Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook.

Articles:
cnet – Serious security flaw in OAuth, OpenID discovered
lifehacker – Security Flaw Found in OAuth and OpenID, Here’s What It Means for You
(german) zdnet – Schwere Sicherheitslücke in OAuth und OpenID entdeckt

Huge info-page by Wang Jing, the guy who has discovered the bug:
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google):
https://www.youtube.com/user/tetraph

Info video:

https://www.youtube.com/watch?v=HUE8VbbwUms

Reproduceable examples (taken from the above YouTube channel)

https://www.youtube.com/watch?v=iif6eq2cvso

https://www.youtube.com/watch?v=Y2-2Scp0pbs

https://www.youtube.com/watch?v=GyNGBuHNoJ0

This article was written quite a while ago (5 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

2 Comments

slbmeh

May 9, 2014 6:43 am

I wouldn’t quite consider it a security issue or a bug. The standards OAuth puts in place performs a request based on a signature prepared by the application generating the URL. Any access being granted is to the application initially signing the request.

It is indeed a phishing risk, and potentially a design flaw in the spec of the oauth standard. But it’s a simple fix. Add the redirect url to the hmac signature and if the request uri doesn’t match the redirect parameter then bail with a message notifying the user that the signature could not be verified.

Reply
- Chris
  
  May 9, 2014 11:47 am
  
  Thanks, good info in here! Btw I’ve written this before reading into the topic. Most good sources also say it’s not a bug, it’s simply bad implementation of the according companies / developers.
  
  Reply

PHP Opcache Explained by Julien Pauli (video from PHP UK Conference 2014)

Frontend Ops Conf 2014 – Sarah Goff-Dupont: Git, Continuous Integration and Making It Pretty (31min video)

Angelina Fabbro talks about “CSS4” in this excellent conference video

PHP 5.7 gets refactored core, is 10%-30% faster than PHP 5.5! Wow!

GAMESCOM 2014: Awesome Next-Gen ingame graphics

Google I/O 2014 – HTTPS Everywhere (video)

GitHub buys Easel.io, a code-free full website creator worth a look

You made a mess with Git ? Here’s a flowchart guideline on how to fix

How to install sqlite driver for PHP in Ubuntu & Debian

Joshua Davis – my hero of Flash – in two excellent interviews (audio, video)

Get Github’s code colors in PHPStorm (2014 style)

SensioLabs, creator of Symfony and Silex PHP frameworks, gets $7 million capital

How to hack time (KUNG FURY promo campaign)

Increase your PageSpeed score (10min video with Matt Gaunt)

How to install the mcrypt php extension (to use Laravel 4)

A super-simple introduction into PHP namespaces (7min video)

How to install sqlite driver for PHP in Ubuntu & Debian

What’s new in PHPStorm 10 (Official promo video)

A quick guideline on how to fix the Hearthbleed bug (and update OpenSSL) on Ubuntu

[Link] Interesting: Designing a Nuclear Waste Warning Symbol That Will Still Make Sense in 10,000 Years

Somebody is writing a compiler for PHP, compiles down to machine code, outperforms HHVM

How to show the available version of a package (before doing apt-get install)

How to get a single table out of a massive MySQL .sql database backup file (mysql dump splitter)

Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Random articles

2 Comments

Leave A Comment Cancel reply