
Nasty Security Flaw In OAuth, OpenID

Soulskill posted about 6 months ago | from the another-day-another-flaw dept.

Security 18

jones_supa writes: "A notable security vulnerability has been discovered which impacts both OAuth and OpenID, which are software packages that provide a secure delegated access to websites. Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, discovered that the 'Covert Redirect' flaw can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter. For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the login, personal data will be released to the attacker instead of to the legitimate website. Wang did already warn a handful of tech giants about the vulnerability, but they mostly dodged the issue. In all honesty, it is not trivial to fix, and any effective remedies would negatively impact the user experience. Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google, and be aware of this redirection attack."


Truly, we need more vegetables (0)

For a Free Internet (1594621) | about 6 months ago | (#46903095)

This will make the Internet more healthy. Currently the interehuinsm , is fuopkwle,fm vby fargas abdugybjhmasd, rtgebh j pussy juices of7(*HJa uyjhnm tailgate.

OT: Slashdot Beta on the rise again (-1, Troll)

Anonymous Coward | about 6 months ago | (#46903171)

Warning: I'm getting bounced more frequently to the Beta site once again; Dice may be having another go at trying to roll it out. Be warned.

I wonder what percentage of Slashdot visitors are immediately switching back to Slashdot Classic by using the link at the bottom of the page ?

If you don't like Slashdot Beta, then don't live with it. Use the link at the bottom of the page to go back to Slashdot Classic and send a _huge_ message to Dice at the same time when they come to look at their website logs.

If you like this idea, feel free to repost this message in other stories and help send a message to Dice they cannot ignore.

Re:OT: Slashdot Beta on the rise again (0, Insightful)

Anonymous Coward | about 6 months ago | (#46903249)

Some people just can't take a hint.

[Beta is unusable, unnecessary, and unwanted]

Re:OT: Slashdot Beta on the rise again (1)

psyclone (187154) | about 6 months ago | (#46903975)

As a logged in user, I still get Classic view, but on a narrow but tall vertical monitor, Beta comments are completely unreadable for me. Thus, when beta hits, I will be a summary-only reader. (And might finally get around to creating an account on reddit.)

Re:OT: Slashdot Beta on the rise again (0)

Anonymous Coward | about 6 months ago | (#46904763)

Yeah, it sucks. What's with this whitespace crap?

Not an inherent problem. (5, Informative)

kiite (1700846) | about 6 months ago | (#46903191)

Ehh...

First of all, this isn't new. Hell, it's in the RFC [ietf.org]. In fact, the RFC specifically details and recommends protecting against it in [ietf.org] several [ietf.org] places [ietf.org].

This is an implementation problem, not really anything to do with OAuth 2.0 or OpenID-Connect. Authorization servers are supposed to match the redirect_uri against valid values that are registered by the client. This is inconvenient for redirecting users back to the right page, so some popular providers decided to match based on prefix or domain, instead. And some websites on the internet have open redirects (hard to believe, I know). If the client website's security is _really_ lousy^H^H^H^H^H lax, its OAuth2 callback module might also not validate the response URI when it gets the access code, and may even not strip the access code from the URI parameters when redirecting.

The service providers are supposed [ietf.org] to require clients to register a full redirection callback. The clients can keep track of whatever page people are on with the state parameter. But those same clients, with that same terrible security, will probably get that wrong, too.

So, it's entirely a known problem, and what it boils down to is this: You can recommend best practices, but you can't fix stupid. That's why Google and Facebook are shrugging it off.

That said, if they performed some meager sanitization, it could go a long way to improve the situation.
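The redirect_uri policies kiite contrasts above (exact match against the registered callback versus prefix or domain matching) and the state round-trip on the client side, as an added Python example that is not part of any comment on this page or of any provider's code. The client registration, the hosts idp.example and app.example, and the open-redirector URL on the client's domain are all constructed for the demonstration:

```python
"""Why exact redirect_uri matching matters for OAuth 2.0 covert redirects.

Constructed example: one client registration, three matching policies an
authorization server might apply, and the client-side state check.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed client registration (not a real provider's data).
CLIENT_ID = "client-123"
REGISTERED_CALLBACK = "https://app.example/oauth/callback"

# Constructed: an open redirector on the client's own domain that forwards
# to whatever the url= parameter names. Invented for the demonstration.
OPEN_REDIRECT_ON_CLIENT = "https://app.example/go?url=https://third-party.example/"


def matches_domain(redirect_uri: str) -> bool:
    """Lax policy: any URI on the registered scheme+host is accepted."""
    reg, got = urlsplit(REGISTERED_CALLBACK), urlsplit(redirect_uri)
    return (got.scheme, got.netloc) == (reg.scheme, reg.netloc)


def matches_prefix(redirect_uri: str) -> bool:
    """Lax policy: any URI that starts with the registered origin is accepted."""
    reg = urlsplit(REGISTERED_CALLBACK)
    return redirect_uri.startswith(f"{reg.scheme}://{reg.netloc}/")


def matches_exact(redirect_uri: str) -> bool:
    """RFC 6749 section 3.1.2: simple string comparison with the registered value."""
    return redirect_uri == REGISTERED_CALLBACK


def authorize(redirect_uri: str, state: str, policy) -> dict:
    """Authorization endpoint after user consent: refuse to redirect at all on a
    bad redirect_uri (RFC 6749 section 4.1.2.1), otherwise issue a code."""
    if not policy(redirect_uri):
        return {"error": "invalid_request", "redirected": False}
    code = secrets.token_urlsafe(16)
    parts = urlsplit(redirect_uri)
    extra = urlencode({"code": code, "state": state})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return {"redirected": True, "location": urlunsplit(parts._replace(query=query)), "code": code}


class Client:
    """Minimal relying party: exact callback only, 'which page' kept in state."""

    def __init__(self) -> None:
        self._pending = {}  # state -> page to send the user back to

    def start_login(self, return_to: str) -> str:
        state = secrets.token_urlsafe(16)
        self._pending[state] = return_to  # never encoded into redirect_uri
        return "https://idp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REGISTERED_CALLBACK, "state": state})

    def handle_callback(self, received_url: str):
        """Accept the code only at the registered URI and only for a pending,
        unused state value; return None otherwise."""
        parts = urlsplit(received_url)
        if urlunsplit(parts._replace(query="", fragment="")) != REGISTERED_CALLBACK:
            return None
        q = parse_qs(parts.query)
        return_to = self._pending.pop(q.get("state", [None])[0], None)
        if return_to is None or "code" not in q:
            return None
        return {"code": q["code"][0], "return_to": return_to}


def run_demo() -> dict:
    """Lax policies hand the code to the open redirector; exact matching does not.
    A careful client round-trips state and rejects callbacks at the wrong URI."""
    lax = authorize(OPEN_REDIRECT_ON_CLIENT, "unchecked", matches_domain)
    strict = authorize(OPEN_REDIRECT_ON_CLIENT, "unchecked", matches_exact)
    client = Client()
    state = parse_qs(urlsplit(client.start_login("/settings")).query)["state"][0]
    good = authorize(REGISTERED_CALLBACK, state, matches_exact)
    first = client.handle_callback(good["location"])
    replay = client.handle_callback(good["location"])
    wrong_path = client.handle_callback(f"https://app.example/go?code={good['code']}&state={state}")
    return {
        "lax_leaks_code": lax["redirected"] and lax["location"].startswith(OPEN_REDIRECT_ON_CLIENT + "&code="),
        "strict_refuses": strict == {"error": "invalid_request", "redirected": False},
        "first_callback": first,
        "replay_rejected": replay is None,
        "wrong_path_rejected": wrong_path is None,
        "good_code": good["code"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Under the domain or prefix policy the authorization server's 302 lands on `/go?url=...&code=...`, so the client's own open redirector carries the code off-domain without any look-alike hostname being involved; under exact matching the server answers with an error and never redirects. The `Client` class shows the other half of kiite's point: the return page travels in `state`, the callback URI is fixed, and a state value is consumed on first use.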

Re:Not an inherent problem. (2)

yakatz (1176317) | about 6 months ago | (#46903317)

Agreed. Not sure why this is news, or honestly, why it is worthy of being published at all. This is part of the design, and if people choose to log in even after, as the example says, the Google or Facebook OAuth prompt says "You are sending the following information to this site:" (as those login methods do [postimg.org]), that is their own problem.

Re:Not an inherent problem. (1)

phantomfive (622387) | about 6 months ago | (#46903471)

Agreed. Not sure why this is news, or honestly, why it is worthy of being published at all.

If you hadn't noticed after the heartbleed bug, the media reporting on flaws these days has no clue what is going on.

But they are looking for a story. Because it catches eyeballs. The iPhone SSL bug proved that bugs can provide hysteria, so expect to see more hysteria.

Re:Not an inherent problem. (1)

fisted (2295862) | about 6 months ago | (#46909571)

good related read [hueniverse.com]

I thought everyone knew this (4, Insightful)

GoodNewsJimDotCom (2244874) | about 6 months ago | (#46903225)

The instant I saw a Facebook login on a non-Facebook website, I assumed it was a phisher.

This phishing attack has been around as long as this flawed protocol has been around.

Move along, nothing to see here, everyone knew this.

Re:I thought everyone knew this (4, Insightful)

GoodNewsJimDotCom (2244874) | about 6 months ago | (#46903285)

Heh, I see what they're saying now. This new phishing attack fools the person who "verifies" it is a Facebook.com URL. I guess it is somewhat worse. Your average Facebook user doesn't even know to check that so regular phishing attempts should work too. I guess someone of Slashdot style tech knowledge might have always checked to make sure the URL was Facebook. So I guess the warning is good for some of us. Personally I don't log in to Facebook from rogue sites.

Oh snap, I just realized where this would get people real hard. Paypal. You click a link to buy with Paypal, but they send you to a PaypalURL to login, but keep your data... Yah, that one could bite. I guess it really is a good heads up. I'll no longer use anyone's paypal links unless I highly trust the site. Thankfully I at least have the 2nd factor security authentication, but not everyone has that.

Re:I thought everyone knew this (4, Informative)

phantomfive (622387) | about 6 months ago | (#46903491)

Oh snap, I just realized where this would get people real hard. Paypal. You click a link to buy with Paypal, but they send you to a PaypalURL to login, but keep your data... Yah, that one could bite. I guess it really is a good heads up. I'll no longer use anyone's paypal links unless I highly trust the site. Thankfully I at least have the 2nd factor security authentication, but not everyone has that.

I solve that problem by not linking my Paypal to a bank account. If someone hacks my paypal account, they can......use their own credit card to pay someone.

Not linking Paypal to a bank account solves a lot of other problems too, where Paypal is known to be the rogue actor.

Re:I thought everyone knew this (1)

xelah (176252) | about 6 months ago | (#46903777)

Mmm...I can't help thinking there's a hole in that somewhere. Couldn't they use the account to accept a bunch of payments for sales they don't intend to fulfil, transfer the money to themselves and then leave you with the chargebacks? Quite possibly PayPal will come after you if your account is negative.

Re:I thought everyone knew this (2)

phantomfive (622387) | about 6 months ago | (#46904341)

If that happens I will have the great pleasure of telling Paypal to please, take all the money in my account, and close it.

Re:I thought everyone knew this (0)

Anonymous Coward | about 6 months ago | (#46903509)

People still use Paypal?

Re:I thought everyone knew this (0)

Anonymous Coward | about 6 months ago | (#46903997)

What else is there?

I've been seeing this a LOT on Facebook (2)

DadLeopard (1290796) | about 6 months ago | (#46905709)

I've been seeing this a LOT on Facebook. I myself am not stupid enough to log in to a site I am already logged into, but this has bitten a whole lot of my less savvy "friends"! Seems to be a regular phishing feature where there is a slightly risqué picture and when you click to see full size they want you to prove you are over 13 by logging in! Hah! Not happening!

If you want people to care... (0)

Anonymous Coward | about 6 months ago | (#46909483)

...you must come up with a better description of the problem.
I read all the sites linked to from the summary and the article and I am not even convinced there is a problem.
