-Annual-Active-Users

 

Alibaba Alipay Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
alipay.com

 

“Alipay.com is a third-party online payment platform with no transaction fees. It was launched in China in 2004 by Alibaba Group and its founder Jack Ma. According to analyst research report, Alipay has the biggest market share in China with 300 million users and control of just under half of China’s online payment market in February 2014. According to Credit Suisse, the total value of online transactions in China grew from an insignificant size in 2008 to around RMB 4 trillion (US$660 billion) in 2012. Alipay provides an escrow service, in which consumers can verify whether they are happy with goods they have bought before releasing money to the seller. This service was offered for what the company says are China’s weak consumer protection laws, which have reduced consumer confidence in C2C and even B2C quality control.” (Wikipedia)

 

 

 

(2) Vulnerability Description:

Alipay web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 
 


(2.1) Vulnerability Detail:

Alipay’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&goto” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Alipay.

 

At the same time, it can be used to collect sensitive information of both third-party app and users (sensitive information is contained in HTTP header.).

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 
 
 
 

Before acceptance of third-party application:

When a logged-in Alipay user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&goto”.

 

If a user has not logged onto Alipay and clicks the URL ([1]) above, the same situation will happen upon login.

 
 

After acceptance of third-party application:

A logged-in Alipay user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 
 
 

 

(2.1.1) Before acceptance of the third-party application, Alipay’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Alipay’s authentication system and attack more easily.

 
 

Used one of  webpages for the following tests. The webpage is “http://lifegreen.lofter.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 
 
 

If users click URL [2], attacks happen.

 
 
 




POC Video:
https://www.youtube.com/watch?v=lhqwC9RQl44


Blog Detail:
http://tetraph.blogspot.com/2014/05/alibaba-alipays-oauth-20-covert.html






 

(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.

 
 
 
 



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. 
(@justqdjing)
http://tetraph.com/wangjing/










Related Articles:
http://tetraph.com/security/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://securityrelated.blogspot.com/2014/07/alibaba-alipay-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_72e71f9
https://vulnerabilitypost.wordpress.com/2014/06/02/alibaba-alipay-exploit/
https://twitter.com/yangziyou/status/614368472705818624
blog.163.com/tetraph/blog/static/2346030512014471384217
http://whitehatview.tumblr.com/post/119488487851/securitypost-itinfotech-falha-de-seguranca#notes
http://computerobsess.blogspot.com/2014/07/alibaba-alipay-bug.html
https://computertechhut.wordpress.com/2014/06/06/alibaba-alipay-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/

 

 

 


=============

 

阿里巴巴 支付宝 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向) 





(1) 域名:
alipay.com


” 支付宝(中国)网络技术有限公司是国内领先的第三方支付平台,致力于提供“简单、安全、快速”的支付解决方案。支付宝公司从2004年建立开始,始终以 “信任”作为产品和服务的核心。旗下有“支付宝”与“支付宝钱包”两个独立品牌。自2014年第二季度开始成为当前全球最大的移动支付厂商。支付宝主要提 供支付及理财服务。包括网购担保交易、网络支付、转账、信用卡还款、手机充值、水电煤缴费、个人理财等多个领域。在进入移动支付领域后,为零售百货、电影 院线、连锁商超和出租车等多个行业提供服务。还推出了余额宝等理财服务。支付宝与国内外180多家银行以及VISA、MasterCard国际组织等机构 建立战略合作关系,成为金融机构在电子支付领域最为信任的合作伙伴。” (百度百科)







(2) 漏洞描述:

阿里巴巴 支付宝网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。



这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

 

 

(2.1) 漏洞细节:

Alipay 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Alipay 对 OAuth 2.0 系统的 parameter “&goto“ 验证不够充分。可以用来构造对 Alipay 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里), 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

漏洞地点 “login/express.htm?”,参数”&goto”, e.g.

https://auth.alipay.com/login/express.htm?goto=https%3A%2F%2Fmemberexprod.alipay.com%2Fauthorize%2FuserAuthQuickLoginAction.htm%3Fe_i_i_d%3D41da904223e68d291bfb0eecbff264e1 [1]

 

同意三方 App 前:

 

当一个已经登录的 Alipay 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&goto” 的 URL。

 

如果没有登录的Alipay 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

同意三方 App 后:

 

已经登录的 Alipay 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Alipay 用户没有登录,攻击依然可以在要求他登录的Alipay的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)

 

 

 

(2.1.1) 因为 Alipay 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Alipay 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

同意三方 App 后, 攻击者可以完全绕过 Alipay 的 URL跳转 验证系统。

 

用了一个页面进行了测试, 页面是 “http://canghaixiao.tumblr.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=pay&a=login&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Foutings%2F%25E5%2590%25AC%25E6%25B5%25B7.html

 

攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=pay&a=login&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Foutings%2F%25E5%2590%25AC%25E6%25B5%25B7.html

 

 

然后,攻击者可以得到 URL,

https://auth.alipay.com/login/express.htm?goto=https%3A%2F%2Fmemberexprod.alipay.com%2Fauthorize%2FuserAuthQuickLoginAction.htm%3Fe_i_i_d%3D41da904223e68d291bfb0eecbff264e1 [2]

 

如果用户点击 URL [2], 攻击发生。

 


POC 视频:
https://www.youtube.com/watch?v=lhqwC9RQl44

 

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/alibaba-alipays-oauth-20-covert.html

 

 





(3) 什么是隐蔽重定向? 

 

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567;  Bugtraq ID 是 67196;  X-Force ID 是 93031。

 
 
 





 

相关文章:
http://tetraph.com/security/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://securityrelated.blogspot.com/2014/07/alibaba-alipay-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_72e71f9
https://vulnerabilitypost.wordpress.com/2014/06/02/alibaba-alipay-exploit/
https://twitter.com/yangziyou/status/614368472705818624
blog.163.com/tetraph/blog/static/2346030512014471384217
http://whitehatview.tumblr.com/post/119488487851/securitypost-itinfotech-falha-de-seguranca#notes
http://computerobsess.blogspot.com/2014/07/alibaba-alipay-bug.html
https://computertechhut.wordpress.com/2014/06/06/alibaba-alipay-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/

 

互聯網登錄系統曝出重大漏洞 – Covert Redirect

Algerian-hacker
 

繼OpenSSL漏洞後,開源安全軟件再曝安全漏洞。新加坡南洋理工大學研究人員,物理和數學科學學院博士生王晶 (Wang Jing) 發現,OAuth 2.0, OpenID 授權接口的網站存隱蔽重定向漏洞、英文名為“Covert Redirect”。

 

攻擊者創建壹個使用真實站點地址的彈出式登錄窗口——而不是使用壹個假的域名——以引誘上網者輸入他們的個人信息。

 

黑客可利用該漏洞給釣魚網站“變裝”,用知名大型網站鏈接引誘用護登錄釣魚網站,壹旦用護訪問釣魚網站並成功登六授權,黑客即可讀取其在網站上存儲的私密信息。

 

騰訊,阿裏巴巴,QQ、新浪微博、淘寶網,支付寶,網易,PayPal, eBay, Amazon, Facebook、Google, LinkedIn, Yahoo, VK.com, Microsoft, Mail.ru, Github, WordPress 等國內外大量知名網站受影響。

 

鑒於OAuth和OpenID被廣泛用於各大公司——如微軟、Facebook、Google、以及 LinkedIn——Wang表示他已經向這些公司已經了匯報。Wang聲稱,微軟已經給出了答復,調查並證實該問題出在第三方系統,而不是該公司的自 有 站點。Facebook也表示,“短期內仍無法完成完成這兩個問題的修復工作,只得迫使每個應用程序平臺采用白名單”。至於Google,預計該公司 會追 蹤OpenID的問題;而LinkedIn則聲稱它將很快在博客中說明這壹問題。

 

OAuth 是壹個被廣泛應用的開放登六協議,允許用護讓第三方應用訪問該用護在某壹網站上存儲的私密的信息(如照片,視頻,聯系人列表),而無需將用護名和密碼提供給第三方應用。這次曝出的漏洞,可將Oauth2.0的使用方(第三方網站)的回跳域名劫持到惡意網站去,黑客利用XSS漏洞攻擊就能隨意操作被授權的帳號,讀取用護的隱私信息。像騰訊、新浪微博等社交網站壹般對登六回調地址沒有任何限制,極易遭黑客利用。

 

 

 

相關資料,
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
http://tech.firstpost.com/news-analysis/after-heartbleed-major-covert-redirect-flaw-threatens-oauth-openid-and-the-internet-222945.html
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html
http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html
http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html
http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html
http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html
http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/
http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/
http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/
http://network.pconline.com.cn/471/4713896.html
http://media.sohu.com/20140504/n399096249.shtml/
http://it.people.com.cn/n/2014/0504/c1009-24969253.html
http://www.cnbeta.com/articles/288503.htm
http://www.inzeed.com/kaleidoscope/computer-security/oauth-2-0-and-openid-covert-redirect/
http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_
http://itinfotech.tumblr.com/post/118850342491/covert-redirect
http://tetraph.com/covert_redirect/
http://ittechnology.lofter.com/post/1cfbf60d_6f09f58
https://zh.wikipedia.org/wiki/%E9%9A%B1%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.csdn.net/article/2014-05-04/2819588