Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected
Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook.
Articles:
cnet – Serious security flaw in OAuth, OpenID discovered
lifehacker – Security Flaw Found in OAuth and OpenID, Here’s What It Means for You
(german) zdnet – Schwere Sicherheitslücke in OAuth und OpenID entdeckt
Huge info-page by Wang Jing, the guy who has discovered the bug:
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google):
https://www.youtube.com/user/tetraph
Info video:
https://www.youtube.com/watch?v=HUE8VbbwUms
Reproduceable examples (taken from the above YouTube channel)
https://www.youtube.com/watch?v=iif6eq2cvso
https://www.youtube.com/watch?v=Y2-2Scp0pbs
https://www.youtube.com/watch?v=GyNGBuHNoJ0
Random articles
![[Link] Retinafy your Site / Device by Nijiko Yonskai](https://www.dev-metal.com/wp-content/uploads/2013/08/css3-chrome-font-100x100.jpg)
[Link] Retinafy your Site / Device by Nijiko Yonskai
An introduction into Atomic Design, a super-clean way to style web applications
Extremely simple deployment with PHPloy
Electronic Arts / Origin offers Battlefield 3 for free (limited promo action) !
Ignore .idea folder from git in PHPStorm
O’Reilly’s Learning JavaScript Design Patterns by Addy Osmani for free
This is an experimental advertisement
Angelina Fabbro talks about “CSS4” in this excellent conference video
How to center a div vertically and horizontally (modern methods, without fixed size!)
I wouldn’t quite consider it a security issue or a bug. The standards OAuth puts in place performs a request based on a signature prepared by the application generating the URL. Any access being granted is to the application initially signing the request.
It is indeed a phishing risk, and potentially a design flaw in the spec of the oauth standard. But it’s a simple fix. Add the redirect url to the hmac signature and if the request uri doesn’t match the redirect parameter then bail with a message notifying the user that the signature could not be verified.
Thanks, good info in here! Btw I’ve written this before reading into the topic. Most good sources also say it’s not a bug, it’s simply bad implementation of the according companies / developers.