Application Security
5/8/2014
01:33 PM
Connect Directly
RSS
E-Mail
50%
50%

OAuth, OpenID Flaw: 7 Facts

Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

The recently disclosed security flaws in some implementations of the widely used OAuth and OpenID website authentication mechanisms are serious. But they're not nearly as bad as the recently discovered Heartbleed vulnerability in OpenSSL, and they pose much less of an immediate and direct threat to people's personal information.

That's the message from numerous security researchers who have been investigating the details of security flaws in OAuth 2.0 and OpenID. Mathematics Ph.D. student Wang Jing issued a covert redirect vulnerability warning earlier this month.

"The vulnerability could lead to open redirect attacks to both clients and providers of OAuth 2.0 or OpenID," Wang said. "Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc."

[Deceptive downloads and ransomware is increasing at an alarming rate. Read Microsoft: Deception Dominates Windows Attacks.]

After Wang published his warning, some media outlets began conflating the severity of the federated identity implementation flaws he highlighted to Heartbleed. But many information security experts disagree. "This is not as big a deal as Heartbleed. It's totally different -- comparing apples to oranges," says Satnam Narang, security response manager at Symantec.

Without a doubt, however, multiple open-redirect-related problems do need to be fixed. Here are seven related facts:

1. At risk: open redirects
To be clear, the flaw highlighted by Wang -- which isn't new -- doesn't exist in OAuth 2 or OpenID, but rather in how some businesses have implemented those and other standards. The primary problem pertains to the use of open redirects, which redirect HTTP requests. "There have been open redirectors for as long as there's been HTML," said John Bradley, senior technical architect with Ping Identity, "so it's not a new problem." Bradley has contributed to SAML, OpenID Connect, Information Card (IMI), and XRI, among other identity standards and is also helping develop the next version of OpenID.

Furthermore, related protections are already available. "All those protocols have known about this problem since their inception, and have various mitigations," he explained by phone.

2. Developers, sites, don't follow security recommendations
Many sites and developers don't follow the security mitigations recommended by the standards. Facebook, for example, allows developers to use whitelisting to restrict the range of sites to which incoming open-redirect requests can be redirected, which would block related exploits. But Facebook made it an optional feature. "They did that, as near as I can tell, because developers are lazy," Bradley said.

Likewise, to make it easier to authenticate users, some developers append access tokens to their HTTP requests before they get sent to open redirects. This, however, makes it easy for an attacker to employ JavaScript to strip the tokens out and log on to the site as the user.

3. ESPN abuse highlights attack seriousness
Wang demonstrated that precise flaw in a YouTube clip, showing how an open redirector located on the ESPN website -- which allowed users to authenticate using Facebook Connect -- could be abused. Notably, the open redirector redirected to any site specified in a URL parameter, and also passed the query string parameters to the receiving site.

"Probably the biggest security problem in what happened to ESPN was that someone who got the access tokens and replayed them at ESPN could have gotten into those accounts at ESPN," Bradley said. But because the redirector was also passing the query string, an attacker could strip it out and reuse the token. "The same token can be replayed at ESPN or the Facebook client, which lets the user get into the site as that user," he explained. "So it's not just leaking people's information,

Next Page

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
am.sinha
50%
50%
am.sinha,
User Rank: Apprentice
5/9/2014 | 11:44:50 PM
It is an issue requiring attention
The simple fact is that implementations for these federation standards can be improved upon. Sure identity provides can claim all they want regarding the 'option' being there to close the open redirects to third party sites, but in the end these are only 'options'. Take a step in the right direction please and close the hole please http://goo.gl/27CTdd  http://goo.gl/eOqXy5 . Public updates on what you are doing about it would be a welcome step.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

CVE-2014-3543
Published: 2014-07-29
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity referenc...

CVE-2014-3544
Published: 2014-07-29
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVE-2014-3545
Published: 2014-07-29
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.