Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook.

Articles:
cnet – Serious security flaw in OAuth, OpenID discovered
lifehacker – Security Flaw Found in OAuth and OpenID, Here’s What It Means for You
(german) zdnet – Schwere Sicherheitslücke in OAuth und OpenID entdeckt

Huge info-page by Wang Jing, the guy who has discovered the bug:
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google):
https://www.youtube.com/user/tetraph

Info video:

https://www.youtube.com/watch?v=HUE8VbbwUms

Reproduceable examples (taken from the above YouTube channel)

https://www.youtube.com/watch?v=iif6eq2cvso

https://www.youtube.com/watch?v=Y2-2Scp0pbs

https://www.youtube.com/watch?v=GyNGBuHNoJ0

This article was written quite a while ago (5 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

2 Comments

slbmeh

May 9, 2014 6:43 am

I wouldn’t quite consider it a security issue or a bug. The standards OAuth puts in place performs a request based on a signature prepared by the application generating the URL. Any access being granted is to the application initially signing the request.

It is indeed a phishing risk, and potentially a design flaw in the spec of the oauth standard. But it’s a simple fix. Add the redirect url to the hmac signature and if the request uri doesn’t match the redirect parameter then bail with a message notifying the user that the signature could not be verified.

Reply
- Chris
  
  May 9, 2014 11:47 am
  
  Thanks, good info in here! Btw I’ve written this before reading into the topic. Most good sources also say it’s not a bug, it’s simply bad implementation of the according companies / developers.
  
  Reply

MINI2, an extremely simple barebone PHP application on top of Slim

Hochlastseiten mit PHP, MySQL und Apache am Beispiel stern.de (deutscher Artikel)

PHP 5.6.0 RC1 is available

A super-simple introduction into PHP namespaces (7min video)

Migrating Wikipedia to HHVM (@Scale Conference 2014)

A 6min video introduction into Twig, the PHP templating engine

[Link] How To Install October CMS on a VPS running Ubuntu 14.04

Crossbrowser-safe HTML5 video (IE6+) with a few lines of code and just one .mp4 video file

A preinstalled Vagrant box with PHP HipHop / HHVM and Ubuntu 12.04 (Precise Pangolin)

[RePost] Goodbye LAMP: Going Nginx, NoSQL, HHVM (41min conference talk with Arne Blankerts)

Crossbrowser-safe HTML5 video (IE6+) with a few lines of code and just one .mp4 video file

[Link] How to create, read, update and delete (CRUD) with PDO, MySQLi and MySQL the right way (prepared statements)

Going node.js at Netflix (Slides by Micah R of Netflix)

Europeans: Get ready for OFFF conference / festival in Barcelona, May 2014

How to enable mod_rewrite in Ubuntu 14.04 LTS

Compress png, jpeg, gif and svg up to 90% with Compressor.io

-30% to -90% on Steam and Origin

Experimenting with HHVM at Etsy (Link)

October CMS, built on top of Laravel, is beautiful, clever and on the way to be the new #1 CMS

Slides & talks from PHP UK Conference 2014

[Link] Redesigning SoundCloud by Evan Simoni

Redesigning Windows 8 – fantastic and clever drafts by Jay Machalani

Frontend Ops Conf 2014 – Paul Irish: Delivering The Goods In Under 1000ms (40min video)

Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Random articles

2 Comments

Leave A Comment Cancel reply