Posted by MinO | 0 comments

[Security] Serious security hole found in OAuth 2.0 and OpenID

Shortly after the discovery of the Heartbleed bug in OpenSSL, Wang Jing, a PhD student at Nanyang Technological University in Singapore, found a hole in OAuth 2.0 and OpenID, the open-source tools used for login by sites such as Google, Facebook and LinkedIn, which can put user data at risk.

The new hole is called the Covert Redirect flaw, and it leaves attackers the opportunity to steal login credentials using a visually familiar login prompt.

If a user chooses to authorize the login, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

In simple terms, the user can fall victim to phishing through a genuine sign-in tab, and the major problem is that fixing it is neither simple nor easy, since every intermediary site and application would have to use whitelists.
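As an added example (not code from the article or from any of the providers it names), this Python snippet shows the whitelist check the text refers to: the identity provider compares the redirect_uri in an authorization request against the redirect URLs the client registered. A host-only comparison accepts any other endpoint on the registered host, which is exactly what gives a covert redirect somewhere to land; an exact string match, as the OAuth 2.0 specification recommends, does not. All hostnames and URIs below are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URLs a client registered with the
# provider (hypothetical names, not taken from the article).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def host_only_check(redirect_uri: str) -> bool:
    """Weak check: accept any https URI whose host is a registered host.

    Loose matching like this is what leaves room for a covert redirect:
    any open redirector on the registered host passes the check, so the
    authorization code or token can be sent to a path the client never
    registered.
    """
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in registered_hosts


def exact_match_check(redirect_uri: str) -> bool:
    """Strict check: redirect_uri must be byte-for-byte a registered value.

    No prefix, wildcard, or host-only matching, and no path or query
    variations; this is the whitelist the article says all third-party
    applications would need to adopt.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


# Constructed redirect_uri values as they might appear in authorization
# requests, from the legitimate callback to variants on the same host.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/redirect?next=https://other.example/",
    "https://app.example.com/oauth/callback/../redirect",
    "http://app.example.com/oauth/callback",
]


def evaluate(uris=SAMPLE_REDIRECT_URIS):
    """Return (uri, host_only_result, exact_match_result) for each sample."""
    return [(u, host_only_check(u), exact_match_check(u)) for u in uris]


if __name__ == "__main__":
    for uri, weak, strict in evaluate():
        print(f"{uri}\n  host-only: {weak}  exact-match: {strict}")
```

Only the first sample passes the exact-match check; the host-only check also waves through the two same-host variants, which is the gap the whitelist closes.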

Wang says he has already contacted Facebook and has reported the flaw, but was told that the company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."

Facebook isn't the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.

Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company has published a blog on the matter. Microsoft, on the other hand, said an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.

"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks," said Wang.

"However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable," he added.

LinkedIn engineer Shikha Sehgal wrote a blog post about the creation of a whitelist for the site more than a month before Wang published his findings.

"In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014," she said.

Sehgal did not explicitly say that the measure was in response to a flaw in OAuth 2, but the social network did confirm to CNET that the vulnerability that Wang detailed is the same one that inspired the blog post.

PayPal has also addressed the flaw.

"When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability," James Barrese, PayPal's CTO, said in a blog post on Friday. PayPal declined to add details about those measures.