Published on May 3rd, 2014 📆 | 6549 Views ⚑


Serious security flaw in OAuth and OpenID discovered

Wang Jing, a Chinese mathematics Ph.D student at the Nanyang Technological University in Singapore, found that the OAuth and OpenID open source login tools are vulnerable to the "Covert Redirect" exploit.
The login tools ‘OAuth’ and ‘OpenID’ protocols are the commonly used open standard for authorization. OAuth designed as a way for users to sign in or sign up for other services using an existing identity of a site such as Google, Facebook, Microsoft or Twitter, whereas OpenID is a decentralized authentication system for the Internet that allows users to log in at websites across the internet with same digital identity.
The Covert Redirect vulnerability could affect those who use ‘OAuth’ and ‘OpenID’ protocols to ‘login’ to the websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, VK, Mail.Ru, PayPal, GitHub and many others.

[adsense size='1']

The "Covert Redirect" flaw masquerade as a login popup from the affected sites that could allow an attacker to steal personal data from users and redirect them to a website of the attacker's choice, which could potentially further compromise the victim.
By clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app and to hoax the user into giving up their information instead on legitimate websites, the Covert Redirect flaw uses the real site address for authentication.
Once the user login, the attacker could get the personal data, which in the case of Facebook, could include the email address, birth date, contacts, work history, etc.
But, if in case “the token” has greater privilege, the attacker could obtain more sensitive information including the mailbox, friends list, online presence and most possibly even operate and control the user’s account.

In a blog post yesterday Jing explained, for OAuth 2.0, the attacks could risk “the token” of the site users and whenever users authorize the login the attacker could then use that to access users’ private information. In case of OpenID, the attacker could get users’ information directly, as it’s immediately transferred from the provider upon request.
However, this isn't the first time the issue has been raised and  the root cause is a lack of token whitelisting in OAuth 2.0.
Facebook uses OAuth and something similar to OpenID. When he reported the Facebook about the vulnerability, Facebook said “they understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term.
Facebook isn't the only site affected, Jing reported the vulnerability to some more companies who use both OAuth and OpenID including Google, LinkedIn, Microsoft and Yahoo to discuss the problem.
[adsense size='1']
Google uses OpenID and told Jing, “they are aware of the problem and are tracking it at the moment,” whereas LinkedIn told they have acknowledged the problem back in march and “published a blog post on how [they] intend to address [the problem].”
Microsoft replied after they investigated the matter and concluded that the vulnerability exists in the domain of a third-party which is different from the one Jing reported and recommended him to report the issue to the third-party instead.
Yahoo did not reply months after he reported.

They have little incentive to fix the problem,” Jing wrote regarding the companies, “One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.

According to Jing, there is no speedy fix for the vulnerability. “In the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” Jing wrote.
Wang believes it's unlikely that this flaw will be patched any time soon. He says neither the authentication companies such as Google, Microsoft, Facebook, nor the client companies are taking responsibility for fixing the issue.
However, to take advantage of Covert redirect vulnerability, it requires interaction from users i.e. Victim has to click on a link or visit a malicious website, and then they have to click on a Facebook login button and agree to authorize the login and release of information.
So far, the security experts hasn't labelled this vulnerability as a major security flaw as Heartbleed, but still it’s a threat.

Tagged with:

Comments are closed.