Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook.

Articles:
cnet – Serious security flaw in OAuth, OpenID discovered
lifehacker – Security Flaw Found in OAuth and OpenID, Here’s What It Means for You
(german) zdnet – Schwere Sicherheitslücke in OAuth und OpenID entdeckt

Huge info-page by Wang Jing, the guy who has discovered the bug:
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google):
https://www.youtube.com/user/tetraph

Info video:

https://www.youtube.com/watch?v=HUE8VbbwUms

Reproduceable examples (taken from the above YouTube channel)

https://www.youtube.com/watch?v=iif6eq2cvso

https://www.youtube.com/watch?v=Y2-2Scp0pbs

https://www.youtube.com/watch?v=GyNGBuHNoJ0

This article was written quite a while ago (6 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

2 Comments

slbmeh

May 9, 2014 6:43 am

I wouldn’t quite consider it a security issue or a bug. The standards OAuth puts in place performs a request based on a signature prepared by the application generating the URL. Any access being granted is to the application initially signing the request.

It is indeed a phishing risk, and potentially a design flaw in the spec of the oauth standard. But it’s a simple fix. Add the redirect url to the hmac signature and if the request uri doesn’t match the redirect parameter then bail with a message notifying the user that the signature could not be verified.

Reply
- Chris
  
  May 9, 2014 11:47 am
  
  Thanks, good info in here! Btw I’ve written this before reading into the topic. Most good sources also say it’s not a bug, it’s simply bad implementation of the according companies / developers.
  
  Reply

Composer problems ? Try full reset !

Profiling PHP Applications by Bastian Hofmann (video from PHP UK Conference 2014)

Soundcloud’s “VP of Engineering” about using SSDs

PHP Opcache Explained by Julien Pauli (video from PHP UK Conference 2014)

A preinstalled Vagrant box with PHP HipHop / HHVM and Ubuntu 13.10 (Saucy Salamander)

How to fix the ugly font rendering in Google Chrome

Get Github’s syntax highlighting colors in PHPStorm

Angelina Fabbro talks about “CSS4” in this excellent conference video

How to install/setup latest version of PHPMyAdmin on Ubuntu 12.04 LTS (Precise Pangolin)

Meet the developers behind Ableton (14min video)

Adobe offers Photoshop for $9.99 per month (limited deal)

Going node.js at Netflix (Slides by Micah R of Netflix)

How to install/setup a basic LAMP stack (Linux, Apache, MySQL, PHP) on Ubuntu 14.04 LTS

[Link] Making a website vertically responsive

Increase your PageSpeed score (10min video with Matt Gaunt)

First view: Ubuntu 14.04 LTS brings PHP 5.5 and Apache 2.4

SensioLabs, creator of Symfony and Silex PHP frameworks, gets $7 million capital

All new features of WordPress 3.9 in this 2 minute video

DigitalOcean VPS coupon codes for december 2013 and early 2014

How to fix the ugly font rendering in Google Chrome

How to use the PHP 5.5 password hashing functions

How to install/setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1/7.2 (and how to fix the GPG key error)

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Jonathan Snook – CSS is a Mess – How to organize CSS in big projects (54min video talk)

8 awesome pure CSS spinner / loader

Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected

Random articles

2 Comments

Leave A Comment Cancel reply