Ramblings of an old Doc

 

We were all pretty frightened by the ‘Heartbleed’ bug.

This one may be worse, because there is no ‘easy fix’ for the “Covert Redirect” vulnerability in the OAuth 2.0 and OpenID login protocols, which an attacker can abuse to steal your data and redirect you to unsafe sites. I read about it on Neowin, then went to the original source at c|net.

Beware of links that ask you to log in through Facebook. The OAuth 2.0 and OpenID implementations used by many sites are vulnerable.

These protocols are used by many websites, including Google, Facebook, Microsoft and LinkedIn…among many others.

“For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication.

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker's choice, which could potentially further compromise the victim.” – c|net

It’s even worse when sites notified of the vulnerability answer thusly:

“Wang says he has already contacted Facebook and has reported the flaw, but was told that the company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term." – ibid

Here is a partial list of affected sites, with their responses as reported by c|net:

Google: “The problem is being tracked.” Microsoft said “…an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.”

The researcher who found this vulnerability, Wang Jing, said, “Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks.” At least LinkedIn requested a list of redirect URLs from the app makers.
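To make the c|net description of the attack and Wang’s whitelist remark concrete, here is an added example (my own toy code, not anything from c|net, Wang, or any of the named providers). It simulates a provider’s authorization endpoint with the implicit grant (token returned in the URL fragment), a loose redirect_uri check that only compares the domain, and the strict exact-match whitelist fix. The client id, domains, the /redirect?url= open redirector on the legitimate app and the token value are all constructed for the illustration.

```python
"""Added example: Covert Redirect against a loose redirect_uri check, and the whitelist fix.
Everything here (client ids, domains, the open-redirect path, the token) is hypothetical."""
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed registry: what the hypothetical client "app123" registered with the provider.
REGISTERED_CLIENTS = {
    "app123": {
        # Loose registration: only a domain is recorded.
        "domain": "example-app.test",
        # Strict registration: the full callback URL(s) are recorded.
        "redirect_uris": ["https://example-app.test/oauth/callback"],
    },
}


def loose_redirect_ok(client_id, redirect_uri):
    """Vulnerable check: any URL on the registered domain is accepted."""
    return urlparse(redirect_uri).hostname == REGISTERED_CLIENTS[client_id]["domain"]


def strict_redirect_ok(client_id, redirect_uri):
    """Hardened check: redirect_uri must exactly match a whitelisted value (no prefix or domain matching)."""
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def authorize(client_id, redirect_uri, user_consents, check):
    """Simulated provider authorization endpoint (implicit grant).
    Returns ("error", None) or ("redirect", location)."""
    if client_id not in REGISTERED_CLIENTS or not check(client_id, redirect_uri):
        return ("error", None)
    if not user_consents:
        # Even a denial sends the browser to redirect_uri, which is why the article says the
        # victim is redirected "regardless of whether the victim chooses to authorize the app".
        return ("redirect", redirect_uri + "#error=access_denied")
    return ("redirect", redirect_uri + "#access_token=SECRET_TOKEN_FOR_USER")


def simulate_open_redirector(url):
    """Simulate a hypothetical open redirect at https://example-app.test/redirect?url=...
    Browsers carry the URL fragment over to a 302 target that has no fragment of its own,
    so the access token in the fragment follows the user to the attacker's site."""
    parsed = urlparse(url)
    if parsed.path != "/redirect":
        return url
    target = parse_qs(parsed.query).get("url", [None])[0]
    if target is None:
        return url
    return target + ("#" + parsed.fragment if parsed.fragment else "")


def covert_redirect_attack(check):
    """Run the attack under a given redirect_uri check.
    Returns (final_hostname, final_fragment) if the token leaves the provider, else None."""
    # The phishing link points at the real provider, with redirect_uri set to the legitimate
    # app's open redirector (which in turn points at the attacker).
    malicious_redirect = "https://example-app.test/redirect?" + urlencode(
        {"url": "https://attacker.test/collect"}
    )
    status, location = authorize("app123", malicious_redirect, user_consents=True, check=check)
    if status != "redirect":
        return None
    final = simulate_open_redirector(location)
    return urlparse(final).hostname, urlparse(final).fragment


if __name__ == "__main__":
    print("loose check :", covert_redirect_attack(loose_redirect_ok))
    print("strict check:", covert_redirect_attack(strict_redirect_ok))
```

With the loose check the token ends up at attacker.test; with the exact-match whitelist the provider refuses the request before the user ever sees a consent screen. The code only covers the implicit grant; with the authorization-code grant the code travels in the query string instead of the fragment, but the fix (exact-match redirect_uri whitelisting, and not running open redirectors on the client's domain) is the same.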

At least PayPal took this seriously:

“When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability,” James Barrese, PayPal's CTO, said in a blog post on Friday. PayPal declined to add details about those measures.” – ibid

WhiteHat Security and Veracode have verified the vulnerability.

“Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks.”

Source:

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/


Comments
on May 03, 2014

Now I'm wondering what's next. This is some crazy s**t!

on May 06, 2014

Just connecting to the web is perilous!