Yahoo and Yahoo Japan May be Vulnerable to Spams

vulnerability_scan_436x270

Yahoo and Yahoo Japan May be Vulnerable to Spams

Student security researcher Jing Wang from School of Physical and Mathematical Science at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo.

After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed”. It seems that Yahoo do not take the vulnerabilities seriously at all.

Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior”. However, these vulnerabilities were patched later.”

The vulnerability of Yahoo occurs at “ard.yahoo.com” page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp”.

Proof of concept on YouTube were also released to illustrate exploits. 

(1)Yahoo Open Redirect

(2)Yahoo Japan Open Redirect

In fact, Yahoo’s users were attacked based on redirection this year. Base on CNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ” 

Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.

Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.

On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.” 

Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

3d illustration of laptop computer with binary code stream

 

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

 

Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.

 

Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “It is working as designed”. However, these vulnerabilities were patched later.

 

Several other security researcher complained about getting similar treatment, too.
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119

 

All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?

yahoo_wont_fix_meitu_1

 


From report of CNET, Yahoo’s users were attacked by redirection vulnerabilities. “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ”
http://www.cnet.com/news/yahoo-users-exposed-to-malware-attack/

 

Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

(1) Yahoo.com Open Redirect

 

Domain:
yahoo.com

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts more than half a billion consumers every month in more than 30 languages. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company.” (Wikipedia)

 

Vulnerable URLs:

 

 

(2) Yahoo.co.jp Open Redirect

 

Domain:
yahoo.co.jp

 

“Yahoo! JAPAN Corporation (ヤフージャパン株式会社 Yafū Japan Kabushiki-gaisha?) is a Japanese internet company formed as a joint venture between the American internet company Yahoo! and the Japanese internet company SoftBank. It is headquartered at Midtown Tower in the Tokyo Midtown complex in Akasaka, Minato, Tokyo. Yahoo! Japan was listed on JASDAQ in November 1997. In January 2000, it became the first stock in Japanese history to trade for more than ¥100 million per share. The company was listed on the Tokyo Stock Exchange in October 2003 and became part of the Nikkei 225 stock market index in 2005. Yahoo! Japan acquired the naming rights for the Fukuoka Dome in 2005, renaming the dome as the “Fukuoka Yahoo! Japan Dome”. The “Yahoo Dome” is the home field for the Fukuoka SoftBank Hawks, a professional baseball team majority owned by SoftBank.” (Wikipedia)

Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

 

 

More Articles:
http://seclists.org/fulldisclosure/2014/Dec/88
http://marc.info/?l=full-disclosure&m=141897158416178&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01467.html
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html
https://hackertopic.wordpress.com/2015/01/15/yahoo-yahoo-japan-vulnerable-to-spams/
https://plus.google.com/110001022997295385049/posts/4GTENtJY9XE
https://twitter.com/justqdjing/status/546910373169741825
https://www.facebook.com/pcwebsecurities/posts/701648936647693
http://homehut.lofter.com/post/1d226c81_6e6884f
https://tetraph.wordpress.com/2014/12/28/yahoo-open-redirect/
http://itinfotech.tumblr.com/post/118511508076/securitypost-yahooyahoo-japan-may-be
https://computerpitch.wordpress.com/2015/01/27/yahoo-vulnerable-to-spams/
http://testingcode.lofter.com/post/1cd26eb9_73096b9
http://lifegrey.tumblr.com/post/120767572004/yahoo-url-redirection-bug
http://blog.163.com/greensun_2006/blog/static/1112211220155565419870/
http://aibiyi.blogspot.com/2015/06/yahoo-open-redirect.html
https://www.facebook.com/tetraph/posts/1659455054274454
http://www.inzeed.com/kaleidoscope/computer-web-security/yahoo-to-spams/
http://www.tetraph.com/blog/spamming/yahoo-url-redirection/

 

 

 

 

 

Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Yahoo Deal To Buy Tumblr

 

Yahoo Online Service OpenID Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
yahoo.com

 

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts “more than half a billion consumers every month in more than 30 languages.” Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Yahoo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 


(2.1) Vulnerability Detail:

Yahoo’s OpenID system is susceptible to Attacks. More specifically, the authentication of parameter “&openid.return_to” in OpenID system is insufficient. It can be misused to design Open Redirect Attacks to Yahoo.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerability was reported to Yahoo. Yahoo do not reply the report for months.

 

 

The vulnerabilities occurs at page “/openid/op/auth?” with parameter “&openid.return_to”, e.g.
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry [1]

 

 

Before acceptance of third-party application:

 

When a logged-in Yahoo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&openid.return_to”.

 

If a user has not logged onto Yahoo and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in Yahoo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Yahoo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&openid.return_to” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Yahoo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Yahoo directly. The number of Yahoo’s OpenID client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Yahoo’s OpenID system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Yahoo’s authentication system and attack more easily.

 

It might be of Yahoo’s interest to patch up against such attacks.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://qianqiuxue.tumblr.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
rhogroupee.com

 

 

Vulnerable URL in this domain:
http://www.rhogroupee.com/join/context/GENERAL/redirect/http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ftree.html

 

Vulnerable URL from Yahoo that is related to rhogroupee.com:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fuser-social-network-login%252FauthProvider%252F11%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.rhogroupee.com&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

POC:
https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp%3Fredirect%3Dhttp%253A%252F%252Fwww.rhogroupee.com%252Fjoin%252Fcontext%252FGENERAL%252Fredirect%252Fhttp%25253A%25252F%25252Fwww.tetraph.com%25252Fessayjeans%25252Fpoems%25252Ftree.html&openid.realm=http%3A%2F%2Fwww.rhogroupee.com%2FopenIdRp&openid.aOpenIDc_handle=J3IvS0xNnpIPn34CEn0hiEWBXYqhaV941hmD.Yx2_vv8JZk2gWSEWoOjpjKYvkNSvP3mUGcz1J1UoIIvaNWTjwMhrKyizwARZNZwooVUVGEvA9sau2DcXoMbLRuhkJ_HOS.O_w–&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ext1.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=nickname%2Cemail%2CemailVerified%2Cdob%2Cgender%2Ccountry&openid.ns.ext3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext3.mode=fetch_request&openid.ext3.type.Username=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&openid.ext3.type.Email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext3.type.Birth+date=http%3A%2F%2Fschema.openid.net%2FbirthDate&openid.ext3.type.Gender=http%3A%2F%2Fschema.openid.net%2Fperson%2Fgender&openid.ext3.type.Country=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.ext3.required=Username%2CEmail%2CBirth+date%2CGender%2CCountry

 

 

 

(2.3) The following URLs have the same vulnerabilities.

https://open.login.yahooapis.jp/openid/op/auth?openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.aOpenIDc_handle=NzyCQVND6Ye3gpqIwY2OfibN1TEgEdBdWuFF5f7u0i7vypb6Wc24wHAU9yq38HAVL0ZLMpiYwFsXLRYkDwkrXarvXvAdUgQJG.spVXE0E3pKSlcC.fGzVxuv4Rlz97CrHA–&openid.ui.lang=&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ui.mode=popup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.realm=http%3A%2F%2Fblogos.com%2F&openid.return_to=http%3A%2F%2Fblogos.com%2Fauth%2Fopenid%2Fyahoo_jp%2Fauthorized%2F

https://login.yahoo.com/config/login?.intl=us&.src=openid&.partner=&.pd=c%3DmZmAFpe.2e7WuWzcHD2ZPYQ-%26ockey%3Dwww.rhogroupee.com%2Fsite%26op%3D1&occrumb=whzgUu25n/7&.done=https%3A%2F%2Fopen.login.yahoo.com%2Fopenid%2Fop%2Fstart%3Fz%3DxInDXI3UxbcCGVeYz0i4ughRSKZSWISpvv91_Uz_XJAiweKdA17AACUzm8IeiLbOCmUn1FcbHfhAcL5Kt66Aa9WnFGbYStqsZkoniGY5xN_EblGXfoCIwAqNMnw1ee_ycMa0xhBAHzQ22FwkhSFPRWP34tKQ_2aagPZ7pgHQyBrNb0xg8pyYTJMtsab5RY1dGP.u4EV7Ayq6Sno.XKNpJaFNyIgttiRS0rdNS7pE1U5kCxFUAPuSjC8QLmP1lTJy5Tsjk2tLkQCKftBzt7G7n0bJaLjDcOv4uEe1X1vkcOgp4lxufA0Qvt9aJnGDhcDj4MEVIfuPeuN.fhfeBgsktxsuof64h0.xrmz1Aw8qTQ57gJibGRJ291Vv_2RF79uaWXDay.DN.5A8Q9_agN6iWDRIKjb8sLKYYR42N2Fk1Nq8hbrP92rsEM0mYHlKIsDXdNlrrK8tM_Jy1E64PDIz8rllNXqlCQ.idF4p4Yi3TzIeeTdYm7gbBleqIsbcEuigfg6n_i6iGmpY%26.scrumb%3D0

 

 

POC Video:
https://www.youtube.com/watch?v=1FZ6yfsp09U

 


Blog Detail:
http://tetraph.blogspot.com/2014/05/yahoos-openid-covert-redirect.html




(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.



 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/








Related Articles:
http://tetraph.com/security/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://twitter.com/tetraphibious/status/559167044256407555
http://securityrelated.blogspot.com/2014/06/yahoo-website-bug.html
http://tetraph.blog.163.com/blog/static/234603051201444023436/
http://webtech.lofter.com/post/1cd3e0d3_706aef5
http://whitehatview.tumblr.com/post/119490381041/securitypost#notes
https://inzeed.wordpress.com/2014/05/26/yahoo-openid-hack/
http://computerobsess.blogspot.com/2014/06/yahoo-website-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/yahoos-openid-covert-redirect-vulnerablity/
https://webtechwire.wordpress.com/2014/05/26/yahoo-openid-hack/

 

Facebook, Google Users Threatened by New Security Flaw, Covert Redirect

images18

 

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect” by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

 

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

 

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

 

Wang believes it’s unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

 

“The vulnerability is usually due to the existing weakness in the third-party websites,” Wang writes on his own blog. “However, they have little incentive to fix the problem.”

 

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

 

Normal phishing attempts can be easy to spot, because the malicious page’s URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

 

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

 

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

 

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

 

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

 

Wang told CNET Facebook had told him it “understood the risks associated with OAuth 2.0” but that fixing the flaw would be “something that can’t be accomplished in the short term.” Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

 

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there’s no company or dedicated team that could devote itself to fixing the issue.

 

 

Where does that leave things?

“Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service,” Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

 

“It’s not easy to fix, and any effective remedies would negatively impact the user experience,” Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. “Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

 

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

 

If you think someone has gained access to one of your online accounts, notify the service and change that account’s password immediately.

 

 

 

 

 

Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

https://itswift.wordpress.com/2014/05/06/microsoft-google-facebook-attacked/

http://tetraph.blog.163.com/blog/static/2346030512015420103814617/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/