OAuth & OpenID Security Vulnerability - 03MAY14
What It Is
A serious security flaw has been discovered in the popular open-source authorization and authentication services, OAuth 2.0 and OpenID. The vulnerability allows an attacker to use a covert redirect technique within the login system that could compromise sensitive user data or redirect the user to unsafe sites. Because of the way authentication and authorization are implemented, the flaw must be fixed by each affected vendor providing the service. There is, therefore, no single blanket fix or update.
OAuth allows a user to grant access to their login credentials and private data on one site (the Provider) in order to access another site (the Requester). OpenID uses a single user identity to sign into many sites. This Single Sign-On capability, while providing ease-of-use, also poses a significant security issue if a vulnerability is found.
Why You Care
Many popular websites including Google, Facebook, Microsoft, LinkedIn, and PayPal use OAuth 2.0 or OpenID modules to perform Single Sign-On credentialing. LinkedIn and PayPal claim to have mitigated this vulnerability on their sites by using “whitelisting” techniques for the 3rd party apps they authorize. Stolen user data can include email addresses, birth dates, contact lists, credit and payment methods, banking data, and login credentials.
The covert redirect exploit allows an attacker to insert themselves into the credential process and pose as the legitimate Requester. The attack masquerades as a legitimate login pop-up requesting access. This classic man-in-the-middle attack technique inserts itself between the user and a legitimate site – posing as that site. If the user accepts the attacker’s request via the pop-up, just as they would a legitimate request, the attacker gains access to user credentials and sensitive data, or can redirect the user to unsafe sites – opening the user up to further compromise.
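The “whitelisting” mitigation mentioned above comes down to how a Provider validates the redirect URI a Requester supplies. The following added example (not code from any vendor named here) contrasts a loose, host-based check with an exact-match whitelist of registered redirect URIs; the client registry and hostnames are constructed for illustration.

```python
"""Redirect-URI validation for an OAuth 2.0 / OpenID Provider.

Constructed example: compares a loose, host-based check with an exact-match
whitelist of the redirect URIs each client (Requester) registered.
"""
from urllib.parse import urlsplit

# Constructed client registry: client_id -> set of registered redirect URIs.
REGISTERED_REDIRECTS = {
    "requester-app": {"https://requester.example/oauth/callback"},
}


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any HTTPS URL on the client's registered host.

    Any open redirect on that host (for example a ?next= parameter) then
    lets the authorization response be forwarded somewhere else.
    """
    hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in hosts


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Whitelist check: redirect_uri must equal a registered URI exactly.

    Scheme, host, port, path and query are all compared; no prefix, partial
    or wildcard matching, so a redirect elsewhere on the Requester's site
    is never accepted.
    """
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, strict: bool = True) -> str:
    """Return 'accept' or 'reject' for an authorization request.

    On rejection the Provider must show an error page and must NOT send the
    user-agent to the unvalidated URI (RFC 6749, section 4.1.2.1).
    """
    check = strict_redirect_ok if strict else loose_redirect_ok
    return "accept" if check(client_id, redirect_uri) else "reject"
```

The strict check is the one to deploy; the loose variant is shown only so the difference in what each accepts is visible.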
Vendors providing authorization and authentication services (Providers) lack both agreement on and incentive for fixing the security flaw, further complicating the issue. Requester companies believe the flaw is the responsibility of the Providers, while Providers do not believe the flaw is their issue. This disagreement mostly comes down to the cost of fixing the flaw.
Users are cautioned not to accept any pop-up window redirects on popular sites such as Google, Facebook, Yahoo, and PayPal unless they are deliberately choosing to use one site’s credentials (like Facebook) to log in to another site (such as Instagram) at the moment the pop-up appears. In other words, if you did not personally initiate the credential request at that moment, do not agree to it.
What You Can Do About It
Users need to be aware of this security issue both at home and at work, as it provides a vector for stealing not just credentials and user data, but money (especially on websites such as PayPal). Users who wish to avoid any potential loss of data should exercise extreme caution when deciding whether or not to click pop-up requests for login authorization. If the user is not specifically using credentials from one site to log in to another, the pop-up should be closed without clicking accept. Closing the tab immediately should prevent most redirection attacks.
As always, if you require assistance – contact your Maverick security concierge.