Application Security
5/8/2014
01:33 PM
50%
50%

OAuth, OpenID Flaw: 7 Facts

Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

The recently disclosed security flaws in some implementations of the widely used OAuth and OpenID website authentication mechanisms are serious. But they're not nearly as bad as the recently discovered Heartbleed vulnerability in OpenSSL, and they pose much less of an immediate and direct threat to people's personal information.

That's the message from numerous security researchers who have been investigating the details of security flaws in OAuth 2.0 and OpenID. Mathematics Ph.D. student Wang Jing issued a covert redirect vulnerability warning earlier this month.

"The vulnerability could lead to open redirect attacks to both clients and providers of OAuth 2.0 or OpenID," Wang said. "Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc."

[Deceptive downloads and ransomware is increasing at an alarming rate. Read Microsoft: Deception Dominates Windows Attacks.]

After Wang published his warning, some media outlets began conflating the severity of the federated identity implementation flaws he highlighted to Heartbleed. But many information security experts disagree. "This is not as big a deal as Heartbleed. It's totally different -- comparing apples to oranges," says Satnam Narang, security response manager at Symantec.

Without a doubt, however, multiple open-redirect-related problems do need to be fixed. Here are seven related facts:

1. At risk: open redirects
To be clear, the flaw highlighted by Wang -- which isn't new -- doesn't exist in OAuth 2 or OpenID, but rather in how some businesses have implemented those and other standards. The primary problem pertains to the use of open redirects, which redirect HTTP requests. "There have been open redirectors for as long as there's been HTML," said John Bradley, senior technical architect with Ping Identity, "so it's not a new problem." Bradley has contributed to SAML, OpenID Connect, Information Card (IMI), and XRI, among other identity standards and is also helping develop the next version of OpenID.

Furthermore, related protections are already available. "All those protocols have known about this problem since their inception, and have various mitigations," he explained by phone.

2. Developers, sites, don't follow security recommendations
Many sites and developers don't follow the security mitigations recommended by the standards. Facebook, for example, allows developers to use whitelisting to restrict the range of sites to which incoming open-redirect requests can be redirected, which would block related exploits. But Facebook made it an optional feature. "They did that, as near as I can tell, because developers are lazy," Bradley said.

Likewise, to make it easier to authenticate users, some developers append access tokens to their HTTP requests before they get sent to open redirects. This, however, makes it easy for an attacker to employ JavaScript to strip the tokens out and log on to the site as the user.

3. ESPN abuse highlights attack seriousness
Wang demonstrated that precise flaw in a YouTube clip, showing how an open redirector located on the ESPN website -- which allowed users to authenticate using Facebook Connect -- could be abused. Notably, the open redirector redirected to any site specified in a URL parameter, and also passed the query string parameters to the receiving site.

"Probably the biggest security problem in what happened to ESPN was that someone who got the access tokens and replayed them at ESPN could have gotten into those accounts at ESPN," Bradley said. But because the redirector was also passing the query string, an attacker could strip it out and reuse the token. "The same token can be replayed at ESPN or the Facebook client, which lets the user get into the site as that user," he explained. "So it's not just leaking people's information,

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
am.sinha
50%
50%
am.sinha,
User Rank: Apprentice
5/9/2014 | 11:44:50 PM
It is an issue requiring attention
The simple fact is that implementations for these federation standards can be improved upon. Sure identity provides can claim all they want regarding the 'option' being there to close the open redirects to third party sites, but in the end these are only 'options'. Take a step in the right direction please and close the hole please http://goo.gl/27CTdd  http://goo.gl/eOqXy5 . Public updates on what you are doing about it would be a welcome step.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.