分類:Privilege Escalation

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

yahoo_1

 

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

 

Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.

 

Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “It is working as designed". However, these vulnerabilities were patched later.

 

Several other security researcher complained about getting similar treatment, too.
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119

 

All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?

yahoo_wont_fix_meitu_1

 


From report of CNET, Yahoo’s users were attacked by redirection vulnerabilities. “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. "
http://www.cnet.com/news/yahoo-users-exposed-to-malware-attack/

 

Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

(1) Yahoo.com Open Redirect

 

Domain:
yahoo.com

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts more than half a billion consumers every month in more than 30 languages. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company." (Wikipedia)

 

Vulnerable URLs:

 

 

(2) Yahoo.co.jp Open Redirect

 

Domain:
yahoo.co.jp

 

“Yahoo! JAPAN Corporation (ヤフージャパン株式会社 Yafū Japan Kabushiki-gaisha?) is a Japanese internet company formed as a joint venture between the American internet company Yahoo! and the Japanese internet company SoftBank. It is headquartered at Midtown Tower in the Tokyo Midtown complex in Akasaka, Minato, Tokyo. Yahoo! Japan was listed on JASDAQ in November 1997. In January 2000, it became the first stock in Japanese history to trade for more than ¥100 million per share. The company was listed on the Tokyo Stock Exchange in October 2003 and became part of the Nikkei 225 stock market index in 2005. Yahoo! Japan acquired the naming rights for the Fukuoka Dome in 2005, renaming the dome as the “Fukuoka Yahoo! Japan Dome". The “Yahoo Dome" is the home field for the Fukuoka SoftBank Hawks, a professional baseball team majority owned by SoftBank." (Wikipedia)

Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

 

 

More Articles:
http://seclists.org/fulldisclosure/2014/Dec/88
http://marc.info/?l=full-disclosure&m=141897158416178&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01467.html
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html
https://hackertopic.wordpress.com/2015/01/15/yahoo-yahoo-japan-vulnerable-to-spams/
https://plus.google.com/110001022997295385049/posts/4GTENtJY9XE
https://twitter.com/justqdjing/status/546910373169741825
https://www.facebook.com/pcwebsecurities/posts/701648936647693
http://homehut.lofter.com/post/1d226c81_6e6884f
https://tetraph.wordpress.com/2014/12/28/yahoo-open-redirect/
http://itinfotech.tumblr.com/post/118511508076/securitypost-yahooyahoo-japan-may-be
https://computerpitch.wordpress.com/2015/01/27/yahoo-vulnerable-to-spams/
http://testingcode.lofter.com/post/1cd26eb9_73096b9
http://lifegrey.tumblr.com/post/120767572004/yahoo-url-redirection-bug
http://blog.163.com/greensun_2006/blog/static/1112211220155565419870/
http://aibiyi.blogspot.com/2015/06/yahoo-open-redirect.html
https://www.facebook.com/tetraph/posts/1659455054274454
http://www.inzeed.com/kaleidoscope/computer-web-security/yahoo-to-spams/
http://www.tetraph.com/blog/spamming/yahoo-url-redirection/

 

 

 

 

 

廣告

OAuth and OpenID Users Threatened by New Security Flaw, Covert Redirect

heartbleed_bug_hackers

 

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

 

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

 

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

 

Wang believes it’s unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

 

“The vulnerability is usually due to the existing weakness in the third-party websites," Wang writes on his own blog. “However, they have little incentive to fix the problem."

 

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

 

Normal phishing attempts can be easy to spot, because the malicious page’s URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

 

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

 

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

 

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

 

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

 

Wang told CNET Facebook had told him it “understood the risks associated with OAuth 2.0″ but that fixing the flaw would be “something that can’t be accomplished in the short term." Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

 

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there’s no company or dedicated team that could devote itself to fixing the issue.

 

 

Where does that leave things?

“Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service," Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

 

“It’s not easy to fix, and any effective remedies would negatively impact the user experience," Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. “Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."

 

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

 

If you think someone has gained access to one of your online accounts, notify the service and change that account’s password immediately.

 

 

 

 

 

Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

https://itswift.wordpress.com/2014/05/06/microsoft-google-facebook-attacked/

http://tetraph.blog.163.com/blog/static/2346030512015420103814617/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/