Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

 

A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

 

It could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID. 

 

For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf. 

 

For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved. 

 

 

More Details:
Blog Youtube
Q&A

Why is it a serious vulnerability?

▪ It enables Open Redirect Attacks
▪ It could lead to sensitive information leakage
▪ It has wide coverage: most of the major internet companies that provide authentication/authorization services
▪ It is difficult to patch

 

How widespread is the vulnerability?

Almost all major OAuth 2.0 and OpenID providers are affected.

List of affected major OAuth 2.0 and OpenID providers:
Website Company Blog Detail POC Video
facebook.com Facebook Blog Youtube
google.com Google Blog Youtube
linkedin.com LinkedIn Blog Youtube
yahoo.com Yahoo Blog Youtube
live.com Microsoft Blog Youtube
vk.com VK Blog Youtube
qq.com Tencent Blog Youtube
weibo.com Sina Blog Youtube
paypal.com PayPal Blog Youtube
mail.ru Mail.Ru Blog Youtube
taobao.com Alibaba Blog Youtube
sina.com.cn Sina Blog Youtube
sohu.com Sohu Blog Youtube
163.com 163 Blog Youtube
github.com GitHub Blog Youtube
alipay.com Alibaba Blog Youtube
★ Website ranking is based on Alexa.

 

Who should be responsible for the vulnerability?

The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.

In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.

As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.

 

 

How to patch the vulnerability?

The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.

An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.

 

 

What is the meaning of the logo?

The logo depicts the three parties involved in the attack: the provider (top-left), the third-party application used by the client (bottom) and the attacker (top-right).

Due to the loophole in the third-party application, the attacker is able to attack the provider through the application. The client therefore acts as a bridge between the provider and the attacker, albeit unintentionally. The attack could be seen as a redirect from the client but it is preceded or masked by a redirect from the provider to the client.

 

 

Why it is called Covert Redirect Vulnerability?

A Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation.

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.

On the other hand, the Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners. The provider relies on the clients to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.

 

 

Who found the vulnerability?

The vulnrability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.

Covert Redirect Vulnerability

Covert Redirect Vulnerability

Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the of result of a website’s overconfidence in its partners. In another word, the Covert Redirect vulnerability exists because there is not sufficient validation of the redirected URLs that belong to the domain of the partners.

Two main validation methods that would lead to Covert Redirect Vulnerability:
(1) Validation using a matched domain-token pair
(2) Validation using a whitelist

Q&A

Why is it called Covert Redirect Vulnerability?

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.

A Covert Redirect resembles an Open Redirect however it is preceded by a normal redirect from the Website to a partner that is exposed to Open Redirect attacks. Covert Redirect vulnerability exists because of the Website’s overconfidence in its partners, consequently giving leeway to the attackers. The Website relies on its partners to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.

What is Covert Redirect based on validation using a matched domain-token pair?

The Website checks the domain name against the token (assigned to the partner as a means for verification) in the redirected URL. If the pair is on the approved list in its database, the Website would allow the redirection. However, if the URL belongs to a domain that has Open Redirect vulnerability, users could be redirected from the Website to the vulnerable site and then to a malicious site.

Some Examples,

Website Company Blog Detail POC Video
amazon.com Amazon Blog Youtube
nytimes.com NYTimes Blog Youtube

What is Covert Redirect based on validation using a whitelist?

The Website preserves a whitelist of domains to which they allow redirection. The whitelist usually comprises of well-known web giants, e.g. Google, Facebook and LinkedIn.

Before a user is redirected out of the Website, it will check whether the redirected URL belongs to the domains on its whitelist. If it does, the Website will authorize the redirection. However, if the URL belongs to a domain that has Open Redirect vulnerability, then the user could be redirected from the Website to the vulnerable site and then to a malicious site.

Some Examples,

Website Company Blog Detail POC Video
ebay.com eBay Blog Youtube
wordpress.com WordPress Blog Youtube
odnoklassniki.ru Odnoklassniki.ru Blog Youtube
godaddy.com GoDaddy Blog Youtube
youku.com Youku Blog Youtube

The validation system related to OAuth 2.0 and OpenID could be viewed as using a semi-whitelist. The list is not specified by the Website (provider) but rather by the partners (clients).
OAuth 2.0 and OpenID Covert Redirect

Who should be responsible for the vulnerability?

The vulnerability is in general due to the existing weakness in the partner websites; therefore, the Website might not feel it is responsible to patch up the vulnerability. To the partners, they may be unaware of the vulnerability or do not bother to fix it. In my view, the Website should be responsible for the vulnerability because attacks are mainly targeted at them.

How widespread is the vulnerability?

Its sphere of influence is almost as wide as that of Open Redirect vulnerability.

Why is it a serious vulnerability?

▪ Enable Open Redirect Attacks
▪ Wide coverage (It could potentially affect as many websites as Open Redirect could do)
▪ Possibility of sensitive information leakage (such as Covert Redirect vulnerability related to OAuth 2.0 and OpenID)

How to patch the vulnerability?

The Website(s) need to carry out sufficient verification of the URLs for redirection.

What is the meaning of the logo?

The logo depicts the three parties involved in the attack: the website of interest (“the Website” hereafter; top-left), the partner (bottom) and the attacker (top-right).

Due to the loophole in the partnership, the attacker is able to attack the Website through the link between them. The partner therefore acts as a bridge between the Website and the attacker, albeit unintentionally.

The entire logo is made up of two hemispheres that look like mirror images of each other, except that the colors are different. The attack could be seen as a redirect from the partner but it is preceded or masked by a redirect from the Website to the partner. The blue background of the left hemisphere signifies the purview of the Website who is only aware of the first redirect and believes it to be safe. However, there is an attendant malicious redirect from the client to the attacker, which appears “invisible” to the Website. Thus, a white background is chosen for the right hemisphere to represent the space in which the second redirect occurs. To the attacker, the second redirect may be the real attack while the first one only a camouflage.

Who found the Covert Redirect Vulnerability?

The vulnrability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.

From:

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

Covert Redirect: http://tetraph.com/covert_redirect/

I found a serious Covert Redirect ( http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html ) vulnerability related to OAuth 2.0 and OpenID.

Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu. 163, Alipay, Alibaba, Sina etc. I will introduce them one by one in my later posts.

The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.

For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.

For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.

Who should be responsible for the vulnerability?

The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.
In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.

As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.

How to patch the vulnerability?

The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.

An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.

I found this vulnerability at the beginning of February and I have reported it to related companies.

Facebook said “Short of forcing every single application on the platform to use a whitelist, which isn’t something that can be accomplished in the short term, do you have any recommendations on actions we can take here?”

In my reply, I suggested “For any URL, it has a particular value “&h”. If the URL is changed. there is no permission any more. That means the modified URL will not get any “&h”. Because it is illegal.”

Facebook agreed. “As you mentioned, that’s how our Linkshim system works. As I said, that doesn’t seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users.”

Google said “[they] are aware of the problem and are tracking it at the moment.”

LinkedIn “[has] published a blog post on how [they] intend to address [the problem].”

( Blog address: https://developer.linkedin.com/blog/r… )

Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third-party, different from the one reported by me (login.live.com). They recommended me to report the issue to the third-party instead.

Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation as soon as possible.

Taobao closed my report without providing a reason.

Yahoo did not reply me months after my report.

I did not report to VK, Mail.Ru and the others because I do not know the contact of their security teams.

Published by:

Wang Jing (PhD student of Mathematics)
Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)

More Details:
Covert Redirect:
http://tetraph.com/covert_redirect/
Covert Redirect Related to OAuth 2.0 and OpenID:
http://tetraph.com/covert_redirect/oa…
Blog:
http://tetraph.com/blog/
Youtube:
http://www.youtube.com/user/tetraph/

Yahoo Website Service 0Day Open Redirect Vulnerability

Those two attacks don’t even need users to login yahoo. The test is on all browsers in all computer systems.

Use “test works” to denote that url redirection works.

 

 

POC link:
http://www.youtube.com/watch?v=GTd1Gkj6OUY

 

 

Now use a website for the following tests. The website is “http://www.tetraph.com/essaybeans/reflections/solitude.html“. Can think this website is malicious, because it is fully under control.

 

 

 

url:
http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718

 

 

 

POC:
http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com
http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com

 

 

Credit:
WANG Jing,  Nanyang Technological University, Singapore
http://www.tetraph.com/wangjing/

 

 

 

 

References:
http://seclists.org/fulldisclosure/2014/Feb/119
http://www.csoonline.com/article/2136232/application-security/open-redirect-on-yahoo.html

 

Odnoklassniki.ru (OK.RU) Online Website Covert Redirect Web Security Bugs Based on Google.com

maxresdefault

 

Odnoklassniki.ru (OK.RU) Online Website Covert Redirect Web Security Bugs Based on Google.com

 



(1) Domain:
Odnoklassniki.ru

 

“Odnoklassniki, OK.ru (Russian: Одноклассники -Classmates) is a social network service for classmates and old friends. It is popular in Russia and former Soviet Republicsz. The site was developed by Albert Popkov on March 4, 2006. The website currently claims that it has more than 200 million registered users and 45 million daily unique visitors. Users have to be at least seven years old to make an account. Odnoklassniki also currently has an Alexa Internet traffic ranking of 69 worldwide and 7 for Russia. Revenues in the first quarter of 2008 for Odnoklassniki amounted to $3.3 million. The site has been online for at least eight years. Compared with internet averages, Odnoklassniki.ru’s users tend to be under the age of 35, and they tend to be men earning less than $30,000 who have postgraduate educations and browse from home. The site is particularly popular among users in Kyrgyzstan (where it is ranked #4) and Armenia (#5).” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:
Odnoklassniki.ru web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

The vulnerability occurs at “odnoklassniki.ru/dk?” page with “&st.link” parameter, i.e.
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fgoogle.com

 

 

 

(2.1) When a user is redirected from Odnoklassniki.ru to another site, Odnoklassniki.ru will check whether the redirected URL belongs to domains Odnoklassniki.ru’s whitelist, e.g.
google.com

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Odnoklassniki.ru to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Odnoklassniki.ru directly.

 

One of the vulnerable domain is,
google.com

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://tetraphlike.lofter.com/“. Can suppose that this webpage is malicious.

 

Vulnerable URL:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fodnoklassniki.ru

 

 

POC:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fkaleidoscope.html

 

 

POC video:
https://www.youtube.com/watch?v=Cf_-xPsYD-s

 


Blog Detail:
http://tetraph.blogspot.com/2014/05/odnoklassnikiru-covert-redirect.html







(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

More Details:
http://tetraph.com/security/covert-redirect/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
http://securityrelated.blogspot.com/2014/10/odnoklassnikiru-covert-redirect.html
http://whitehatpost.lofter.com/post/1cc773c8_706b5e4
https://mathfas.wordpress.com/2014/10/15/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
https://twitter.com/yangziyou/status/614327346808664064
http://ithut.tumblr.com/post/119494119203/securitypost
https://vulnerabilitypost.wordpress.com/2014/10/15/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
http://tetraph.blog.163.com/blog/static/23460305120144511829839/
http://computerobsess.blogspot.com/2014/10/odnoklassnikiru-covert-redirect.html
http://www.inzeed.com/kaleidoscope/covert-redirect/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/

 

 

 

===========

 

 

 

 

 

Одноклассники (социальная сеть)

 

«Однокла́ссники» (OK.ru) — социальная сеть, принадлежащая Mail.Ru Group. Седьмой по популярности сайт в России, Казахстане и на Украине, 67-й — в мире. Проект запущен 4 марта 2006 года.

 

По данным собственной статистики сайта, на июль 2011 года зарегистрировано более ▲ 100 миллионов пользователей, на март 2012 года более ▲ 148 миллионов пользователей, а на 1 января 2013 года более ▲ 205 млн пользователей. Посещаемость сайта — ▲ более 44 миллионов посетителей в сутки. (ru.wikipedia)

优酷 (Youku) 网站 隐蔽重定向 (Covert Redirect) 网络安全漏洞 基于 百度 (Baidu.com)

youku3

 

 

 

优酷 (Youku) 网站 隐蔽重定向 (Covert Redirect) 网络安全漏洞 基于 百度 (Baidu.com)

 

(1) 域名:
youku.com

 

” 优酷是中国领先的视频分享网站,由古永锵在2006年6月21日创立,优酷网以 “快者为王”为产品理念,注重用户体验,不断完善服务策略,其卓尔不群的“快速播放,快速发布,快速搜索”的产品特性,充分满足用户日益增长的多元化互动 需求,使之成为中国视频网站中的领军势力。优酷网现已成为互联网拍客聚集的阵营。美国东部时间2010年12月8日,优酷网成功在纽约证券交易所挂牌上 市。2014年4月28日,优酷土豆集团宣布与阿里巴巴(滚动资讯)集团建立战略投资与合作伙伴关系。2014年,优酷正式宣布多屏日视频播放量(VV) 突破6亿,截至2014年6月,中国网络视频用户规模达4.39亿。” (百度百科)

 

 

 

(2) 漏洞描述:

优酷网站有有一个计算机安全问题,黑客可以对它用隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

(2.1) Youku 对跳转的页面存在一个 domain white-list, 如果跳转的页面属于这些 domain, 则允许跳转。

 

但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此,Youku 用户意识不到他会被先从 Youku 跳转到有漏洞的网页,然后从此网页跳转到有害的网页。这与从 Youku 直接跳转到有害网页是一样的。

 

下面是一个有漏洞的 domain:
baidu.com

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://aibiyi.lofter.com/“. 可以假定它是有害的。

Youku 与 baidu.com 有关的有漏洞的 URL:
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com

 

 

POC:
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.tetraph.com/chinese.html

 

 

POC 视频:
https://www.youtube.com/watch?v=m7_NSa9CJ2A

 

博客细节:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

 

 

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/youku
http://ittechnology.lofter.com/post/1cfbf60d_7063549
http://securityrelated.blogspot.com/2014/10/youkucovertredirectbaiducom.html
https://tetraph.wordpress.com/2014/10/15/youku
http://webcabinet.tumblr.com/post/119496186352/securitypost#notes
https://mathfas.wordpress.com/2014/10/15/youku
https://twitter.com/essayjeans/status/558977106223190016
http://www.inzeed.com/kaleidoscope/covert-redirect/youku
http://tetraph.blog.163.com/blog/static/234603051201445102713900/
http://computerobsess.blogspot.com/2014/10/youkucovertredirectbaiducom.html
http://diebiyi.com/articles/security/covert-redirect/youku_bug

 

 

 

 

 

===========

 

 

Youku Online Website Covert Redirect Web Security Bugs Based on Baidu.com

 


(1) Domain:
Youku.com

 

“Youku Inc., formerly Youku.com Inc., doing business as Youku (simplified Chinese: 优酷; traditional Chinese: 優酷; pinyin: yōukù; literally: “excellent (and) cool”), is a video hosting service based in China. Youku has its headquarters on the fifth floor of Sinosteel Plaza (S: 中钢国际广场, T: 中鋼國際廣場, P: Zhōnggāng Guójì Guǎngchǎng) in Haidian District, Beijing. On March 12, 2012, Youku reached an agreement to acquire Tudou in a stock-for-stock transaction, the new entity being named Youku Tudou Inc. It has more than 500 million active users.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Youku web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

The programming code flaw occurs at “click.php?” page with “&url” parameter, i.e.
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.163.com



 

(2.1) When a user is redirected from Youku to another site, Youku will check whether the redirected URL belongs to domains in its white-list, e.g.
baidu.com

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Youku to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Youku directly.

 

 

 

One of the vulnerable domain is,
baidu.com

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. Can suppose that this webpage is malicious.

 

 

POC video:
https://www.youtube.com/watch?v=m7_NSa9CJ2A

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

Kaixin Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

kaixin001

 

Kaixin Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
kaixin.com

“Kaixin001 (Chinese: 开心网; pinyin: Kāixīnwǎng; literally: “Happy Net”) is a leading social networking website launched in March 2008. In 2010, Kaixin001 ranks as the 13th most popular website in China and 67th overall according to Alexa Internet. On 20 May 2009, Kaixin001 formally sued Qianxiang Group for unfair competition. Qianxiang Group runs one of China’s popular social networks Renren. It purchased the kaixin.com domain and launched a Kaixin001 clone. This enables Renren to confuse users and attract some Kaixin001 potential users to the Kaixin.com clone. In October 2011, Kaixin001 won a victory. The Beijing Second Intermediate People’s Court ordered Oak Pacific to cease all use of kaixin.com and pay 400,000 renminbi ($60,000) in damages. The other main competition for Kaixin001 is Weibo.com, which is like a hybrid of Twitter and Facebook. Weibo.com has 140 million users and is owned by Sina.com.” (Wikipedia)

 

 

 

(2) Vulnerability Description:

Kaixin web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(2.1) Vulnerability Detail:

Kaixin’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Kaixin.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

 

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “/authorize?” with parameter “&redirect_uri”, e.g.
http://api.kaixin001.com /oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d& response_type=code&redirect_uri=http://store.tv.sohu.com/web /login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html [1]

 

 

Before acceptance of third-party application:

When a logged-in user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Kaixin and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

A logged-in user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Kaixin would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Kaixin to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Kaixin directly. The number of Kaixin’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Kaixin’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Kaixin’s authentication system and attack more easily.

 

 

 

(2.2) One of webpages was used for the following tests. The webpage is “http://mathpost.tumblr.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
sohu.com

 

Vulnerable URL in this domain:
http://store.tv.sohu.com/web/login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html

 

 

Vulnerable URL from related to sohu.com:
http://api.kaixin001.com/oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d&response_type=code&redirect_uri=http://passport.sohu.com

 

 

POC:
http://api.kaixin001.com /oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d& response_type=code&redirect_uri=http://store.tv.sohu.com/web /login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html

 

 

POC Video:
https://www.youtube.com/watch?v=pxObbQZIQjY

 



Blog Detail:
http://tetraph.blogspot.com/2014/06/kaixin001comoauth20covertredirect.html

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

Related Articles:
http://tetraph.com/security/covert-redirect/kaixin_0day
http://securityrelated.blogspot.com/2014/10/kaixin001com-oauth-20-covert-redirect.html
http://www.inzeed.com/kaleidoscope/covert-redirect/kaixin_attack
https://mathfas.wordpress.com/2014/10/15/kaixin_bug
http://ittechnology.lofter.com/post/1cfbf60d_7063617
http://diebiyi.com/articles/security/covert-redirect/kaixin_bug
http://tetraph.blog.163.com/blog/static/2346030512014463021829/
http://webcabinet.tumblr.com/post/119496528752/securitypost-une-faille-dans-lintegration#notes
http://computerobsess.blogspot.com/2014/10/kaixin001com-oauth-20-covert-redirect.html
https://twitter.com/buttercarrot/status/558906553961426944
https://vulnerabilitypost.wordpress.com/2014/10/15/kaixin_attack_expoit

 

 

 

=============

 

 

 

 

开心网 (kaixin001.com) 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
kaixin001.com

 


” 开心网由北京开心人信息技术有限公司创办于2008年3月,是国内第一家以办公室白领用户群体为主的社交网站。开心网为广大用户提供包括日记、相册、动态 记录、转帖、社交游戏在内的丰富易用的社交工具,使其与家人、朋友、同学、同事在轻松互动中保持更加紧密的联系。截至2012年4月底,网站注册用户已突 破1.3亿,已发展成为中国最领先和最具影响力的实名化社交网站。” (百度百科)







 

 

(2) 漏洞描述:

开心网网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

(2.1) 漏洞细节:

Kaixin 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Kaixin 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Kaixin 的 URL跳转 攻击。

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info,email…

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/authorize?”,参数”&redirect_uri”, e.g.
http://api.kaixin001.com /oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d& response_type=code&redirect_uri=http://store.tv.sohu.com/web /login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html [1]

 

 

同意三方 App 前:

当一个已经登录的 Kaixin 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。

如果没有登录的Kaixin 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

同意三方 App 后:

已经登录的 Kaixin 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Kaixin 用户没有登录,攻击依然可以在要求他登录的Kaixin的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

(2.1.1) Kaixin 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

因此,Kaixin 用户意识不到他会被先从 Kaixin 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Kaixin 直接跳转到有害网页是一样的。

 

因为 Kaixin 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Kaixin 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

同意三方 App 后, 攻击者可以完全绕过 Kaixin 的 URL跳转 验证系统。

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “https://redysnowfox.wordpress.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

下面是一个有漏洞的三方 domain:
sohu.com

 

这个 domain 有漏洞的 URL:
http://store.tv.sohu.com/web/login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html

 

 

Kaixin 与 sohu.com 有关的有漏洞的 URL:
http://api.kaixin001.com/oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d&response_type=code&redirect_uri=http://passport.sohu.com

 

 

POC:
http://api.kaixin001.com /oauth2/authorize?client_id=232383298458c9b3c19540c63bc4cb0d& response_type=code&redirect_uri=http://store.tv.sohu.com/web /login.do?bru=http://tetraph.com/essayjeans/seasons/祭春.html

 

 

POC 视频:
https://www.youtube.com/watch?v=pxObbQZIQjY



博客细节:
http://tetraph.blogspot.com/2014/06/kaixin001comoauth20covertredirect.html

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

 

 

相关文章:
http://tetraph.com/security/covert-redirect/kaixin_0day
http://securityrelated.blogspot.com/2014/10/kaixin001com-oauth-20-covert-redirect.html
http://www.inzeed.com/kaleidoscope/covert-redirect/kaixin_attack
https://mathfas.wordpress.com/2014/10/15/kaixin_bug
http://ittechnology.lofter.com/post/1cfbf60d_7063617
http://diebiyi.com/articles/security/covert-redirect/kaixin_bug
http://tetraph.blog.163.com/blog/static/2346030512014463021829/
http://webcabinet.tumblr.com/post/119496528752/securitypost-une-faille-dans-lintegration#notes
http://computerobsess.blogspot.com/2014/10/kaixin001com-oauth-20-covert-redirect.html
https://twitter.com/buttercarrot/status/558906553961426944
https://vulnerabilitypost.wordpress.com/2014/10/15/kaixin_attack_expoit

============