'Covert Redirect' vulnerability impacts OAuth 2.0, OpenID
A flaw in OAuth 2.0 and OpenID could result in theft of account credentials, or more.
A vulnerability discovered in OAuth 2.0 and OpenID – dubbed “Covert Redirect,” a play on Open Redirect – could enable attackers to, at the very least, steal credentials from users of some of the most visited websites, including Facebook and Google.
The Covert Redirect vulnerability, discovered and blogged on by Wang Jing, a PhD student in mathematics from Nanyang Technological University, comes right on the heels of the disclosure of the now infamous Heartbleed bug.
The general consensus, so far, is that Covert Redirect is not as bad, but still a threat. Understanding what makes it dangerous requires a basic understanding of Open Redirect, and how it can be exploited.
“If you have any website that shows in its URL the address a user is going to be redirected to, it opens the door for an attacker to place their own URL there and mislead the user into thinking they are at a trusted site,” Ori Eisen, chairman and chief innovation officer with 41st Parameter, told SCMagazine.com on Friday.
Covert Redirect plays off the Open Redirect concept, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, told SCMagazine.com on Friday, before breaking down the threat in simplified terms.
“A user clicks a link, which takes them to a website of a third-party [that is] vulnerable to Open Redirect, which uses OAuth or OpenID to log users in,” Gillula said. “The user's attempt to log in brings them to [Facebook, for example,] where their OpenID account or OAuth credentials are actually stored.”
After the user logs into the legitimate Facebook page, they are redirected back to the third-party website, Gillula said, adding that, as part of the redirect, Facebook would send along a “token,” which is essentially a secret number that the third-party will send to Facebook when accessing the account for regular operations, such as posting a message to the user's wall.
“When the user comes back to the third-party website, they hit the Open Redirect vulnerability, and then they get tossed, along with their token, to the malicious website, which grabs the token and does all sorts of malicious stuff with it in their account,” Gillula said.
Both Gillula and Eisen said that, in most cases, attackers using Covert Redirect are only likely to steal credentials; however, that account access is all an attacker needs to create some havoc, particularly when these are big name accounts, such as Facebook, Google, Microsoft and LinkedIn.
Although Wang, in the blog post, said that Covert Redirect would not be possible if third-party applications adhere to a whitelist, Wang explained that it is not practical for groups to do this, and added that it is also tough to determine who is responsible for fixing the vulnerability.
One fix suggested by Gillula involved using a small script to actually try and visit the URL to which users are being redirected.
“If that URL then attempts to immediately redirect the script again, then the script could prevent the first redirect in the first place,” Gillula said. “While this has the added benefit of guaranteeing no Covert Redirects, it would probably slow down the user's experience a tiny bit – and additional measures would probably be necessary to make sure attackers can't use this script to perform a denial-of-service attack.”
In a statement emailed to SCMagazine.com on Friday, a Microsoft spokesperson said that the company is looking into vulnerabilities in OpenID and will take necessary actions to protect customers. To avoid this problem on Facebook, a spokesperson referred SCMagazine.com to documentation that advises developers to specify a whitelist of OAuth redirect URLs.