Covert Redirect Vulnerability

The New York Times(Nytimes.com) Covert Redirect Web Security Bug Based on Google Doubleclick.net

Posted by

0

New-York-Times-office

(1) WebSite:

nytimes.com



“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 117 Pulitzer Prizes, more than any other news organization.

The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times.” (Wikipedia)

(2) Vulnerability Description:

The New York Times web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

The programming code flaw occurs at “adx_click.html?” page with “&goto” parameter, i.e.

http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

(2.1) When a user is redirected from Nytimes to another site, Nytimes will check parameters “&sn1″ and “&sn2″. If the redirected URL’s domain is OK, Nytimes will allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Nytimes to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Nytimes directly.

One of the vulnerable domain is,
doubleclick.net (Google’s Ad website)

(2.2) Use one of webpages for the following tests. The webpage address is “http://xingti.tumblr.com”. We can suppose that this webpage is malicious.

Vulnerable URL:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

POC:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fblog%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion


Blog Detail:
http://tetraph.blogspot.com/2014/05/nytimes-covert-redirect-vulnerability.html



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

More Articles:
http://tetraph.com/security/covert-redirect/nytimes-covert-redirect-vulnerability-based-on-google-doubleclick/
http://computerobsess.blogspot.com/2014/11/nytimes-covert-redirect-vulnerability.html
http://whitehatview.tumblr.com/post/102682917011/the-new-york-times-nytimes
https://mathfas.wordpress.com/2014/11/15/the-new-york-timesnytimes-com
http://tetraph.blog.163.com/blog/static/234603051201444111911779/
http://aga.ustc.edu.cn/news/view?id=2094http://webtech.lofter.com/post/1cd3e0d3_706aec6
http://www.inzeed.com/kaleidoscope/covert-redirect/nytimes-covert-redirect-vulnerability-based-on-google-doubleclick/
http://webcabinet.tumblr.com/post/118901188782/itinfotech-covert#notes
https://twitter.com/tetraphibious/status/559167627470180352
http://xingti.tumblr.com/post/121909911895/the-new-york-times-nytimes-com-covert-redirect
http://securityrelated.blogspot.com/2014/11/the-new-york-timesnytimes.html
https://tetraph.wordpress.com/2014/11/15/the-new-york-timesnytimes-com-covert-redirect

eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

Posted by

0

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services.” (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

Posted by

0

go

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

 

 

 

(1) WebSite:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

 

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks. 

The vulnerability exists at “Logout?” page with “&continue” parameter, i.e.

 
 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

 
 
 
 
 
 (2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

 
 
 

 

If this is true, the redirection will be allowed.

 

 

However, if the URLs in a redirected domain have open URL redirection  vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

 

 

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

 
 
 
 

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

 
 
 
 
 
 
 
 
 
 
 
 
 
 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

 

 

 

 

 

(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

 

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.

 
 
 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 
 
 
 
 
 
 

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

 
 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Posted by

0

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

XSS攻撃に対して脆弱先立ち2013年にニューヨーク·タイムズ紙の記事へのすべてのリンク

Posted by

0

XSS攻撃に対して脆弱先立ち2013年にニューヨーク·タイムズ紙の記事へのすべてのリンク

 

 

2013の前に公開されたニューヨーク·タイムズ(NYT)の資料へのURLは、Webブラウザのコンテキストで実行されるコードを提供できるXSS(クロスサイトスクリプティング)攻撃に対して脆弱であることが見出されている。

 

NYTimesのの設計に基づいて、ほぼ2013年前にすべてのURLが(記事のすべてのページを)影響を受けます。実際には、「印刷」ボタン、「単一ページ」ボタンを含むすべての記事ページには、「ページ*」ボタン、「次ページ」ボタンが影響を受けます。

 

324748_1280x720

 

NYTimesのは、そのサーバに送信されたURLを復号化し、2013年以来、このメカニズムを変更しました。これは今メカニズムはるかに安全になります。

 

し かし、2013年前にすべてのURLは古いメカニズムを使用しています。これは2013年前にほとんどすべての記事ページはまだXSS攻撃に対して脆弱で あることを意味します。私はNYTimesの前にURLをフィルタリングしない理由はコストだと思います。それは前にすべての投稿記事のデータベースを変 更する(マネー&人的資本)あまりかかります。

 

この脆弱性は、物理の学校と数理科学(SPMS)、南洋理工大学、シンガポールから数学の博士課程の学生によって(Wang Jing) 発見されました。

 

王によって与えられたPOCとブログの説明、
https://www.youtube.com/watch?v=RekCK5tjXWQ
http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

 

 

一方、王は「ニューヨーク·タイムズ紙は、これはより良い保護メカニズムです。今新しいメカニズムを採用しています。」と述べた

 

記事が古い場合でも、ページがまだ関連しています
最近の記事への攻撃は間違いなく大きな影響を持っていただろうが、2012年、あるいはそれ以上の年齢の記事は廃止されてから遠く離れている。彼らはまだ攻撃の文脈において関連があるでしょう。

 

サイバー犯罪者は、高い成功率、すべての複数と標的型攻撃を潜在的な被害者へのリンクを送信し、記録するさまざまな方法を考案することができる。

 

XSSとは何ですか?
ク ロスサイトスクリプティング(XSS)は、典型的には、Webアプリケーションで見つかったコンピュータセキュリティの脆弱性の一種です。 XSSは、他のユーザが閲覧するWebページにクライアント側のスクリプトを注入するために、攻撃を可能にします。クロスサイトスクリプティングの脆弱性 は、同一生成元ポリシーとしてアクセス制御をバイパスするために攻撃者によって使用されてもよい。ウェブサイト上で行わクロスサイトスクリプティングは、 2007年のようにSymantecが文書化されたすべてのセキュリティ脆弱性の約84%を占めた(ウィキペディア)

 

 

 

 

 

 

Otra brecha de seguridad amenaza parte de Internet

Posted by

0

Un nuevo fallo de seguridad amenaza Internet. En este caso se trata de Covert Redirect y ha sido descubierto por un estudiante chino en Singapur. Las empresas tienen en sus manos solucionar este problema.

encrypt

 

Cuando aún resuenan los ecos de Heartbleed y el terremoto que sacudió la red, nos acabamos de enterar que otra brecha de seguridad compromete Internet. En este caso se trata de un fallo que afecta a páginas como Google, Facebook, Microsoft, Linkedin, Yahoo, PayPal, GitHub o Mail.ru que usan estas herramientas de código abierto para autenticar a sus usuarios.

 

Este error permitiría a un atacante haga creer a un usuario que una nueva ventana que redirija a Facebook es segura cuando en realidad no lo es. Hasta aquí la técnica se parece al phishing pero lo que hace lo hace diferente es que Covert Redirect, que así se llama el nuevo exploit, usa el dominio real pero hace un bypass del servidor para conseguir la info. Lo mejor que podemos hacer cuando estemos navegando y pulsemos en un sitio que abre un pop up que nos pide logearnos en Facebook o Google es cerrar esa ventana para evitar que nos redirija a sitios sospechosos.

 

Wang Jing, estudiante de doctorado en la Universidad Técnica de Nanyang (Singapur), es quien ha descubierto la vulnerabilidad y le ha puesto nombre. El problema, según Jing, es que ni el proveedor ni la compañía quieren responsabilizarse de esta brecha ya que costaría mucho tiempo y dinero. Seguramente, ahora que se conoce el caso, las compañías se pondrán manos a la obra.

 

Artículos Relacionados:

Falha de segurança afetam logins de Facebook, Google e Microsoft

Posted by

0

covert_redirect3

Um estudante de PHD de Singapura, Wang Jing, identificou a falha, chamada de “Covert Redirect”, que consegue usar domínios reais de sites para verificação de páginas de login falsas, enganando os internautas.

 

Os cibercriminosos podem criar links maliciosos para abrir janelas pop-up do Facebook pedindo que o tal aplicativo seja autorizado. Caso seja realizada esta sincronização, os dados pessoais dos usuários serão passados para os hackers.

 

Wang afirma que já entrou em contato com o Facebook, porém recebeu uma resposta de que “entende os riscos de estar associado ao OAuth 2.0″ e que corrigir a falha “é algo que não pode ser feito por enquanto”.

 

O Google afirmou que o problema está sendo rastreado, o LinkedIn publicou nota em que garante que já tomou medidas para evitar que a falha seja explorada, e a Microsoft negou que houvesse vulnerabilidade em suas páginas, apenas nas de terceiros.

 

A recomendação do descobridor da falha para os internautas é que evitem fazer o login com dados de confirmação de Facebook, Google ou qualquer outro serviço sem terem total certeza de que estão em um ambiente seguro.

 

 

Especialistas: erro é difícil de corrigir

O site CNET ouviu dois especialistas em segurança virtual sobre o assunto. Segundo Jeremiah Grossman, fundador e CEO interino da WhiteHat Security, afirma que a falha “não é fácil de corrigir”. Segundo Chris Wysopal, diretor da Veracode, a falha pode enganar muita gente.

 

“A confiança que os usuários dão ao Facebook e outros serviços que usam OAuth pode tornar mais fácil para os hackers enganarem as pessoas para que elas acabem dando suas informações pessoais a ele”, afirma Wsyopal.

 

 

 

notícias relacionadas:

하트블리드 이어 ‘오픈ID’와 ‘오쓰 (OAuth)’서도 심각한 보안 결함

Posted by

0

covert_redirect_logo_tetraph


‘하트블리드(Heartbleed)’ 버그에 이어 가입자 인증 및 보안용 오픈소스 SW인 ‘오픈ID’와‘오쓰(OAuth)’에도 심각한 결함이 발견됐다고 씨넷, 벤처비트 등 매체들이 보도했다.

 

싱 가폴난양대학교에 재학중인 ‘왕 징(Wang Jing)’ 박사는 수 많은 웹사이트와 구글, 페이스북, 링크드인, MS, 페이팔 등에서 사용하고 있는 로그인 툴인 ‘OAuth’와‘오픈ID’에 치명적인 결함이 발견됐다고 밝혔다. ‘코버트리디렉트(Covert Redirect)’라고 일컬어지는 이 결함은 감염된 도메인의 로그인 팝업을 통해 해킹이 이뤄진다.

 

가 령 인터넷 사용자들이 악의적인 피싱 사이트를 클릭하면 가입자 인증을 위해 페이스북 팝업 윈도가 뜨는데 가입자를 속이 기위해 가짜 도메인 이름을 사용하는 것이 아니라 진짜 사이트의 도메인을 활용한다고 한다. 만일 가입자가 로그인을 하면 합법적인 사이트가 아니라 피싱사이트로 e메일 주소, 생일, 연락처 등 개인 정보들이 흘러들어간다.

 

왕 은 페이스북 등 업체에 이 같은 결함을 알렸으며 페이스북은 결함이 OAuth 2.0가 연관된 것으로 인식하고 있지만 짧은 시간내 해결될 수는 없을 것이란 답을 얻은 것으로 알려졌다. 왕은 이번 결함이 구글, 링크드인, 마이크로소프트, 페이스북, 페이팔 등 다수의 오픈ID와 OAuth를 활용하는 기업들이 영향을 받을 것으로 예상했다.

 

왕 은 “제3의 애플리케이션 개발자들이 화이트리스트를 엄격하게 적용하면 해커 공격의 빌미를 제공하지 않을 것”이라고 말했다. 하지만 “실제로 많은 애플리케이션 개발자들이 여러가지 이유로 이런 조치를 취하지않고 있다는 게 OAuth 2.0과 오픈ID의 결함 문제를 심각하게 만들고 있다”고 덧붙였다.

 

 



 

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

Posted by

0

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

 

A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

 

It could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID. 

 

For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf. 

 

For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved. 

 

 

More Details:
Blog Youtube
Q&A

Why is it a serious vulnerability?

▪ It enables Open Redirect Attacks
▪ It could lead to sensitive information leakage
▪ It has wide coverage: most of the major internet companies that provide authentication/authorization services
▪ It is difficult to patch

 

How widespread is the vulnerability?

Almost all major OAuth 2.0 and OpenID providers are affected.

List of affected major OAuth 2.0 and OpenID providers:
Website Company Blog Detail POC Video
facebook.com Facebook Blog Youtube
google.com Google Blog Youtube
linkedin.com LinkedIn Blog Youtube
yahoo.com Yahoo Blog Youtube
live.com Microsoft Blog Youtube
vk.com VK Blog Youtube
qq.com Tencent Blog Youtube
weibo.com Sina Blog Youtube
paypal.com PayPal Blog Youtube
mail.ru Mail.Ru Blog Youtube
taobao.com Alibaba Blog Youtube
sina.com.cn Sina Blog Youtube
sohu.com Sohu Blog Youtube
163.com 163 Blog Youtube
github.com GitHub Blog Youtube
alipay.com Alibaba Blog Youtube
★ Website ranking is based on Alexa.

 

Who should be responsible for the vulnerability?

The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.

In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.

As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.

 

 

How to patch the vulnerability?

The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.

An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.

 

 

What is the meaning of the logo?

The logo depicts the three parties involved in the attack: the provider (top-left), the third-party application used by the client (bottom) and the attacker (top-right).

Due to the loophole in the third-party application, the attacker is able to attack the provider through the application. The client therefore acts as a bridge between the provider and the attacker, albeit unintentionally. The attack could be seen as a redirect from the client but it is preceded or masked by a redirect from the provider to the client.

 

 

Why it is called Covert Redirect Vulnerability?

A Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation.

The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.

On the other hand, the Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners. The provider relies on the clients to provide a list of “trustworthy” domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed.

 

 

Who found the vulnerability?

The vulnrability was found by WANG Jing, a PhD student in mathematics from Nanyang Technological University.

Reference

Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID

Posted by

0

Covert Redirect: http://tetraph.com/covert_redirect/

I found a serious Covert Redirect ( http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html ) vulnerability related to OAuth 2.0 and OpenID.

Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu. 163, Alipay, Alibaba, Sina etc. I will introduce them one by one in my later posts.

The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.

For OAuth 2.0, these attacks might jeopardize “the token” of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If “the token” has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.

For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.

Who should be responsible for the vulnerability?

The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. The onus would fall onto the Big Brother (the provider). However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task.
In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.

As the internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbours.

How to patch the vulnerability?

The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.

An alternative solution is the providers developing a more thorough verification procedure to prevent such attacks.

I found this vulnerability at the beginning of February and I have reported it to related companies.

Facebook said “Short of forcing every single application on the platform to use a whitelist, which isn’t something that can be accomplished in the short term, do you have any recommendations on actions we can take here?”

In my reply, I suggested “For any URL, it has a particular value “&h”. If the URL is changed. there is no permission any more. That means the modified URL will not get any “&h”. Because it is illegal.”

Facebook agreed. “As you mentioned, that’s how our Linkshim system works. As I said, that doesn’t seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users.”

Google said “[they] are aware of the problem and are tracking it at the moment.”

LinkedIn “[has] published a blog post on how [they] intend to address [the problem].”

( Blog address: https://developer.linkedin.com/blog/r… )

Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third-party, different from the one reported by me (login.live.com). They recommended me to report the issue to the third-party instead.

Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation as soon as possible.

Taobao closed my report without providing a reason.

Yahoo did not reply me months after my report.

I did not report to VK, Mail.Ru and the others because I do not know the contact of their security teams.

Published by:

Wang Jing (PhD student of Mathematics)
Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)

More Details:
Covert Redirect:
http://tetraph.com/covert_redirect/
Covert Redirect Related to OAuth 2.0 and OpenID:
http://tetraph.com/covert_redirect/oa…
Blog:
http://tetraph.com/blog/
Youtube:
http://www.youtube.com/user/tetraph/