Critical Holes in OAuth, OpenID Could Leak Information, Redirect Users

A serious vulnerability in both the OAuth and OpenID protocols could lead to complications for those who use the services to log in to websites like Facebook, Google, LinkedIn, Yahoo, Microsoft and PayPal, among many others.

UPDATE — A serious vulnerability in the OAuth and OpenID protocols could lead to complications for those who use the services to log in to websites like Facebook, Google, LinkedIn, Yahoo, and Microsoft among many others.

OpenID and OAuth are commonly used authorization protocols. The protocols are separate but complementary: with OAuth, a server issues access tokens to clients, while OpenID acts as a decentralized method that allows users to use the same digital identity across the internet. They are perhaps best known as the easiest way for users to log in to sites using passwords from providers like Google or Twitter without having to worry about the main site’s credentials being used.

The vulnerability, discovered by Wang Jing, a PhD student in mathematics at the Nanyang Technological University in Singapore, could allow attackers to steal personal data from users and redirect them to questionable sites.

As Jing points out in a blog entry today, for OAuth 2.0, the attacks could primarily jeopardize the token of site users. If a user were to authorize the login, the attackers could then use that to access that user’s personal data. When it comes to OpenID, the attacker could get a user’s information directly, as it’s immediately transferred from the provider upon request.

At the crux of the problem is what Jing has dubbed a “covert redirect” vulnerability. An attacker could exploit the affected protocols and, via a pop-up message through Facebook for example, trick users into giving up their information on otherwise legitimate websites.

On Facebook that information could include a user’s email address, age, location, work history, etc.

According to Jing, who described the vulnerability today on his blog, it’s loosely modeled on an open redirect vulnerability, which according to OWASP is when an application takes a parameter and redirects users to the parameter value without any validation.

In Jing’s version of the attack, more or less the same thing is done, but with improper validation – this is because the vulnerable site considers the app associated with it trustworthy. After exploiting OAuth/OpenID, the attacker generates a phishing attack, abuses an actual site to pull the attack off and then the victim’s information is sent to the attacker instead of the site’s domain.

http://youtu.be/HUE8VbbwUms

Jing claims he’s contacted a handful of companies who use both OAuth and OpenID to discuss the problem but since it’s largely confined to third-party infrastructure, there’s only so much that can be done.

Facebook wrote Jing saying they understand the risks associated with OAuth 2.0 but that mandating each app that uses the site to follow a whitelist “isn’t something that can be accomplished in the short term.”

That concept, having third-party apps obey a whitelist, would help – as Jing points out “then there would be no room for attacks” – but is not a feasible or speedy fix.

“In the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” Jing wrote.

Elsewhere, Jing claims that Google told him they were “aware of the problem and are tracking it at the moment” and that LinkedIn actually indirectly acknowledged the problem back in March, asking that OAuth 2.0 users register their application’s redirect URLs with the social network by April to “enhance security” and better comply with the protocol’s specifications. While LinkedIn cannot whitelist the app, utilizing a callback URL means that after authentication the user will always be redirected to the real site and not to an attacker’s.
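The redirect URL registration described above can be sketched as follows; this is an added example, not code from the article, the researcher or any provider. It contrasts a domain-only check with an exact match against the registered callback. The client ID, hosts and URLs are constructed, and `client_id`, `redirect_uri` and `response_type` are the standard OAuth 2.0 parameter names, which the article does not spell out.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed registration data: the callback each client registered with the provider.
REGISTERED_CALLBACKS = {"demo-client": {"https://client.example/oauth/callback"}}

def domain_only_check(client_id, redirect_uri):
    """Weak: accept any URL whose host matches a registered callback's host."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_CALLBACKS.get(client_id, ())}
    return urlsplit(redirect_uri).hostname in hosts

def exact_match_check(client_id, redirect_uri):
    """Strict: the whole URL must equal a registered callback, character for character."""
    return redirect_uri in REGISTERED_CALLBACKS.get(client_id, ())

def decide(authorization_url, check):
    """Return 'redirect' or 'reject' for one authorization request URL."""
    params = parse_qs(urlsplit(authorization_url).query)
    client_ids = params.get("client_id", [])
    redirect_uris = params.get("redirect_uri", [])
    # A repeated or missing parameter is ambiguous, so refuse rather than guess.
    if len(client_ids) != 1 or len(redirect_uris) != 1:
        return "reject"
    return "redirect" if check(client_ids[0], redirect_uris[0]) else "reject"

def build_request(redirect_uri):
    """Build a constructed authorization request for the demo client."""
    query = urlencode({"client_id": "demo-client", "response_type": "token",
                       "redirect_uri": redirect_uri})
    return "https://provider.example/authorize?" + query

# Constructed redirect_uri values (all hosts are placeholders).
SAMPLES = {
    "registered callback": "https://client.example/oauth/callback",
    "other page on the client's domain":
        "https://client.example/go?url=https://attacker.example/collect",
    "look-alike host": "https://client.example.attacker.example/oauth/callback",
}

def compare():
    """Map each sample label to (domain-only decision, exact-match decision)."""
    return {label: (decide(build_request(uri), domain_only_check),
                    decide(build_request(uri), exact_match_check))
            for label, uri in SAMPLES.items()}

if __name__ == "__main__":
    for label, (weak, strict) in compare().items():
        print(f"{label:36} domain-only={weak:8} exact-match={strict}")
```

Only the second sample separates the two checks: the domain-only check lets the provider send the user to an unregistered page on the trusted client's domain, while the exact match refuses it.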

At the end of a video published today the researcher notes that a slew of other sites, some US-based, like Microsoft Live and GitHub, and some global, like VK, Weibo and Mail.Ru, are also vulnerable to the hole.

List of affected sites via Wang Jing, www.tetraph.com

PayPal, however, was quick to tell its users Friday this particular vulnerability shouldn’t be on their radar.

“We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure,” James Barrese, the CTO of PayPal said Friday, adding that the company has “engineered additional security measures” against the OAuth2.0/OpenID vulnerability.

Jing claims that Microsoft meanwhile conducted an investigation and confirmed that the vulnerability exists but that it’s present on a third-party site, different than the one that Jing reported (login.live.com).

As the researcher notes, simply patching the vulnerability is easier said than done.

“They have little incentive to fix the problem,” Jing wrote regarding the companies today, “One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.”

In reality it appears the best short-term fix would be to stop using OpenID/OAuth entirely until a fix is found.

Chris Wysopal, the CTO of Veracode, weighed in on the issue Friday, agreeing with Wang’s findings and warning of future attacks.

“This looks to be a very real issue,” Wysopal said, “OAuth 2.0 looks vulnerable to phishing and redirect attacks.”

“Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services,” Wysopal said.

The issue is a potentially serious one, especially on the heels of the Heartbleed OpenSSL vulnerability. Critics posit that OpenSSL is used on more than half of the SSL-protected Web servers worldwide and many of those users are still scrambling to patch vulnerable applications and change their passwords in the wake of revelations regarding last month’s flaw.

Discussion

  • Chris on

    Could this problem be solved with public/private key cryptography? When Facebook gives you back a token, could they encrypt the token with the legitimate application's public key, such that the legitimate application would be the only entity in a position to decrypt the token with their own private key?
  • Franco on

    Facebook, Google, etc. are still usable if you log in directly, but Paypal's whole business model depends on openid and oauth. When you use Paypal to buy something, you click on a link in the seller's page, which requires OAuth in order to pay for the item via Paypal. I hope that means that Paypal will step up and try to do something about this.
