theDocumentId => 1235062 Security Flaw Found In OAuth 2.0 And OpenID; ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

Security Flaw Found In OAuth 2.0 And OpenID; Third-Party Authentication At Risk

Authentication methods used by Facebook, Google, and many other popular websites could be redirected by attackers, researcher says.

A security researcher has uncovered serious security vulnerabilities in the technologies used by many websites to authenticate users via third-party websites.

blog posted late last week revealed the details of security flaws in OAuth 2.0 and OpenID, two technologies that are widely used by the Web's most popular sites to more quickly and easily verify the identity of a user. The vulnerability was discovered by Wang Jing, a PhD student in mathematics at Nanyang Technological University.

If you have ever allowed an application or website to verify your identity using your Facebook, Twitter, or Google account, then you have likely used OAuth or OpenID. OAuth is an open standard for authorization that gives client applications secure, delegated access to server resources on behalf of a resource owner.

OpenID an open standard that allows users to be authenticated by certain cooperating sites using a third party service, eliminating the need for webmasters to provide their own authentication systems and allowing users to consolidate their digital identities.

The vulnerability could allow an attacker to redirect the "token" used by OAuth 2.0 to access user information on a third-party site, making it possible to steal information such as the email address, age, or location of a user, the blog says. In OpenID, the vulnerability could enable attackers to collect user's information directly.

"Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved," the blog states.

The flaw is described as a "Covert Redirect" vulnerability, in which an application takes a parameter and redirects a user to the parameter value without sufficient validation. This differs from an Open Redirect, in which an application takes a parameter and redirects a user to the parameter value without any validation at all.

If a website is exposed to Open Redirect attack, it is often because the site's operators failed to equip their own site with proper validation, the blog explains. But a Covert Redirect is trickier, because it is essentially a flaw in the handoff of validation between one site and another.

"The Covert Redirect vulnerability related to OAuth 2.0 and OpenID is, in the author’s view, a result of the provider’s overconfidence in its clients/partners," the blog says. "The provider relies on the clients to provide a list of 'trustworthy' domains and assumes all would be safe. However, without sufficient verification of the redirected URLs, no safety could be guaranteed."

It isn't always clear who's responsible for the vulnerability: the website requesting the authentication or the third-party provider that gives the validation, the blog observes.

"The vulnerability is usually due to the existing weakness in the third-party websites," the blog says. "However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. The other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem. However, to the provider, the problem does not originate from its own website. Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is a daunting task."

And because it isn't clear who's responsible for the vulnerability, it may be a difficult problem to fix, the blog notes.

"The patch of this vulnerability is easier said than done," the blog says. "If all third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable." Providers need to develop a more thorough verification procedure, the blog suggests.  

Casey Ellis, CEO and founder of Bugcrowd, notes that the new vulnerability is far from the first to be reported in the OAuth/OpenID space. One such bug was reported over a year ago, but OAuth implementations were generally not tested to look for it, he notes.

"The unchecked/open redirect problem is actually a known issue that's been around since the inception of OAuth, but now that it's getting attention, this is an immediate and pressing vulnerability that any malicious actor could easily be aware of," Ellis said in an email. "There's been some noise made about how difficult it will be to fix these problems on some big-name websites, but it's not unfixable in all cases — their customers are already in the process of patching."

 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
5/5/2014 | 2:11:57 PM
Re: Vulnerability was already well documented.
Let me add my point of view from my blog post

 

http://securityaffairs.co/wordpress/24585/intelligence/covert-redirect-oauth-openid.html

 

We cannot compare the severity of Covert Redirect vulnerability to theHeartbleed flaw, but it could be a serious error to underestimate it. Wang sustains that one of the main problem approaching the Covert Redirect flaw is to pretend that third-party sites will fix the problem.

To be honest, this isn't the first time the flaw has been debated, Covert Redirect has surely a minor impact than Heartbleed, which could expose the most critical information.

Last year, Egor Homakov reported similar issues and the IETF outline on OAuth 2.0 warns about the risk associated with open redirects in the redirect_uri.  Also LinkedIn company raised an alert regarding registering URIs earlier this year.

I believe that we are not facing with a vulnerability in the principal web services provided by companies like Google and Facebook problem, the problem is not in the OAuth 2.0 framework, but it is the lack of token whitelisting in its implementation made by third parties.

Regards

Pierluigi
S3Jensen
50%
50%
S3Jensen,
User Rank: Apprentice
5/5/2014 | 1:43:56 PM
Vulnerability was already well documented.
I'm still not sure why this issue is making headlines? This was a known issue in the OAuth 2.0 documentation. Section 4.2.4 discusses it.

http://tools.ietf.org/html/rfc6819#section-4.2.4
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.