Application Security
5/8/2014
01:33 PM
Connect Directly
RSS
E-Mail
50%
50%

OAuth, OpenID Flaw: 7 Facts

Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

The recently disclosed security flaws in some implementations of the widely used OAuth and OpenID website authentication mechanisms are serious. But they're not nearly as bad as the recently discovered Heartbleed vulnerability in OpenSSL, and they pose much less of an immediate and direct threat to people's personal information.

That's the message from numerous security researchers who have been investigating the details of security flaws in OAuth 2.0 and OpenID. Mathematics Ph.D. student Wang Jing issued a covert redirect vulnerability warning earlier this month.

"The vulnerability could lead to open redirect attacks to both clients and providers of OAuth 2.0 or OpenID," Wang said. "Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc."

[Deceptive downloads and ransomware is increasing at an alarming rate. Read Microsoft: Deception Dominates Windows Attacks.]

After Wang published his warning, some media outlets began conflating the severity of the federated identity implementation flaws he highlighted to Heartbleed. But many information security experts disagree. "This is not as big a deal as Heartbleed. It's totally different -- comparing apples to oranges," says Satnam Narang, security response manager at Symantec.

Without a doubt, however, multiple open-redirect-related problems do need to be fixed. Here are seven related facts:

1. At risk: open redirects
To be clear, the flaw highlighted by Wang -- which isn't new -- doesn't exist in OAuth 2 or OpenID, but rather in how some businesses have implemented those and other standards. The primary problem pertains to the use of open redirects, which redirect HTTP requests. "There have been open redirectors for as long as there's been HTML," said John Bradley, senior technical architect with Ping Identity, "so it's not a new problem." Bradley has contributed to SAML, OpenID Connect, Information Card (IMI), and XRI, among other identity standards and is also helping develop the next version of OpenID.

Furthermore, related protections are already available. "All those protocols have known about this problem since their inception, and have various mitigations," he explained by phone.

2. Developers, sites, don't follow security recommendations
Many sites and developers don't follow the security mitigations recommended by the standards. Facebook, for example, allows developers to use whitelisting to restrict the range of sites to which incoming open-redirect requests can be redirected, which would block related exploits. But Facebook made it an optional feature. "They did that, as near as I can tell, because developers are lazy," Bradley said.

Likewise, to make it easier to authenticate users, some developers append access tokens to their HTTP requests before they get sent to open redirects. This, however, makes it easy for an attacker to employ JavaScript to strip the tokens out and log on to the site as the user.

3. ESPN abuse highlights attack seriousness
Wang demonstrated that precise flaw in a YouTube clip, showing how an open redirector located on the ESPN website -- which allowed users to authenticate using Facebook Connect -- could be abused. Notably, the open redirector redirected to any site specified in a URL parameter, and also passed the query string parameters to the receiving site.

"Probably the biggest security problem in what happened to ESPN was that someone who got the access tokens and replayed them at ESPN could have gotten into those accounts at ESPN," Bradley said. But because the redirector was also passing the query string, an attacker could strip it out and reuse the token. "The same token can be replayed at ESPN or the Facebook client, which lets the user get into the site as that user," he explained. "So it's not just leaking people's information,

Next Page

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
am.sinha
50%
50%
am.sinha,
User Rank: Apprentice
5/9/2014 | 11:44:50 PM
It is an issue requiring attention
The simple fact is that implementations for these federation standards can be improved upon. Sure identity provides can claim all they want regarding the 'option' being there to close the open redirects to third party sites, but in the end these are only 'options'. Take a step in the right direction please and close the hole please http://goo.gl/27CTdd  http://goo.gl/eOqXy5 . Public updates on what you are doing about it would be a welcome step.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.