Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook.

Articles:
cnet – Serious security flaw in OAuth, OpenID discovered
lifehacker – Security Flaw Found in OAuth and OpenID, Here’s What It Means for You
(german) zdnet – Schwere Sicherheitslücke in OAuth und OpenID entdeckt

Huge info-page by Wang Jing, the guy who has discovered the bug:
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google):
https://www.youtube.com/user/tetraph

Info video:

https://www.youtube.com/watch?v=HUE8VbbwUms

Reproduceable examples (taken from the above YouTube channel)

https://www.youtube.com/watch?v=iif6eq2cvso

https://www.youtube.com/watch?v=Y2-2Scp0pbs

https://www.youtube.com/watch?v=GyNGBuHNoJ0

This article was written quite a while ago (4 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

2 Comments

slbmeh

May 9, 2014 6:43 am

I wouldn’t quite consider it a security issue or a bug. The standards OAuth puts in place performs a request based on a signature prepared by the application generating the URL. Any access being granted is to the application initially signing the request.

It is indeed a phishing risk, and potentially a design flaw in the spec of the oauth standard. But it’s a simple fix. Add the redirect url to the hmac signature and if the request uri doesn’t match the redirect parameter then bail with a message notifying the user that the signature could not be verified.

Reply
- Chris
  
  May 9, 2014 11:47 am
  
  Thanks, good info in here! Btw I’ve written this before reading into the topic. Most good sources also say it’s not a bug, it’s simply bad implementation of the according companies / developers.
  
  Reply

How Snapchat wants to earn money (by establishing vertical videos)

Is there a JSFiddle for PHP ? Yes !

Create a fast, perfect and bootable 1:1 Windows backup (full clone of HDD) for SSD migration

PHP 5.6.0 RC1 is available

A preinstalled Vagrant box with PHP HipHop / HHVM and Ubuntu 12.04 (Precise Pangolin)

Nice gifts for devs: Nerdy playing-cards decks

8 awesome pure CSS spinner / loader

PHPStorm 8 (early access version) released – for free

Increase your PageSpeed score (10min video with Matt Gaunt)

HipHop VM reaches 100% green Unit Tests in Laravel, Drupal, Slim, CodeIgniter etc.

Rare Steve Jobs AND Bill Gates video interview from 2007’s D5 conference (90min)

PHPStorm 8 has just been released

[Link] Retinafy your Site / Device by Nijiko Yonskai

How to install/setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1/7.2 (and how to fix the GPG key error)

PHP 5.6 announced, statically typed (!) “new” PHP announced by Facebook devs

Interesting stats on SONY’s hacked passwords

Adobe releases Firebug-like developer tools to edit and extract PSDs

Debug PDO with this one-line function. Yeah!

How to debug code on a remote server (or in vagrant box) with PHPStorm

ilovepreloaders – A tumblr collection of preloader animations

Symfony devs: Creator of Symfony framework is hiring (Cologne, Germany)!

MINI2, an extremely simple barebone PHP application on top of Slim

Only today: $50 coupon for DigitalOcean SSD VPS / hosting

[Link] How to set up HipHop, Nginx and Laravel in Ubuntu 12.04 LTS (in a Vagrant box)

Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Random articles

2 Comments

Leave A Comment Cancel reply