Covert Redirect security vulnerability found in OAuth and OpenID

Pierluigi Paganini May 03, 2014

Covert Redirect vulnerability is the security flaw in the open standards for authorization OAuth and OpenID that is menacing IT industry.

Another security flaw in the open standards for authorization OAuth and OpenID is scaring IT industry. Just a few weeks after the disclosure of the Heartbleed vulnerability, another major flaw was discovered in the open security standard practically everywhere, principal web services including Microsoft, Google, Facebook and LinkedIn implements the popular standard to all user authentication to their platforms.

“Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service,”  said Wsyopal.

The discovery was made by Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, the expert has noticed that the critical “Covert Redirect” vulnerability can masquerade as a login popup based on an affected site’s domain.

“The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.” reports the student in the post.

The exploitation of the Covert Redirect flaw allows an attacker to implement an insidious technique to deceive users and steal their credentials. If the victim clicks on a malicious phishing link he will get a popup window on Facebook, asking him to authorize the app. Instead of using a fake domain name that’s similar to the one requested by the user, the Covert Redirect flaw uses the real site address for authentication.

If the victim authorizes the login, personal data used by the specific website are redirected to the attacker instead of to the legitimate web service. Sensitive information, depending on the range of data requested by the web service, including email addresses, birth dates and  contact lists are provided to the attacker.

Even if the victim doesn’t authorize the app, he will redirected to a website controlled by the attacker  which could be anyway used to serve a malware.

Wang has already reported the Covert Redirect vulnerability to Facebook, but the answer let us perplexed:

 “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.” replied Facebook.

Wang also informed Google, LinkedIn and Microsoft, who provided various responses to mitigate the flaw, they basically know of the existence of the Covert Redirect flaw and will soon release detailed information on it.

“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” “However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”said Wang.

To mitigate the Covert Redirect vulnerability it is suggested to the Users to carefully evaluate the possibility to authorize log in procedure to Facebook or Google simply clicking the links. The immediate closure of the tab should prevent any redirection attacks.

We cannot compare the severity of Covert Redirect vulnerability to the Heartbleed flaw, but it could be a serious error to underestimate it. Wang sustains that one of the main problem approaching the Covert Redirect flaw is to pretend that third-party sites will fix the problem.

To be honest, this isn’t the first time the flaw has been debated, Covert Redirect has surely a minor impact than Heartbleed, which could expose the most critical information.

Last year, Egor Homakov reported similar issues and the IETF outline on OAuth 2.0 warns about the risk associated with open redirects in the redirect_uri.  Also LinkedIn company raised an alert regarding registering URIs earlier this year.

I believe that we are not facing with a vulnerability in the principal web services provided by companies like Google and Facebook problem, the problem is not in the OAuth 2.0 framework, but it is the lack of token whitelisting in its implementation made by third parties.

Be careful!

Pierluigi Paganini

(Security Affairs –  Covert Redirect vulnerability, OAuth and OpenID)

you might also like

leave a comment