Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

OAuth, OpenID Flaw: 7 Facts

Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts.

it's creating a backdoor attack on the Facebook client as well. That's why we take this so seriously."

4. Beware social engineering angle
Another way open redirectors can be abused is to send users to malicious sites. If that happened, though, Symantec's Narang said the site would have to trick the user into allowing their third-party credentials -- for example, from Facebook or Google -- to be used to log into the site. "So it involves social engineering -- that part needs to be clear," he pointed out.

While it will be up to affected sites and developers to put related fixes in place, users themselves should also beware of such attacks. "Users have to do their part too, and be cautious and skeptical," Narang said. "If you're not requesting to authenticate with ESPN's application, then you definitely shouldn't do it."

5. Developers: know your state
One way to mitigate related vulnerabilities is to restrict the URLs to which the redirector will redirect. "It's always best, if you can, to do exact URI redirect matching," Bradley advised. "The problem is, in the advice you give developers, if you give them an inch, they'll take a mile."

Many web applications that rely on third-party authentication use what's called an implicit flow. That involves giving a browser client an access token after the user gives that client access. Bradley says the approach is perfectly acceptable in some scenarios, such as for JavaScript in the browser.

Otherwise, however, he recommends that developers use the more complex "code flow" approach, which involves additional API calls to further verify the authenticity of the client, and which becomes essential for ensuring security when clients maintain any type of server-side state. It also adds the ability to refresh the token and provide offline access.

Many developers, however, have used implicit flows when they should be using code flows, and many sites have allowed them to do so. (Bradley recently published OAuth guidance for developers about how to employ the right flow techniques.)

In contrast, some organizations, such as telecommunications company Deutsche Telekom, allow only code flow and discard all implicit flow requests. As a result, Bradley said, the open redirector security flaws didn't affect them at all.

6. After coordinated disclosure, some sites fixed
Wang said he notified all businesses that he's listed as having vulnerable implementations of OAuth 2 or OpenID prior to making his public announcement earlier this month. "I found this vulnerability at the beginning of February and I have reported it to related companies," he said.

Google responded that it's aware of the problem and are tracking it at the moment, Wang said. Likewise, his reports were also acknowledged by Facebook, Microsoft -- which said the flaw he identified was due to a third party -- Chinese microblogging site Weibo, and LinkedIn.

Wang said Yahoo failed to respond in any way to his vulnerability warning, while Chinese online shopping site Taobao "closed my report without providing a reason." Finally, Wang said that he didn't notify other affected sites, including Russian sites VK and Mail.Ru, because he couldn't locate contact information for their security teams.

7. Fixing insecure implementations will take time
Some affected sites have already put related fixes in place. On March 13, for example -- evidently after receiving Wang's vulnerability report -- LinkedIn told developers they would have one month to register their OAuth 2 redirect URLs. "If you do not take the steps noted above by April 11, 2014, requests to authorize new members or refresh tokens will fail. We will display an error message and not redirect the member to your application," LinkedIn said.

But not every site appears willing to practice that type of tough love. Some are opting for more phased transitions. "Facebook making any type of change, because they have such a large client/developer base, if they turned on maximum security, all the people who wrote clients [that assume] weak security, they're going to break," Bradley said.

In other words, don't expect related OAuth 2 and OpenID fixes to appear overnight.

Cyber-criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/9/2014 | 11:44:50 PM
It is an issue requiring attention
The simple fact is that implementations for these federation standards can be improved upon. Sure identity provides can claim all they want regarding the 'option' being there to close the open redirects to third party sites, but in the end these are only 'options'. Take a step in the right direction please and close the hole please http://goo.gl/27CTdd  http://goo.gl/eOqXy5 . Public updates on what you are doing about it would be a welcome step.
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-23
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.
PUBLISHED: 2019-07-23
VCFTools vcfools prior to version 0.1.15 is affected by: Heap Use-After-Free. The impact is: Denial of Service or possibly unspecified impact (eg. code execution or information disclosure). The component is: The header::add_FILTER_descriptor method in header.cpp. The attack vector is: The victim mus...
PUBLISHED: 2019-07-23
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regre...
PUBLISHED: 2019-07-23
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
PUBLISHED: 2019-07-23
MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/...