Covert Redirect & OpenID / OAuth

Recently, on the back of Heartbleed, another web security vulnerability was "discovered", or so it was reported. The most prominent headline from last week was from CNET:

Serious security flaw in OAuth, OpenID discovered CNET

A more measured response to this "serious security flaw" has been documented by Symantec here.

This flaw caught my attention: I have been reviewing both OAuth and OpenID for an upcoming project, so I was naturally interested in what this serious security flaw actually was. While it does appear to be a flaw, it is a flaw in implementations, not in the OAuth or OpenID standards. A service provider is vulnerable if it uses open redirects without whitelisting, i.e. if the redirect can send the user on to a site or service that the provider of the redirect has not whitelisted.

In fact this is just the general vulnerability of open redirects. It is like saying anyone can pass through but I am not going to check who you are; in other words, passing through an airport where passport control doesn't bother to check who you are.

The OAuth specification actually states the following:

Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector as described in Section 10.15.
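To make the registration requirement concrete, here is an added example (not code from the original post or from any real provider) of the redirect_uri decision an authorization endpoint makes: a host-only match, which still lets the endpoint be used as an open redirector via any other path on the client's site, beside an exact match against the registered URIs. The client id, registered URI and sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample registration: the exact redirect URIs a client registered
# with the authorization server (what the spec's registration requirement implies).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}

def host_only_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any redirect_uri whose host matches a registered one.
    Any open redirector hosted on that site then turns the authorization
    endpoint into an open redirector as well."""
    registered_hosts = {urlsplit(u).netloc.lower()
                        for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return urlsplit(redirect_uri).netloc.lower() in registered_hosts

def exact_match_check(client_id: str, redirect_uri: str) -> bool:
    """Strict check: scheme, host, port, path and query must equal a registered
    URI exactly; a fragment component is rejected outright."""
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        return False
    candidate = (parts.scheme, parts.netloc.lower(), parts.path, parts.query)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        r = urlsplit(registered)
        if candidate == (r.scheme, r.netloc.lower(), r.path, r.query):
            return True
    return False

def authorize(client_id: str, redirect_uri: str, check=exact_match_check) -> str:
    """Authorization endpoint decision: a redirect_uri that fails the check is
    refused with an error shown to the user, never redirected to."""
    if not check(client_id, redirect_uri):
        return "error: invalid redirect_uri (not redirecting)"
    return f"redirect to {redirect_uri}"

if __name__ == "__main__":
    # Constructed sample: a request whose redirect_uri is some other path on the
    # client's own host. The host-only check lets it through; exact match does not.
    suspicious = "https://app.example.com/redirect?to=https://other.example/"
    print(authorize("client-123", suspicious, check=host_only_check))
    print(authorize("client-123", suspicious))
    print(authorize("client-123", "https://app.example.com/oauth/callback"))
```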

What this does highlight is the "jumping on the bandwagon" approach to news articles: when the facts are not investigated you get all this hype and scare mongering. So, what is the lesson from this?

  • don't believe everything you read
  • don't jump on the bandwagon
  • investigate the issue before scare mongering
  • whitelist your application's redirects and open redirects