Kaleidoscope - InZeed

- Science, Technology, Article, Music, Poem, Essay, etc ...

URL Redirection

Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities

  Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities   Domain: rakuten.com “Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce platform Rakuten Ichiba is the largest e-commerce site in Japan and among the world’s largest by sales. Hiroshi Mikitani founded the […]

phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

  phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities   Exploit Title: phpwind v8.7 goto.php? &url Parameter Open Redirect Security Vulnerabilities Product: phpwind Vendor: phpwind Vulnerable Versions: v8.7 Tested Version: v8.7 Advisory Publication: May 25, 2015 Latest Update: May 25, 2015 Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601] CVE Reference: * […]

Google DoubleClick Website System Could be Used by Spammers

  Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers   Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.   However, Google might have overlooked the security of its DoubleClick.net ​advertising system. After some […]

Paypal Online Website OAuth 2.0 Covert Redirect (OpenIDconnect) Web Security Bugs (Information Leakage & Open Redirect)

  Paypal Online Website OAuth 2.0 Covert Redirect (OpenIDconnect) Web Security Bugs (Information Leakage & Open Redirect) (1) Domain: paypal.com   “PayPal is an American worldwide online payments system. Online money transfers serve as electronic alternatives to traditional paper methods like checks and money orders. PayPal is one of the world’s largest internet payment companies.The […]

兩款互聯網登錄系統曝出重大漏洞 短期內或無法修復 (Covert Redirect)

  繼OpenSSL漏洞後,開源安全軟件再曝安全漏洞。新加坡南洋理工大學研究人員,物理和數學科學學院博士生王晶 (Wang Jing) 發現,OAuth 2.0, OpenID 授權接口的網站存隱蔽重定向漏洞、英文名為“Covert Redirect”。   攻擊者創建壹個使用真實站點地址的彈出式登錄窗口——而不是使用壹個假的域名——以引誘上網者輸入他們的個人信息。   黑客可利用該漏洞給釣魚網站“變裝”,用知名大型網站鏈接引誘用護登錄釣魚網站,壹旦用護訪問釣魚網站並成功登六授權,黑客即可讀取其在網站上存儲的私密信息。   騰訊,阿裏巴巴,QQ、新浪微博、淘寶網,支付寶,網易,PayPal, eBay, Amazon, Facebook、Google, LinkedIn, Yahoo, VK.com, Microsoft,  Mail.ru, Github, WordPress 等國內外大量知名網站受影響。   鑒於OAuth和OpenID被廣泛用於各大公司——如微軟、Facebook、Google、以及 LinkedIn——Wang表示他已經向這些公司已經了匯報。Wang聲稱,微軟已經給出了答復,調查並證實該問題出在第三方系統,而不是該公司的自 有 站點。Facebook也表示,“短期內仍無法完成完成這兩個問題的修復工作,只得迫使每個應用程序平臺采用白名單”。至於Google,預計該公司 會追 蹤OpenID的問題;而LinkedIn則聲稱它將很快在博客中說明這壹問題。   OAuth 是壹個被廣泛應用的開放登六協議,允許用護讓第三方應用訪問該用護在某壹網站上存儲的私密的信息(如照片,視頻,聯系人列表),而無需將用護名和密碼提供給第三方應用。這次曝出的漏洞,可將Oauth2.0的使用方(第三方網站)的回跳域名劫持到惡意網站去,黑客利用XSS漏洞攻擊就能隨意操作被授權的帳號,讀取用護的隱私信息。像騰訊、新浪微博等社交網站壹般對登六回調地址沒有任何限制,極易遭黑客利用。         相關資料, http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/ https://hackertopic.wordpress.com/2014/05/26/covert-redirect-attacks http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/ http://network.pconline.com.cn/471/4713896.html http://computerobsess.blogspot.com/2015/05/covert-redirect.html http://ittechnology.lofter.com/post/1cfbf60d_6f09f58 http://diebiyi.com/articles/security/covert-redirect/oauth-2-0-openid-covert-redirect/ https://zh.wikipedia.org/wiki/covert-redirect http://media.sohu.com/20140504/n399096249.shtml/ http://it.people.com.cn/n/2014/0504/c1009-24969253.html http://www.inzeed.com/kaleidoscope/covert-redirect/oauth-2-0-and-openid-covert-redirect/ http://www.baike.com/wiki/covert-redirect-bug […]

Facebook OAuth 2.0 Covert Redirect Vulnerability based on Ask.com (Information Leakage and URL Redirect)

    Facebook OAuth 2.0 Service Covert Redirect Web Security Bugs Based on Ask.com (Information Leakage & Open Redirect) (1) Domain: facebook.com   “Facebook had over 1.44 billion monthly active users as of March 2015. Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. […]

Kaleidoscope - InZeed © 2015 Frontier Theme