Kaleidoscope - InZeed

- Science, Technology, Article, Music, Poem, Essay, etc ...

Month – May 2014

Two Widely Used Internet Login Systems Found to Have a Major Vulnerability That May Not Be Fixed in the Short Term (Covert Redirect)

Following the OpenSSL vulnerability, open-source security software has been hit by another security flaw. Wang Jing, a PhD student at the School of Physical and Mathematical Sciences of Nanyang Technological University in Singapore, found that websites exposing OAuth 2.0 and OpenID authorization interfaces carry a hidden redirect vulnerability, named "Covert Redirect" in English.

An attacker creates a pop-up login window that uses the real site's address, rather than a fake domain name, to lure web users into entering their personal information.

Hackers can use the vulnerability to "disguise" a phishing site, using a link on a well-known large website to lure users into logging in to the phishing site; once a user visits the phishing site and completes the login and authorization, the hacker can read the private information that user has stored on the website.

Tencent, Alibaba, QQ, Sina Weibo, Taobao, Alipay, NetEase, PayPal, eBay, Amazon, Facebook, Google, LinkedIn, Yahoo, VK.com, Microsoft, Mail.ru, Github, WordPress and many other well-known websites at home and abroad are affected.

Since OAuth and OpenID are widely used by major companies, such as Microsoft, Facebook, Google and LinkedIn, Wang said he has already reported the issue to these companies. Wang stated that Microsoft had replied that it investigated and confirmed the problem lies in third-party systems rather than in the company's own sites. Facebook also said that "fixing these two issues still cannot be completed in the short term; the only option is to force every application platform to adopt a whitelist". As for Google, the company is expected to track the OpenID issue, while LinkedIn said it would soon explain the issue on its blog.

OAuth is a widely used open login protocol that lets a user allow a third-party application to access the private information (such as photos, videos and contact lists) the user has stored on a website, without giving the username and password to the third-party application. The vulnerability disclosed here allows the callback domain of an OAuth 2.0 consumer (the third-party website) to be hijacked to a malicious site; by combining it with an XSS vulnerability, a hacker can operate the authorized account at will and read the user's private information. Social sites such as Tencent and Sina Weibo generally place no restriction at all on the login callback address, which makes them very easy for hackers to exploit.

Related material:

- http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
- http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html
- http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html
- http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html
- http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html
- http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/
- https://hackertopic.wordpress.com/2014/05/26/covert-redirect-attacks
- http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/
- http://network.pconline.com.cn/471/4713896.html
- http://computerobsess.blogspot.com/2015/05/covert-redirect.html
- http://ittechnology.lofter.com/post/1cfbf60d_6f09f58
- http://diebiyi.com/articles/security/covert-redirect/oauth-2-0-openid-covert-redirect/
- https://zh.wikipedia.org/wiki/covert-redirect
- http://media.sohu.com/20140504/n399096249.shtml/
- http://it.people.com.cn/n/2014/0504/c1009-24969253.html
- http://www.inzeed.com/kaleidoscope/covert-redirect/oauth-2-0-and-openid-covert-redirect/
- http://www.baike.com/wiki/covert-redirect-bug […]

Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain: live.com

(2) Vulnerability Description: The Live web application has a computer security problem. Hackers can exploit it through Covert Redirect cyber attacks. The vulnerabilities can be attacked without the user being logged in. Tests were performed on Microsoft […]

OAuth and OpenID Users Threatened by New Security Flaw, Covert Redirect

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed "Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID. Both standards are employed across the Internet to […]

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

(1) Domain: 163.com

"NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the […]

Facebook OAuth 2.0 Covert Redirect Vulnerability based on Ask.com (Information Leakage and URL Redirect)

Facebook OAuth 2.0 Service Covert Redirect Web Security Bugs Based on Ask.com (Information Leakage & Open Redirect)

(1) Domain: facebook.com

"Facebook had over 1.44 billion monthly active users as of March 2015. Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. […]

Kaleidoscope - InZeed © 2015 Frontier Theme