TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks

Website Description:
http://www.telegraph.co.uk

 

“The Daily Telegraph is a British daily morning English-language broadsheet newspaper, published in London by Telegraph Media Group and distributed throughout the United Kingdom and internationally. The newspaper was founded by Arthur B. Sleigh in June 1855 as The Daily Telegraph and Courier, and since 2004 has been owned by David and Frederick Barclay. It had a daily circulation of 523,048 in March 2014, down from 552,065 in early 2013. In comparison, The Times had an average daily circulation of 400,060, down to 394,448. The Daily Telegraph has a sister paper, The Sunday Telegraph, that was started in 1961, which had circulation of 418,670 as of March 2014. The two printed papers currently are run separately with different editorial staff, but there is cross-usage of stories. News articles published in either, plus online Telegraph articles, may also be published on the Telegraph Media Group’s http://www.telegraph.co.uk website, all under The Telegraph title." (From Wikipedia)

 

 

 

(1) Vulnerability Description:

Telegraph has a Web security bug problem. It is vulnerable to XSS attacks. In fact, all its photo pages are vulnerable to XSS (Cross-Site Scripting) vulnerabilities. Telegraph’s picture pages use “&frame" as its parameter. All its web pages use “&frame" are vulnerable to the bugs. Those vulnerabilities have been patched now.

 

 

Examples of Vulnerable Links:

http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095

http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162

http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280

http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790

http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278

 

 

POC Code:

http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095″><img src=x onerror=prompt(‘justqdjing’)>

http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162″><img src=x onerror=prompt(‘justqdjing’)>

http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280″><img src=x onerror=prompt(‘justqdjing’)>

http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790″><img src=x onerror=prompt(‘justqdjing’)>

http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278″><img src=x onerror=prompt(‘justqdjing’)>

The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The bugs found by using CSXDS.

 

 

 

telegraph_frame_xss2

telegraph_frame_xss3

telegraph_frame_xss4









(2) XSS Description:

The description of XSS is: “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWSAP)

 

Poc Video:
https://www.youtube.com/watch?v=SqjlabJ1OzA&feature=youtu.be

 

Blog Details:
http://www.tetraph.com/security/website-test/telegraph-xss/
http://securityrelated.blogspot.com/2015/10/telegraph-xss-0day.html
https://vulnerabilitypost.wordpress.com/2015/10/30/telegraph-bug/

 

 

 

(3) Vulnerability Disclosure:

Those vulnerabilities are patched now.

 

 

 

Discoved and Disclosured By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

 

 

 

References:
http://lists.openwall.net/full-disclosure/2015/11/03/7
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2642
http://russiapost.blogspot.com/2015/11/telegraph-xss.html
https://itinfotechnology.wordpress.com/2015/11/01/telegraph-xss/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02682.html
https://cxsecurity.com/issue/WLB-2015110023
http://marc.info/?l=full-disclosure&m=144651821527165&w=4
http://germancast.blogspot.com/2015/11/telegraph-xss.html
http://itsecurity.lofter.com/post/1cfbf9e7_8d3ea9e
http://whitehatview.tumblr.com/post/132723700196/telegraph-xss
https://itswift.wordpress.com/2015/11/02/telegraph-xss/
http://seclists.org/fulldisclosure/2015/Nov/4

 

Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

Daily mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

 

Website Description:
“The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks", and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month." (Wikipedia)

One of its website’s Alexa rank is 93 on January 01 2015. The website is one of the most popular websites in the United Kingdom.

The Unvalidated Redirects and Forwards problem has not been patched, while the XSS problem has been patched.

 

 

 

(1) Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

 

(1.1) Vulnerability Description:
Daily online websites have a cyber security problem. Hacker can exploit it by Open Redirect (Unvalidated Redirects and Forwards) attacks. During the tests, all Daily mail websites (Daily Mail, Mail on Sunday & Metro media group) use the same mechanism. These websites include dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.

 

 

dailymail_1

thisismoney_1

 

 

 

Google Dork:
“Part of the Daily Mail, The Mail on Sunday & Metro Media Group"

 

 

The vulnerability occurs at “&targetUrl" parameter in “logout.html?" page, i.e.
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com

 

 

 

(1.2.1) Use the following tests to illustrate the scenario painted above.

The redirected webpage address is “http://diebiyi.com/articles“. Can suppose that this webpage is malicious.

 

 

 

(1.2.2) The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards Detection System).

 

 

 

(1.2) Description of Open Redirect:
Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." (From CWE)

 

 

 

(1.3) Vulnerability Disclosure:
These vulnerabilities have not been patched.

 

 

 

 

(2) Daily Mail Website XSS Cyber Security Zero-Day Vulnerability

(2.1) Vulnerability description:
DailyMail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at “reportAbuseInComment.html?" page with “&commentId" parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038

 

 

POC Code:
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId="><img src=x onerror=prompt(‘justqdjing’)>

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

dailymail_uk_xss




(2.2) What is XSS?
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner." (Wikipedia)

 

 

 

(2.3) Vulnerability Disclosure:
This vulnerability has been patched.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

 

 

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

go

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

 

 

 

(1) WebSite:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

 

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability exists at “Logout?" page with “&continue" parameter, i.e.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

 

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

 

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

 

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

Attachments area
Preview YouTube video Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Netease OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Screenshot from 2015-06-28 13:46:06

 

Netease OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
163.com

 

 

“NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Netease web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

163’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri" in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to 163.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type"=sensitive_info,token…

“&scope"=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

Before acceptance of third-party application:

When a logged-in 163 user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri".

 

If a user has not logged onto 163 and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

A logged-in 163 user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) 163 would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from 163 directly. The number of 163’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

More seriously, some third-party websites may allow all URLs (even not belong to themselves) for “&redirect_uri" parameter.

 

Before acceptance of the third-party application, 163’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass 163’s authentication system and attack more easily.

 

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://mathpost.tumblr.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
yhd.com

 

POC Video:
https://www.youtube.com/watch?v=0KF65swbl8A

 


Blog Detail:
http://tetraph.blogspot.com/2014/05/163s-oauth-20-covert-redirect-system.html







(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/163s-oauth-2-0-covert-redirect
https://twitter.com/buttercarrot/status/558906604641198081
https://itinfotechnology.wordpress.com/2014/06/02/netease-system-bug/
http://germancast.blogspot.com/2014/06/netease-hacking.html
http://essaybeans.lofter.com/post/1cc77d20_706b68a
http://diebiyi.com/articles/security/covert-redirect/163s-oauth-2-0-covert-redirect
http://lifegrey.tumblr.com/post/120698901934/whitehatview-internet-users-threatened
http://securityrelated.blogspot.com/2014/07/netease-web-service-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/163s-oauth-2-0-covert-redirect
http://tetraph.blog.163.com/blog/static/23460305120144715554901/
https://inzeed.wordpress.com/2014/06/08/netease-163-bug/

 



=============










网易 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
163.com


" 网易 (NASDAQ: NTES)是中国领先的互联网技术公司,利用最先进的互联网技术,加强人与人之间信息的交流和共享,实现“网聚人的力量”。创始人兼CEO是丁磊。 在开 发互联网应用、服务及其它技术方面,网易始终保持业界的领先地位,并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量 免费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务,还通过自主研发推出了一款率先取得白金地位 的国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。" (百度百科)







(2) 漏洞描述:

网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。



这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。





(2.1) 漏洞细节:

163 的 OAuth 2.0 系统可能遭到攻击。更确切地说, 163 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 163 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type"=sensitive_info,token,code…

“&scope"=get_user_info,email…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “oauth2/authorize.do?",参数"&redirect_uri", e.g.
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=http%3A%2F%2Fweibo.yihaodian.com%2Fweibo%2FunionLoginAction.action%3Fstate%3Dtophttps%3A%2F%2Ftetraph.com&response_type=code&state=06c7f1548bedaf6a8e19cec28d9435c8 [1]

 

 

 

同意三方 App 前:

当一个已经登录的 163 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri" 的 URL。

 

 

如果没有登录的 163 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 163 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 163 用户没有登录,攻击依然可以在要求他登录的163的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

(2.1.1) 163 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri" 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,163 用户意识不到他会被先从 163 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。

 

 

因为 163 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

 

更严重的是,有的 App 允许参数”&redirect_uri" 设置为任意 URL (不仅是属于这个 App domain 的 URL)。这样就可已从163 直接跳转,但是这种情况下,返回的 URL 里不包含敏感信息。

 

 

在同意三方 App 之前,163 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 163 的 URL跳转 验证系统。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://lifegreen.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code(两次跳转才有敏感信息,&redirect_uri 直接跳转没有)。

 

 

下面是一个有漏洞的三方 domain:
yhd.com

 

 

163 与 yhd.com 有关的有漏洞的 URL:
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=https%3A%2F%2Fpassport.yhd.com%2Fnetease%2Fcallback.do&response_type=code&state=1dca59aafb0ccfd17accfe22436eb813

 

 

POC:
http://reg.163.com/open/oauth2/authorize.do?client_id=3898477018&redirect_uri=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E6%258B%25BE%25E7%25A7%258B.html

 

 

 

POC 视频:
https://www.youtube.com/watch?v=0KF65swbl8A

 


博客细节:
http://tetraph.blogspot.com/2014/05/163s-oauth-20-covert-redirect-system.html

 

 




(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

 

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/163s-oauth-2-0-covert-redirect
https://twitter.com/buttercarrot/status/558906604641198081
https://itinfotechnology.wordpress.com/2014/06/02/netease-system-bug/
http://germancast.blogspot.com/2014/06/netease-hacking.html
http://essaybeans.lofter.com/post/1cc77d20_706b68a
http://diebiyi.com/articles/security/covert-redirect/163s-oauth-2-0-covert-redirect
http://lifegrey.tumblr.com/post/120698901934/whitehatview-internet-users-threatened
http://securityrelated.blogspot.com/2014/07/netease-web-service-bug.html
http://www.inzeed.com/kaleidoscope/covert-redirect/163s-oauth-2-0-covert-redirect
http://tetraph.blog.163.com/blog/static/23460305120144715554901/
https://inzeed.wordpress.com/2014/06/08/netease-163-bug/



Tencent QQ OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

qq-messenger-53

 

Tencent QQ OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

 

(1) Domain:
qq.com

 

 

“Tencent QQ, popularly known as QQ, is an instant messaging software service developed by Chinese company Tencent Holdings Limited. QQ also offers a variety of services, including online social games, music, shopping, microblogging, movies, platform of games and group and voice chat. As of January 2015, there are 829 million active QQ accounts, with a peak of 176.4 million simultaneous online QQ users." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Tencent QQ web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

QQ’s SSO system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri" in SSO system is insufficient. It can be misused to design Open Redirect Attacks to QQ.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type"=sensitive_info,token…

“&scope"=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

 

The vulnerabilities occurs at page “/oauth/show?" with parameter “&redirect_uri", e.g.
http://openapi.qzone.qq.com/oauth/show?which=ConfirmPage&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [1]

 

 

Before acceptance of third-party application:

 

When a logged-in QQ user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri".

 

If a user has not logged onto QQ and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

 

A logged-in QQ user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) QQ would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from QQ to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from QQ directly. The number of QQ’s SSO client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, QQ’s SSO system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass QQ’s authentication system and attack more easily.

 

Used one of webpages for the following tests. The webpage is “https://dailymem.wordpress.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 

Vulnerable URL in this domain:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

Vulnerable URL from QQ that is related to cjcp.com.cn:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share

 

POC:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dqq%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A2%25258E%2525E5%2525A4%25258F.html&response_type=code&scope=get_user_info%2Cadd_share [2]

 

 

 

 

(2.2) Another method for attackers.

Attackers enter the following URL in browser,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

Then, attackers can get URL below,
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [3]

 

If users click URL [3], the same thing will happen as URL [2].

 

 

 

(2.3) The following URLs have the same vulnerabilities.
http://openapi.qzone.qq.com/oauth/qzoneoauth_authorize?oauth_consumer_key=209717&oauth_token=14921471022138330625&oauth_callback=http://user.nipic.com/api/login/qq/callback.asp

https://graph.qq.com/oauth2.0/authorize?client_id=100246654&redirect_uri=http://youxi.baidu.com/tp/QQAuth.jsp&response_type=code

https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=801132217&response_type=code&redirect_uri=http://passport.tianya.cn/login/txwb.do

 

 

POC Video:
https://www.youtube.com/watch?v=-lxaX9xvUfE

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/tencent-qq-oauth-20-covert-redirect.html

 

 



 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

 

Related Articles:
http://tetraph.com/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
https://twitter.com/yangziyou/status/615125849306632193
https://biyiniao.wordpress.com/2014/08/28/qq-bugs/
http://diebiyi.com/articles/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
http://frenchairing.blogspot.com/2014/08/tencent-qq-exploit.html
http://tetraph.blog.163.com/blog/static/23460305120144631154854/
http://guyuzui.lofter.com/post/1ccdcda4_6f0b982
http://mathpost.tumblr.com/post/119490927560/itinfotech-id-oauth
http://www.inzeed.com/kaleidoscope/covert-redirect/tencent-qq-oauth-2-0
https://computertechhut.wordpress.com/2014/08/28/tencent-qq-bug/
http://computerobsess.blogspot.com/2014/05/tencent-qq-bug.html

 

 

 

 

===========

 

 

 


腾讯 QQ 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
qq.com

 

 

" 腾讯QQ(简称“QQ”)是腾讯公司开发的一款基于Internet的即时通信(IM)软件。腾讯QQ支持在线聊天、视频通话、点对点断点续传文件、共享 文件、网络硬盘、自定义面板、QQ邮箱等多种功能,并可与多种通讯终端相连。2015年,QQ继续为用户创造良好的通讯体验!其标志是一只戴着红色围巾的 小企鹅。目前QQ已经覆盖Microsoft Windows、OS X、Android、iOS、Windows Phone等多种主流平台" (百度百科)

 

 

 

 

 

(2) 漏洞描述:

腾讯 QQ 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

 

 

(2.1) 漏洞细节:

QQ 的 SSO 系统可能遭到攻击。更确切地说, QQ 对 SSO 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 QQ 的 URL跳转 攻击。

 

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type"=sensitive_info,token…

“&scope"=get_user_info%2Cadd_share…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/oauth/show?",参数"&redirect_uri", e.g.
http://openapi.qzone.qq.com/oauth/show?which=ConfirmPage&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [1]

 

 

 

同意三方 App 前:

当一个已经登录的 QQ 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri" 的 URL。

 

 

如果没有登录的 QQ 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 QQ 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 QQ 用户没有登录,攻击依然可以在要求他登录的QQ的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

 

 

(2.1.1) QQ 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri" 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,QQ 用户意识不到他会被先从 QQ 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 QQ 直接跳转到有害网页是一样的。

 

 

因为 QQ 的 SSO 客户很多,这样的攻击可以很常见。

 

 

在同意三方 App 之前,QQ 的 SSO 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 QQ 的 URL跳转 验证系统。

 

 

用了一个页面进行了测试, 页面是 “http://whitehatpostlike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

 

QQ 与 cjcp.com.cn 有关的有漏洞的 URL:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share

 

 

POC:
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dqq%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A2%25258E%2525E5%2525A4%25258F.html&response_type=code&scope=get_user_info%2Cadd_share [2]

 

 

 

 

(2.2) 攻击的另一个方法.


攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=qq&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 


然后,攻击者可以得到 URL,
http://openapi.qzone.qq.com/oauth/show?which=Login&display=pc&client_id=100261282&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dqq&response_type=code&scope=get_user_info%2Cadd_share [3]

 

如果用户点击 URL [3], 发生的事情和 URL [2] 一样.

 

 

 

 

(2.3)下面的 URLs 有同样的漏洞.
http://openapi.qzone.qq.com/oauth/qzoneoauth_authorize?oauth_consumer_key=209717&oauth_token=14921471022138330625&oauth_callback=http://user.nipic.com/api/login/qq/callback.asp

 

https://graph.qq.com/oauth2.0/authorize?client_id=100246654&redirect_uri=http://youxi.baidu.com/tp/QQAuth.jsp&response_type=code

 

 

https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=801132217&response_type=code&redirect_uri=http://passport.tianya.cn/login/txwb.do

 

 

 

POC 视频:
https://www.youtube.com/watch?v=-lxaX9xvUfE

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/tencent-qq-oauth-20-covert-redirect.html

 

 

 

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向也可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 @justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
https://twitter.com/yangziyou/status/615125849306632193
https://biyiniao.wordpress.com/2014/08/28/qq-bugs/
http://diebiyi.com/articles/security/covert-redirect/tencent-qq-oauth-2-0-covert-redirect
http://frenchairing.blogspot.com/2014/08/tencent-qq-exploit.html
http://tetraph.blog.163.com/blog/static/23460305120144631154854/
http://guyuzui.lofter.com/post/1ccdcda4_6f0b982
http://mathpost.tumblr.com/post/119490927560/itinfotech-id-oauth
http://www.inzeed.com/kaleidoscope/covert-redirect/tencent-qq-oauth-2-0
https://computertechhut.wordpress.com/2014/08/28/tencent-qq-bug/
http://computerobsess.blogspot.com/2014/05/tencent-qq-bug.html

 

 

 

 

 

 



 

 

 

 

 

Sohu OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Screenshot from 2015-06-28 21:09:09

 

Sohu OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:

sohu.com

 

“Sohu, Inc. (Chinese: 搜狐; pinyin: Sōuhú; literally: “Search-fox") is a Chinese Internet company headquartered in the Sohu Internet Plaza in Haidian District, Beijing. This company and its subsidiaries offer advertising, a search engine, on-line multiplayer gaming and other services. For the fiscal year ended December 31, 2007, Sohu Inc.’s revenues increased 41% to $188.9M. Net income increased 31% to $35M. Sohu was ranked as the world’s 3rd and 12th fastest growing company by Fortune in 2009 and 2010 respectively. As of August 2011, Sohu is the 44th overall in Alexa’s internet rankings." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Sohu web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 

 

(2.1) Vulnerability Detail:

Sohu’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri" in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Sohu.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type"=sensitive_info,token…

“&scope"=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

 

Before acceptance of third-party application:

When a logged-in Sohu user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri".

 

If a user has not logged onto Sohu and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

After acceptance of third-party application:

A logged-in Sohu user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

(2.1.1) Sohu would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Sohu to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Sohu directly. The number of Sohu’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Sohu’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Sohu’s authentication system and attack more easily.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://essayjeanslike.lofter.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

 

POC Video:
https://www.youtube.com/watch?v=T1XW31s92qA




Blog Detail:
http://tetraph.blogspot.com/2014/05/sohus-oauth-20-covert-redirect.html







(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/








Related Articles:
http://tetraph.com/security/covert-redirect/sohus-oauth-2-0-covert-redirect
https://inzeed.wordpress.com/2014/07/28/sohu-exploit/
https://twitter.com/buttercarrot/status/558906629056249856
http://diebiyi.com/articles/security/covert-redirect/sohus-oauth-bug
http://russiapost.blogspot.com/2014/07/sohu-hacking.html
http://shellmantis.tumblr.com/post/119492886806/securitypost
http://xingzhehong.lofter.com/post/1cfd0db2_706af13
https://itinfotechnology.wordpress.com/2014/07/07/sohu-attack/
http://www.inzeed.com/kaleidoscope/covert-redirect/sohus-oauth-2-0
http://tetraph.blog.163.com/blog/static/23460305120144714756937/
http://securityrelated.blogspot.com/2014/08/sohu-service-attack.html

 

 

 

===========

 

 

搜狐 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
sohu.com



" 搜狐(NASDAQ:SOHU),是一家互联网中文门户网站。1995年,搜狐创始人张朝阳从美国麻省理工学院毕业回到中国,利用风险投资创建了爱特信信 息技术有限公司,1998年正式推出搜狐网。2000年,搜狐在美国纳斯达克证券市场上市。搜狐开发的产品有搜狗拼音输入法、搜狗五笔输入法、搜狗音乐 盒、搜狗浏览器、搜狐彩电、独立的搜索引擎搜狗和网游门户畅游。搜狐是2008年北京奥林匹克运动会唯一的互联网赞助商,也是奥林匹克运动会历史上第一个 互联网内容的赞助商。" (百度百科)







(2) 漏洞描述:

搜狐 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。




 


(2.1) 漏洞细节:

Sohu 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Sohu 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Sohu 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type"=sensitive_info,token,code…

“&scope"=email,name…

 

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

 

漏洞地点 “/oauth2/authorize?",参数"&redirect_uri", e.g.

https://api.t.sohu.com/oauth2/authorize?client_id=TP4vefRdCFUEFhrNpMnQ&scope=basic&response_type=code&redirect_uri=http%3A%2F%2Fnews.cn%2Fsitecb%2Fsohu.do&state=http://my.xuan.news.cn/main.do__20 [1]

 

 

 

同意三方 App 前:

当一个已经登录的 Sohu 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri" 的 URL。

 

 

如果没有登录的 Sohu 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

 

 

同意三方 App 后:

已经登录的 Sohu 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

 

如果 Sohu 用户没有登录,攻击依然可以在要求他登录的Sohu的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 

 

 

 

(2.1.1) Sohu 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri" 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

 

因此,Sohu 用户意识不到他会被先从 Sohu 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Sohu 直接跳转到有害网页是一样的。

 

 

因为 Sohu 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

 

在同意三方 App 之前,Sohu 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

 

同意三方 App 后, 攻击者可以完全绕过 Sohu 的 URL跳转 验证系统。

 

 

用了一个页面进行了测试, 页面是 “http://essayjeanslike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

Sohu 与 news.cn 有关的有漏洞的 URL:
https://api.t.sohu.com/oauth2/authorize?client_id=TP4vefRdCFUEFhrNpMnQ&scope=basic&response_type=code&redirect_uri=http%3A%2F%2Flogin.home.news.cn%2Fcb%2Fsohu.do&state=http://my.xuan.news.cn/main.do__20

 

 

POC (我们可以在news.cn domain 内随便修改"redirect_uri"的值):
https://api.t.sohu.com/oauth2/authorize?client_id=TP4vefRdCFUEFhrNpMnQ&scope=basic&response_type=code&redirect_uri=http%3A%2F%2Flogin.home.news.cn%2Fcb%2Fsohu.do&state=http://my.xuan.news.cn/main.do__20

 

 

POC 视频:
https://www.youtube.com/watch?v=T1XW31s92qA




博客细节:
http://tetraph.blogspot.com/2014/05/sohus-oauth-20-covert-redirect.html

 





(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向也可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

相关文章:
http://tetraph.com/security/covert-redirect/sohus-oauth-2-0-covert-redirect
https://inzeed.wordpress.com/2014/07/28/sohu-exploit/
https://twitter.com/buttercarrot/status/558906629056249856
http://diebiyi.com/articles/security/covert-redirect/sohus-oauth-bug
http://russiapost.blogspot.com/2014/07/sohu-hacking.html
http://shellmantis.tumblr.com/post/119492886806/securitypost
http://xingzhehong.lofter.com/post/1cfd0db2_706af13
https://itinfotechnology.wordpress.com/2014/07/07/sohu-attack/
http://www.inzeed.com/kaleidoscope/covert-redirect/sohus-oauth-2-0
http://tetraph.blog.163.com/blog/static/23460305120144714756937/
http://securityrelated.blogspot.com/2014/08/sohu-service-attack.html

 

 

 



 

 

 

 



Godaddy Web Service Covert Redirect Security Bugs Based on Google.com

StudyShare_GoDaddy2

 

Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com

 

(1) Domain:
godaddy.com

 

 

“GoDaddy is a publicly traded Internet domain registrar and web hosting company. As of 2014, GoDaddy was said to have had more than 59 million domain names under management, making it the world’s largest ICANN-accredited registrar. It serves more than 12 million customers and employs more than 4,000 people. The company is known for its celebrity spokespeople, Super Bowl ads and as being an online provider for small businesses. In addition to a postseason college football bowl game, it sponsors NASCAR. It has been involved in several controversies related to security and privacy. In addition to domain registration and hosting, GoDaddy also sells e-business related software and services." (Wikipedia)

 

 

 

 

 

(2) Vulnerability Description:
Godaddy web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

The vulnerability occurs at “redirect.aspx?" page with “&target" parameter, i.e.
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com

 

 

 

(2.1) When a user is redirected from Godaddy to another site, Godaddy will check whether the redirected URL belongs to domains Godaddy’s whitelist, e.g.
google.com
apple.com

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Godaddy to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Godaddy directly.

 

One of the vulnerable domain is,
google.com

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://diebiyi.com/articles/“. Can suppose that this page is malicious.

 

Vulnerable URL:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.godaddy.com

 

POC:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fcontact.html

 

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/godaddy-covert-redirect-vulnerability.html



 

 

 

(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/








Related Articles:
https://twitter.com/tetraphibious/status/559167679353720834
http://tetraph.com/security/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
http://tetraph.blog.163.com/blog/static/234603051201444111919171/
http://whitehatpost.lofter.com/post/1cc773c8_706b6bf
http://japanbroad.blogspot.jp/2015/06/godaddy-bug.html
http://securitypost.tumblr.com/post/119439859067/itinfotech-id-oauth
https://infoswift.wordpress.com/2014/07/02/godaddy-hack/
http://germancast.blogspot.de/2014/06/godaddy-exploit.html
http://www.inzeed.com/kaleidoscope/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
https://mathfas.wordpress.com/2014/07/07/godaddy-hacking/