eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services.” (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

Advertisements

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

go

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

 

 

 

(1) WebSite:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

 

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability exists at “Logout?” page with “&continue” parameter, i.e.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

 

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

 

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

 

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

Attachments area
Preview YouTube video Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

Attachments area
Preview YouTube video Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Sina OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

sina2

 

Sina OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)



 

(1) Domain:
sina.com

 

 

“Sina (新浪) is a Chinese online media company for Chinese communities around the world. Sina operates four major business lines: Sina Weibo, Sina Mobile, Sina Online, and Sina.net. Sina has over 100 million registered users worldwide. Sina was recognized by Southern Weekend as the “China’s Media of the Year” in 2003.Sina owns Sina Weibo, a Twitter-like microblog social network, which has 56.5 percent of the Chinese microblogging market based on active users and 86.6 percent based on browsing time over Chinese competitors such as Tencent and Baidu. The social networking service has more than 500 million users and millions of posts per day, and is adding 20 million new users per month, says the company. The top 100 users now have over 180 million followers combined. Sina.com is the largest Chinese-language web portal. It is run by Sina Corporation, which was founded in 1999. The company was founded in China, and its global financial headquarters have been based in Shanghai since October 1, 2001.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Sina web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

Sina’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Sina.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “/authorize?” with parameter “&redirect_uri”, e.g.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code [1]

 

 

Before acceptance of third-party application:

When a logged-in Sina user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Sina and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

A logged-in Sina user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

 

(2.1.1) Sina would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Sina to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Sina directly. The number of Sina’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Sina’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Sina’s authentication system and attack more easily.

 

 

 

(2.2) One of webpages was used for the following tests. The webpage is “http://tetraphlike.lofter.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
paidai.com

 

Vulnerable URL in this domain:
http://www.paidai.com/user/login.php?ref=http://tetraph.com/essayjeans/memories/%E9%9B%A8%E6%A2%A6%E9%9B%A8%E9%9F%B5.html

 

Vulnerable URL from Sina that is related to paidai.com:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code

 

POC:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code

 

 


POC Video:
https://www.youtube.com/watch?v=5MWNG4UlZUc



Blog Detail:
http://tetraph.blogspot.com/2014/05/sinas-oauth-20-covert-redirect.html








(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/sinas-oauth-2-0-covert-redirect
https://twitter.com/essayjeans/status/558976278854770688
http://diebiyi.com/articles/security/covert-redirect/sina-weibo-oauth-2-0
https://hackertopic.wordpress.com/2014/09/28/sina-exploit/
http://japanbroad.blogspot.jp/2014/09/sina-hacking.html
http://tetraph.blog.163.com/blog/static/23460305120144715917495/
http://homehut.lofter.com/post/1d226c81_7069918
http://xingti.tumblr.com/post/119489954830/securitypost-sicherheitslucke-in-oauth-2-0-und
https://infoswift.wordpress.com/2014/09/11/sina-bugs/
http://computerobsess.blogspot.com/2014/06/sina-web-service-attack.html
http://www.inzeed.com/kaleidoscope/covert-redirect/sinas-oauth-2-0-covert-redirect

 

 

 

 

================

 

 

新浪 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
sina.com



” 新浪(NASDAQ:SINA),是一家网络公司的名称,以服务大中华地区与海外华人为己任,新浪拥有多家地区性网站,通过旗下五大业务主线为用户提供网 络服务,网下的北京新浪、香港新浪、台北新浪、北美新浪等覆盖全球华人社区的全球最大中文门户网站,2012年11月新浪注册用户已突破4亿。新浪公司是 一家服务于中国及全球华人社群的网络媒体公司。新浪通过门户网站新浪网、移动门户手机新浪网和社交网络服务及微博客服务微博组成的数字媒体网络,帮助广大 用户通过互联网和移动设备获得专业媒体和用户自生成的多媒体内容(UGC)并与友人进行兴趣分享。” (百度百科)







(2) 漏洞描述:

新浪 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。



这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。





(2.1) 漏洞细节:

Sina 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Sina 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Sina 的 URL跳转 攻击。




与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info,email…





它也增加了对第三方网站 URL跳转 攻击的成功率。






漏洞地点 “/authorize?”,参数”&redirect_uri”, e.g.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code [1]







同意三方 App 前:

当一个已经登录的 Sina 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。



如果没有登录的Sina 用户点击 URL ([1]), 他登录后会发生同样的事情。




同意三方 App 后:

已经登录的 Sina 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。


如果 Sina 用户没有登录,攻击依然可以在要求他登录的Sina的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。






(2.1.1) Sina 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。



因此,Sina 用户意识不到他会被先从 Sina 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Sina 直接跳转到有害网页是一样的。



因为 Sina 的 OAuth 2.0 客户很多,这样的攻击可以很常见。



在同意三方 App 之前,Sina 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。



同意三方 App 后, 攻击者可以完全绕过 Sina 的 URL跳转 验证系统。







(2.2) 用了一个页面进行了测试, 页面是 “http://qianqiuxue.tumblr.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。





下面是一个有漏洞的三方 domain:

paidai.com



这个 domain 有漏洞的 URL:
http://www.paidai.com/user/login.php?ref=http://tetraph.com/essayjeans/memories/%E9%9B%A8%E6%A2%A6%E9%9B%A8%E9%9F%B5.html





Sina 与 paidai.com 有关的有漏洞的 URL:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code






POC:
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fuser%2Flogin.php%3Fref%3Dhttp%3A%2F%2Ftetraph.com%2Fessayjeans%2Fmemories%2F%25E9%259B%25A8%25E6%25A2%25A6%25E9%259B%25A8%25E9%259F%25B5.html&response_type=code

 

 

POC 视频:
https://www.youtube.com/watch?v=5MWNG4UlZUc

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/sinas-oauth-20-covert-redirect.html

 




(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。



Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

logo_msHotmailVertical_web

 

Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
live.com

 

 

 

 

(2) Vulnerability Description:

Live web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 


(2.1) Vulnerability Detail:

Live’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Live.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerability was reported to Microsoft. Microsoft replies “We have completed our investigation and concluded that the vulnerability exists in idp.plane.edu.au and not login.live.com. I would recommend reporting this issue to plane.edu.au. We will be closing this case.”

 

 

The vulnerabilities occurs at page “/oauth20_authorize.srf?” with parameter “&redirect_uri”, e.g.
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au%2Fsimplesaml%2Fmodule.php%2Fmultiauth%2Fselectsource.php%3FAuthState%3D_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%253Ahttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

 

 

 

Before acceptance of third-party application:

When a logged-in Live user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Live and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in Live user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

 

(2.1.1) Live would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Live to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Live directly. The number of Live’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Live’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Live’s authentication system and attack more easily.

 

It might be of Live’s interest to patch up against such attacks.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://lifegrey.tumblr.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
idp.plane.edu.au

 

 

Vulnerable URL in this domain:
http://idp.plane.edu.au/simplesaml/module.php/multiauth/selectsource.php?AuthState=_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%3Ahttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

 

 

Vulnerable URL from Live that is related to idp.plane.edu.au:
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au

 

 

POC:
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au%2Fsimplesaml%2Fmodule.php%2Fmultiauth%2Fselectsource.php%3FAuthState%3D_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%253Ahttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

 

 

 

(2.3) The following URLs have the same vulnerabilities.
https://oauth.live.com/authorize?client_id=0000000044072822&scope=wl.basic%20wl.offline_access%20wl.signin%20wl.birthday%20wl.emails%20wl.phone_numbers%20wl.postal_addresses%20wl.share%20wl.work_profile&response_type=code&redirect_uri=http://www.denglu.cc/dl_receiver.php&state=31482_windowslive_284401

 


POC Video:
https://www.youtube.com/watch?v=z3Eq6GJsHWI

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/microsoft-lives-oauth-20-covert.html



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/microsoft-lives-oauth-2-0-covert-redirect-vulnerablity/
https://twitter.com/tetraphibious/status/559168921534603264
https://tetraph.wordpress.com/2014/09/06/microsoft-live-vulnerability/
http://computerobsess.blogspot.com/2014/07/microsoft-live-exploit.html
http://webcabinet.tumblr.com/post/119496963567/securitypost
http://tetraph.blog.163.com/blog/static/2346030512014440315992/
http://securityrelated.blogspot.com/2014/07/microsoft-live-exploit.html
http://www.inzeed.com/kaleidoscope/covert-redirect/microsoft-lives-oauth-2-0-covert-redirect-vulnerablity/
http://whitehatpost.lofter.com/post/1cc773c8_706b622
https://computertechhut.wordpress.com/2014/09/02/microsoft-live-vulnerability/

 

Tencent QQ OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

qq-messenger-53

 

Tencent QQ OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

 

(1) Domain:
qq.com

 

 

“Tencent QQ, popularly known as QQ, is an instant messaging software service developed by Chinese company Tencent Holdings Limited. QQ also offers a variety of services, including online social games, music, shopping, microblogging, movies, platform of games and group and voice chat. As of January 2015, there are 829 million active QQ accounts, with a peak of 176.4 million simultaneous online QQ users.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Tencent QQ web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

QQ’s SSO system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in SSO system is insufficient. It can be misused to design Open Redirect Attacks to QQ.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

 

The vulnerabilities occurs at page “/oauth/show?” with parameter “&redirect_uri”, e.g.
http://openapi.qzone.qq.com/oauth/show?which=ConfirmPage&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [1]

 

 

Before acceptance of third-party application:

 

When a logged-in QQ user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto QQ and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

 

A logged-in QQ user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) QQ would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from QQ to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from QQ directly. The number of QQ’s SSO client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, QQ’s SSO system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass QQ’s authentication system and attack more easily.

 

Used one of webpages for the following tests. The webpage is “https://dailymem.wordpress.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 

Vulnerable URL in this domain:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

Vulnerable URL from QQ that is related to cjcp.com.cn:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share

 

POC:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dqq%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A2%25258E%2525E5%2525A4%25258F.html&response_type=code&scope=get_user_info%2Cadd_share [2]

 

 

 

 

(2.2) Another method for attackers.

Attackers enter the following URL in browser,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

Then, attackers can get URL below,
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [3]

 

If users click URL [3], the same thing will happen as URL [2].

 

 

 

(2.3) The following URLs have the same vulnerabilities.
http://openapi.qzone.qq.com/oauth/qzoneoauth_authorize?oauth_consumer_key=209717&oauth_token=14921471022138330625&oauth_callback=http://user.nipic.com/api/login/qq/callback.asp

https://graph.qq.com/oauth2.0/authorize?client_id=100246654&redirect_uri=http://youxi.baidu.com/tp/QQAuth.jsp&response_type=code

https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=801132217&response_type=code&redirect_uri=http://passport.tianya.cn/login/txwb.do

 

 

POC Video:
https://www.youtube.com/watch?v=-lxaX9xvUfE

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/tencent-qq-oauth-20-covert-redirect.html

 

 



 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

 

Related Articles:
http://tetraph.com/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
https://twitter.com/yangziyou/status/615125849306632193
https://biyiniao.wordpress.com/2014/08/28/qq-bugs/
http://diebiyi.com/articles/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
http://frenchairing.blogspot.com/2014/08/tencent-qq-exploit.html
http://tetraph.blog.163.com/blog/static/23460305120144631154854/
http://guyuzui.lofter.com/post/1ccdcda4_6f0b982
http://mathpost.tumblr.com/post/119490927560/itinfotech-id-oauth
http://www.inzeed.com/kaleidoscope/covert-redirect/tencent-qq-oauth-2-0
https://computertechhut.wordpress.com/2014/08/28/tencent-qq-bug/
http://computerobsess.blogspot.com/2014/05/tencent-qq-bug.html

 

 

 

 

===========

 

 

 


腾讯 QQ 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
qq.com

 

 

” 腾讯QQ(简称“QQ”)是腾讯公司开发的一款基于Internet的即时通信(IM)软件。腾讯QQ支持在线聊天、视频通话、点对点断点续传文件、共享 文件、网络硬盘、自定义面板、QQ邮箱等多种功能,并可与多种通讯终端相连。2015年,QQ继续为用户创造良好的通讯体验!其标志是一只戴着红色围巾的 小企鹅。目前QQ已经覆盖Microsoft Windows、OS X、Android、iOS、Windows Phone等多种主流平台” (百度百科)

 

 

 

 

 

(2) 漏洞描述:

腾讯 QQ 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

 

 

(2.1) 漏洞细节:

QQ 的 SSO 系统可能遭到攻击。更确切地说, QQ 对 SSO 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 QQ 的 URL跳转 攻击。

 

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/oauth/show?”,参数”&redirect_uri”, e.g.
http://openapi.qzone.qq.com/oauth/show?which=ConfirmPage&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [1]

 

 

 

同意三方 App 前:

当一个已经登录的 QQ 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。

 

 

如果没有登录的 QQ 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 QQ 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 QQ 用户没有登录,攻击依然可以在要求他登录的QQ的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

 

 

(2.1.1) QQ 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,QQ 用户意识不到他会被先从 QQ 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 QQ 直接跳转到有害网页是一样的。

 

 

因为 QQ 的 SSO 客户很多,这样的攻击可以很常见。

 

 

在同意三方 App 之前,QQ 的 SSO 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 QQ 的 URL跳转 验证系统。

 

 

用了一个页面进行了测试, 页面是 “http://whitehatpostlike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

 

QQ 与 cjcp.com.cn 有关的有漏洞的 URL:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share

 

 

POC:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dqq%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A2%25258E%2525E5%2525A4%25258F.html&response_type=code&scope=get_user_info%2Cadd_share [2]

 

 

 

 

(2.2) 攻击的另一个方法.


攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 


然后,攻击者可以得到 URL,
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [3]

 

如果用户点击 URL [3], 发生的事情和 URL [2] 一样.

 

 

 

 

(2.3)下面的 URLs 有同样的漏洞.
http://openapi.qzone.qq.com/oauth/qzoneoauth_authorize?oauth_consumer_key=209717&oauth_token=14921471022138330625&oauth_callback=http://user.nipic.com/api/login/qq/callback.asp

 

https://graph.qq.com/oauth2.0/authorize?client_id=100246654&redirect_uri=http://youxi.baidu.com/tp/QQAuth.jsp&response_type=code

 

 

https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=801132217&response_type=code&redirect_uri=http://passport.tianya.cn/login/txwb.do

 

 

 

POC 视频:
https://www.youtube.com/watch?v=-lxaX9xvUfE

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/tencent-qq-oauth-20-covert-redirect.html

 

 

 

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向也可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

 

 



Google Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

google2

 

 

Google Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)



(1) Domain:
google.com

 

“Google has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 


(2.1) Vulnerability Detail:

Google’s OpenID system is susceptible to Attacks. More specifically, the authentication of parameter “&openid.return_to” in OpenID system is insufficient. It can be misused to design Open Redirect Attacks to Google.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

Google replies “Thanks for the reporting this issue. we’re already tracking[the vulnerability] …”

 

 

The vulnerabilities occurs at page “/accounts/o8/ud?” with parameter “&openid.return_to”, e.g.
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Fdistance.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry [1]

 

 

Before acceptance of third-party application:

 

When a logged-in Google user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&openid.return_to”.

 

If a user has not logged onto Google and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in Google user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

 

(2.1.1) Google would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&openid.return_to” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Google directly. The number of Google’s OpenID client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Google’s OpenID system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Google’s authentication system and attack more easily.

 

It might be of Google’s interest to patch up against such attacks.

 

 

 

 

(2.2) Use one of webpages for the following tests. The webpage is “http://xingzhehong.lofter.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
rhogroupee.com

 

 

Vulnerable URL in this domain:
http://www.rhogroupee.com/join/context/GENERAL/redirect/http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fdistance.html

 

 

Vulnerable URL from Google that is related to rhogroupee.com:
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F10%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com%25252Fabout&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

 

POC:
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Fdistance.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=1.AMlYA9UWc8Nk_QfiFEpKcE9A7qm0ErEkNLgQcbOwTR_aLdEyFS4ybtZQ_V9-4ARxUqsGIpPFtRd9Mw&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

 

 

 

(2.3) The following URL have the same vulnerabilities.
https://accounts.google.com/o/openid2/auth?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=http://www.rhogroupee.com/openIdRp?redirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F10%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com&openid.realm=http://www.rhogroupee.com/openIdRp&openid.aOpenIDc_handle=1.AMlYA9VvMT-wTbwpTyi–6hxkiyJYb7Oou8Wt0nqDPzqfNZBqTsNOXWhVorwkAAIZmnQXwswhZYZYQ&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/extensions/sreg/1.1&openid.ext1.optional=nickname,email,emailVerified,dob,gender,country&openid.ns.sreg=http://openid.net/sreg/1.0&openid.sreg.optional=nickname,email,emailVerified,dob,gender,country&openid.ns.ext3=http://openid.net/srv/ax/1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http://schema.openid.net/namePerson/friendly&openid.ext3.type.Email=http://schema.openid.net/contact/email&openid.ext3.type.Birth+date=http://schema.openid.net/birthDate&openid.ext3.type.Gender=http://schema.openid.net/person/gender&openid.ext3.type.Country=http://schema.openid.net/contact/country/home&openid.ext3.required=Username,Email,Birth+date,Gender,Country

 

 

POC Video:
https://www.youtube.com/watch?v=GyNGBuHNoJ0

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/google-openid-covert-redirect.html





(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.



 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/google-openid-covert-redirect-vulnerability/
https://twitter.com/tetraphibious/status/559169163394940929
https://hackertopic.wordpress.com/2014/08/06/google-service-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/google-openid-covert-redirect-vulnerability/
http://tetraph.blog.163.com/blog/static/23460305120144385547287/
http://securitypost.tumblr.com/post/119439859067/itinfotech-id-oauth
http://securityrelated.blogspot.com/2014/06/google-web-service-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_706b637
https://tetraph.wordpress.com/2014/07/11/google-service-exploit/
http://computerobsess.blogspot.com/2014/06/google-web-service-bug.html