Be careful if you’re signing in to Web services or apps that let you log in using an ID from Facebook, Twitter, or Google. A flaw in widely-used open-source systems known as OAuth 2.0 and OpenID could enable an attacker to covertly redirect you to a malicious site and get access to your data and private information.
Chinese doctoral student Jing Wang publicized the “covert redirect” vulnerability Friday morning. The vulnerability has been known for some time, but fresh attention could make attacks more common—and might also intensify pressure for a fix.
The vulnerability stems from a flaw in OAuth 2.0 and OpenID technology that lets you use your login from Facebook, Google, or Amazon (among others) to access other sites and services. Because of the flaw, an attacker can trick a user into thinking he or she is signing in via Facebook or Google and then redirect them to a malicious website. From there, depending on the level of access granted, it can expose your personal information, your contacts, your friends list, or in the case of Google Apps, stored data.
“This is often the result of a website’s overconfidence in its partners,” Wang wrote.
Not The Next Heartbleed
“It’s not the next Heartbleed, it’s not the end of the world, but at the same time, it’s something that should be paid attention to,” said Kevin O’Brien, director of product marketing for CloudLock. “What’s new about it is the socialization,” he added, referring to Wang’s public campaign to draw attention to the flaw. Once a vulnerability is widely exposed, attacks frequently follow.
Wang discovered the flaw in February, he said via email. “I am not sure whether someone has used the vulnerability or not.”
Social login services appeal to developers for several reasons. Amazon, for instance, describes its “Login with Amazon” service to developers as an opportunity to “securely connect with millions of Amazon customers and personalize their experience.” Social logins are easy to integrate with Web services or Android and iOS apps, which in turn makes it simple for customers to sign into their accounts using their Amazon credentials.
The idea here, of course, is that if you trust Amazon, you can trust third parties that use its login system. That lets developers focus on what they do best, quickly, without having to build their own authorization system. Instead, they leave security to the open-source-developed OAuth 2.0 protocol.
Yet Another Shortcut Turns Into A Security Flaw
Which isn’t an unreasonable thing to do. It just turns out that the problem here isn’t merely the vulnerability in OAuth itself; it’s also how companies like Facebook, Google and Amazon have implemented it.
Facebook, for instance, recommends developers use a whitelist that would effectively close the OAuth loophole by limiting redirections to safe and secure URLs. But Facebook doesn’t require a whitelist, and as a result, many developers don’t use one.
When Wang reported the problem to Facebook, the company said it understood the risks with OAuth 2.0. “However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn’t something that can be accomplished in the short term,” he wrote.
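As an added illustration (not code from the article or from any provider), the Python below contrasts the exact-match redirect-URL whitelist that Facebook recommends with a looser host-only check; the registered callback and the sample request URLs are constructed values.

```python
from urllib.parse import urlsplit

# Redirect URIs the app pre-registered with the identity provider.
# Constructed example values, not taken from any real provider.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def strict_redirect_allowed(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match whitelist: the redirect_uri in the authorization request
    must equal a pre-registered URI byte for byte (scheme, host, path, query).
    Registered URIs never carry a fragment, so any fragment is rejected."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in registered


def lax_redirect_allowed(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Host-only check of the kind the article describes as the loophole:
    any URL on a registered host passes, including pages on that host that
    forward the browser elsewhere. Included for contrast only."""
    candidate_host = urlsplit(candidate).hostname
    return any(urlsplit(r).hostname == candidate_host for r in registered)


def validate_authorization_request(redirect_uri: str) -> str:
    """Return 'ok' when the request may proceed, otherwise a reason string.
    On a mismatch the provider must not redirect at all; it should render an
    error page so the user is never sent to an unregistered destination."""
    if strict_redirect_allowed(redirect_uri):
        return "ok"
    return "redirect_uri mismatch: refuse to redirect, show error to user"


if __name__ == "__main__":
    samples = [  # constructed request URLs
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect?next=https://unrelated.example/",
        "http://app.example.com/oauth/callback",
    ]
    for s in samples:
        print(f"{s}\n  strict={strict_redirect_allowed(s)} lax={lax_redirect_allowed(s)}")
```

Only the first sample passes the strict check; the second, a forwarding page on the registered host, is accepted by the host-only check alone, which is the gap the whitelist closes.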
Wang also reported the vulnerability to Google, LinkedIn, Microsoft, Yahoo, PayPal, Weibo, Taobao, GitHub, and QQ, he said via email. Here are some of their responses:
Google said “[they] are aware of the problem and are tracking it at the moment.”
LinkedIn said “[they] have published a blog post on how [they] intend to address [the problem].” (Blog address: https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls)
Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third party, different from the one reported by me (login.live.com). They recommended that I report the issue to the third party instead.
Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation.
Taobao just closed my report without giving any reason.
Yahoo and PayPal had not replied to me months after my report.
I did not contact VK.com, Mail.Ru and so on because I do not know their security-related email addresses.
Until there’s a fix, be careful when a site or application asks you to connect via Facebook, Twitter, Google, or other sites that use OAuth 2.0. Pay attention, O’Brien said. If you’re looking at a site and get a sudden request for your social-login information when you’re not expecting one, “that’s the time to step back,” he said.