Covert Redirect

eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services.” (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

Attachments area
Preview YouTube video Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs

pentest


Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs




Domain:
http://www.facebook.com



“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students.” (Wikipedia)



“Facebook had over 1.44 billion monthly active users as of March 2015.Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion.” (Wikipedia)





Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 



(1) General Vulnerabilities Description:

(1.1) Two Facebook vulnerabilities are introduced in this article.

Facebook has a computer cyber security bug problem. It can be exploited by Open Redirect attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon, eBay, Go-daddy, Yahoo, 163, Mail.ru etc.

 

(1.1.1)

One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched. However, all old generated URLs are still vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook’s third-party interaction system or database management system or both. Another reason may be related to Facebook’s design for different kind of browsers.

 

(1.1.2) Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).

The vulnerabilities can be attacked without user login. Tests were performed on IE (9.0) of Windows 8, Firefox (24.0) & Google Chromium 30.0.1599.114 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (12.10),Safari 6.1.6 of Mac OS X Lion 10.7.



(1.2) Facebook’s URL Redirection System Related to “*.php” Files

All URLs’ redirection are based on several files, such l.php, a.php, landing.php and so on.

The main redirection are based on file “l.php” (Almost all redirection links are using it right now).

For file “l.php”, one parameter “h” is used for authentication. When it mentions to file “a.php”, parameter “eid” is used for authentication. All those two files use parameter “u” for the url redirected to. In some other files such as “landing.php”, parameters such as “url”, “next” are used.

<1>For parameter “h”, two forms of authentication are used.

<a>h=HAQHyinFq

<b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA

<2>For parameter “eid”, one form of authentication is used.

<a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqaxLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWfgPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMBVm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMuwsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRKL7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFMav-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSlwSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH09Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYotLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEqR2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPwpWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA79TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJcDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJeif4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJerXPyK-IqsD_SQfIm_2WJSkzwzATwQKs

 

 

 


(2) Vulnerability Description 1:

(2.1) A security researcher reported two Open Redirect vulnerabilities to Facebook in 2013. The following are the two links reported.

Though a new mechanism was adopted. However, all old generated redirections still work by parameter “h” and “eid”.

 

 

(2.2) A website was used for the following tests. The website is “http://www.tetraph.com/“. Suppose this website is malicious.

(2.2.1)

<1>First test

<a>file: “l.php”

<b>URL parameter: “u”

<c>authentication parameter: “h”

<d>form: “h=HAQHyinFq”.

<e>The authentication has no relation with all other parameters, such as “s”.

Examples:

URL 1:

Redirect Forbidden:

Redirect Works:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

(2.2.2)

<2>Second test. It is the same situation as above.

<a>file: “l.php”,

<b>url parameter “u”

<c>authentication parameter: “h”

<d>form: “h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA”.

<e>The authentication has no relation to all other parameters, such as “env”, “s”.

 

Examples:

URL 1:

Redirect Forbidden:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

 

(3) Facebook File “a.php” Open Redirect Security Vulnerability

 

(3.1)

<a>file: “a.php”

<b>parameter “u”

<c> authentication parameter: “eid”

<d> form: “eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w”.

<e>The authentication has no relation to all other parameters, such as “mac”, “_tn_”.

Examples:

Vulnerable URL:

https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F%252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%253Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D8782431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER%257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCuD-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAkinLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgUY6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w

POC:

 

(3.2) Facebook Login Page Covert Redirect Security Vulnerability

Vulnerable URL Related to Login.php Based on a.php:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fopenhouse2014%252F%253Futm_source%253Dfacebook%2526utm_medium%253Dcpc%2526utm_campaign%253Dopenhouse2014%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

POC:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs





Those vulnerabilities were reported to Facebook in 2014 and they have been patched.





Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Facebook has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. Large number of Facebook bugs were published here. FD also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.








(4) Amazon Covert Redirect Security Vulnerability Based on Facebook

Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon.


Domain:
http://www.amazon.com


“American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

 

The vulnerability exists at “redirect.html?” page with “&location” parameter, e.g.

 

(4.1) When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com

 

(4.2) Use one of webpages for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. Suppose it is malicious.

Vulnerable URL:

POC:

 

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/22
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1428
http://lists.openwall.net/full-disclosure/2015/01/12/1
http://marc.info/?l=full-disclosure&m=142104333521454&w=4
http://diebiyi.com/articles/security/facebook-open-redirect/
https://www.facebook.com/essaybeans/posts/570476126427191
http://germancast.blogspot.de/2015/06/facebook-web-security-0day-bug.html
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://essaybeans.lofter.com/post/1cc77d20_7300027
http://qianqiuxue.tumblr.com/post/120750458855/itinfotech-facebook-web-security-0day-bug
https://www.facebook.com/permalink.php?story_fbid=472994806188548&id=405943696226993
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://www.tetraph.com/blog/phishing/facebook-open-redirect/
http://itinfotech.tumblr.com/post/120750347586/facebook-web-security-0day-bug
http://ittechnology.lofter.com/post/1cfbf60d_72fd108
http://russiapost.blogspot.ru/2015/06/facebook-web-security-0day-bug.html
https://twitter.com/tetraphibious/status/606676645265567744
https://plus.google.com/u/0/110001022997295385049/posts/hb6seddG561
http://whitehatpost.blog.163.com/blog/static/24223205420155501020837/
http://www.inzeed.com/kaleidoscope/computer-security/facebook-open-redirect/







Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

3d illustration of laptop computer with binary code stream

 

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

 

Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.

 

Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “It is working as designed”. However, these vulnerabilities were patched later.

 

Several other security researcher complained about getting similar treatment, too.
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119

 

All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?

yahoo_wont_fix_meitu_1

 


From report of CNET, Yahoo’s users were attacked by redirection vulnerabilities. “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ”
http://www.cnet.com/news/yahoo-users-exposed-to-malware-attack/

 

Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

(1) Yahoo.com Open Redirect

 

Domain:
yahoo.com

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts more than half a billion consumers every month in more than 30 languages. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company.” (Wikipedia)

 

Vulnerable URLs:

 

 

(2) Yahoo.co.jp Open Redirect

 

Domain:
yahoo.co.jp

 

“Yahoo! JAPAN Corporation (ヤフージャパン株式会社 Yafū Japan Kabushiki-gaisha?) is a Japanese internet company formed as a joint venture between the American internet company Yahoo! and the Japanese internet company SoftBank. It is headquartered at Midtown Tower in the Tokyo Midtown complex in Akasaka, Minato, Tokyo. Yahoo! Japan was listed on JASDAQ in November 1997. In January 2000, it became the first stock in Japanese history to trade for more than ¥100 million per share. The company was listed on the Tokyo Stock Exchange in October 2003 and became part of the Nikkei 225 stock market index in 2005. Yahoo! Japan acquired the naming rights for the Fukuoka Dome in 2005, renaming the dome as the “Fukuoka Yahoo! Japan Dome”. The “Yahoo Dome” is the home field for the Fukuoka SoftBank Hawks, a professional baseball team majority owned by SoftBank.” (Wikipedia)

Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

 

 

More Articles:
http://seclists.org/fulldisclosure/2014/Dec/88
http://marc.info/?l=full-disclosure&m=141897158416178&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01467.html
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html
https://hackertopic.wordpress.com/2015/01/15/yahoo-yahoo-japan-vulnerable-to-spams/
https://plus.google.com/110001022997295385049/posts/4GTENtJY9XE
https://twitter.com/justqdjing/status/546910373169741825
https://www.facebook.com/pcwebsecurities/posts/701648936647693
http://homehut.lofter.com/post/1d226c81_6e6884f
https://tetraph.wordpress.com/2014/12/28/yahoo-open-redirect/
http://itinfotech.tumblr.com/post/118511508076/securitypost-yahooyahoo-japan-may-be
https://computerpitch.wordpress.com/2015/01/27/yahoo-vulnerable-to-spams/
http://testingcode.lofter.com/post/1cd26eb9_73096b9
http://lifegrey.tumblr.com/post/120767572004/yahoo-url-redirection-bug
http://blog.163.com/greensun_2006/blog/static/1112211220155565419870/
http://aibiyi.blogspot.com/2015/06/yahoo-open-redirect.html
https://www.facebook.com/tetraph/posts/1659455054274454
http://www.inzeed.com/kaleidoscope/computer-web-security/yahoo-to-spams/
http://www.tetraph.com/blog/spamming/yahoo-url-redirection/

 

 

 

 

 

Google DoubleClicK System Bugs Could Be Used by Spammers

887

 

Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers

 

Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.

 

However, Google might have overlooked the security of its DoubleClick.net ​advertising system. After some test, it is found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect vulnerabilities. Many redirection are likely to be affected. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

These redirections can be easily used by spammers, too.

 

Some URLs belong to Googleads.g.Doubleclick.net are vulnerable to Open Redirect attacks, too. While Google prevents similar URL redirections other than Googleads.g.Doubleclick.net. Attackers can use URLs related to Google Account to make the attacks more powerful.

 

Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Yahoo, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security security bug problems have not been patched. Other similar web and computer attacks will be published in the near future.

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Background Related to Google DoubleClick.net.

(1.1) What is DoubleClick.net?

DoubleClick is a subsidiary of Google which develops and provides Internet ad serving services. Its clients include agencies, marketers (Universal McCann, AKQA etc.) and publishers who serve customers like Microsoft, General Motors, Coca-Cola, Motorola, L’Oréal, Palm, Inc., Apple Inc., Visa USA, Nike, Carlsberg among others. DoubleClick’s headquarters is in New York City, United States.

 

DoubleClick was founded in 1996 by Kevin O’Connor and Dwight Merriman. It was formerly listed as “DCLK” on the NASDAQ, and was purchased by private equity firms Hellman & Friedman and JMI Equity in July 2005. In March 2008, Google acquired DoubleClick for US$3.1 billion. Unlike many other dot-com companies, it survived the dot-com bubble and focuses on uploading ads and reporting their performance.” (Wikipedia)

 

(1.2) Reports Related to Google DoubleClick.net Used by Spammers

(1.2.1)

Google DoublClick.net has been used by spammers for long time. The following is a report in 2008.

 

“The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google’s domain.”
https://www.virusbtn.com/blog/2008/06_03a.xml?comments

 

(1.2.2)

Mitechmate published a blog related to DoubleClick.net spams in 2014.

 

Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money.Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer insecurely.Ad.doubleclick.net is not just annoying, this malware traces users’ personal information, which would be utilized for cyber criminal.”
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/

 

(1.2.3)

Malwarebytes posted a news related to DoubleClick.net malvertising in 2014.

 

 

(2) DoubleClick.net System URL Redirection Vulnerabilities Details.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Used webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. We can suppose that this webpage is malicious.

 

 

(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.

(2.1.1)

Some URLs belong to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks. While Google prevents similar URL redirection other than googleads.g.doubleclick.net.

 

Vulnerable URLs:

 

POC:

 

Attackers can make use of the following URLs to make the attacks more powerful, i.e.

 

POC:

 

 

(2.1.2)

While Google prevents similar URL redirection other than googleads.g.doubleclick.net , e.g.

 

 

 

(2.2) Vulnerable URLs Related to DoubleClick.net.

Vulnerable URLs 1:

 

POC:

 

Vulnerable URLs 2:

 

POC:

 

Vulnerable URLs 3:

 

POC:

 

 

We can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers.

 

 

 

(2.3)

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Google has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

 

(3) Google DoubleClick.net Can Adversely Affect Other Websites.

At the same time, Google DoubleClick.net can be used to do “Covert Redirect” to other websites, such as Google, eBay, The New York Times, etc.(Bypass other websites’ Open Redirect filters)

 

 

(3.1) Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results. Google was founded by Larry Page and Sergey Brin while they were Ph.D. students at Stanford University. Together they own about 14 percent of its shares but control 56 percent of the stockholder voting power through supervoting stock. They incorporated Google as a privately held company on September 4, 1998. An initial public offering followed on August 19, 2004. Its mission statement from the outset was “to organize the world’s information and make it universally accessible and useful,” and its unofficial slogan was “Don’t be evil”. In 2004, Google moved to its new headquarters in Mountain View, California, nicknamed the Googleplex. The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.2) eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
ebay.com

 

“eBay Inc. (stylized as ebay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services. It is not a free website, but charges users an invoice fee when sellers have sold or listed any items.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.3) The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

Domain:
nytimes.com

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has yet taken any actions. All of the vulnerabilities are still not patched.

 

 

 

 

Related Posts:
http://seclists.org/fulldisclosure/2014/Nov/28
https://cxsecurity.com/issue/WLB-2014110106
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1192
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01307.html
http://computerobsess.blogspot.com/2014/11/google-doubleclicknetadvertising-system.html=
http://www.techenet.com/2014/12/doubleclick-do-google-pode-ser-vulneravel-a-ataques/
https://computertechhut.wordpress.com/2014/11/12/google-doubleclick-spam/
http://mathpost.tumblr.com/post/120760828940/tetraph-google-doubleclick-net-advertising
http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system
https://www.facebook.com/essayjeans/posts/838922772865543
https://plus.google.com/u/0/+essayjeans/posts/Y12x6gXfyFX
http://mathstopic.blogspot.com/2015/06/google-doubleclick-spam.html
http://itsecurity.lofter.com/post/1cfbf9e7_72fe79f
https://twitter.com/essayjeans/status/606726247578636288
http://tetraph.tumblr.com/post/120760676767/google-doubleclick-net-advertising-system-url
https://itinfotechnology.wordpress.com/2014/11/18/google-doubleclick-spam/
https://www.facebook.com/permalink.php?story_fbid=945171075538075
http://guyuzui.lofter.com/post/1ccdcda4_7305f25
http://tetraph.blog.163.com/blog/static/23460305120155534216326/
http://www.inzeed.com/kaleidoscope/spamming/google-doubleclick-spam/

 

 

Des vulnérabilités pour les boutons types « S’identifier avec Facebook »

Quelques semaines seulement après la découverte du bug Heartbleed, les utilisateurs moyens comme vous et moi pourraient s’inquiéter d’un autre problème très répandu qui ne sera pas facile à réparer. Il s’agit du bug « Covert Redirect » récemment révélé par Wang Jing, un étudiant en doctorat de mathématiques à l’université de technologie de Nanyang à Singapour. Le problème a été détecté au sein des célèbres protocoles Internet OpenID et OAuth. Le premier est utilisé quand vous vous identifiez dans des sites qui utilisent vos profils Google, Facebook, LinkedIn, etc. Le deuxième est utilisé quand vous vous autorisez des sites, des applications ou des services avec Facebook/G+/etc., sans révéler pour autant votre mot de passe à ces sites externes. Ces deux protocoles sont utilisés ensemble et vous pourriez bien être en train de communiquer vos informations aux mauvaises personnes.

 

Facebook Hacker received reward for Remote code execution vulnerability


La menace

Nos amis de Threatpost ont une explication du problème plus technique ainsi qu’un lien vers la recherche originale, mais nous vous épargnerons les détails inutiles et allons vous décrire le possible scénario d’attaque et ces conséquences. Premièrement, dans le cas où un utilisateur visiterait un site d’hameçonnage qui utilise le bouton « S’identifier avec Facebook ». Un site peut ressembler de prêt à un service populaire ou se faire passer pour un tout nouveau service. Ensuite, une vraie fenêtre Facebook/G+/LinkedIn s’ouvrira, demandant à l’utilisateur de rentrer son nom d’utilisateur et son mot de passe afin d’autoriser le service à accéder au profil de l’utilisateur. Enfin, l’autorisation d’utiliser le profil est envoyée au mauvais site (d’hameçonnage) en utilisant une redirection incorrecte.

 

Une vraie fenêtre Facebook/G+/LinkedIn s’ouvrira, demandant à l’utilisateur de rentrer son nom d’utilisateur et son mot de passe afin d’autoriser le service à accéder au profil de l’utilisateur.

 

En fin de compte, un cybercriminel reçoit l’autorisation d’accéder au profil de la victime (jeton OAuth) avec toutes les permissions que les applications ont en général, et dans le pire des cas, avec l’habilité d’accéder aux contacts de l’utilisateur, d’envoyer des messages, etc.




Est-ce réparé ? Pas vraiment.

Cette menace ne disparaîtra pas de si tôt, car la réparation devra être aussi bien réalisée du côté du fournisseur (Facebook, LinkedIn, Google, etc.) que du côté du client (le service ou l’application externe). Le protocole OAuth est toujours en version Beta et plusieurs fournisseurs utilisent différentes mises en place qui varient selon leur habilité de contre-attaquer l’attaque mentionnée précédemment. LinkedIn est mieux positionné pour mettre en place la réparation et gère les choses de manière plus stricte en exigeant que le développeur du service externe fournisse une « liste blanche » des redirections correctes. Pour le moment, chaque application qui utilise une autorisation LinkedIn est soit sécurisée soit non fonctionnelle. Les choses sont différentes pour Facebook qui dispose malheureusement d’un très grand nombre d’applications externes et peut-être d’une version de OAuth plus ancienne. C’est pourquoi les porte-paroles de Facebook ont informé Jing que la création d’une liste blanche « n’est pas quelque chose qui pourra être mis en place à court terme ».


Il existe de nombreux autres fournisseurs qui semblent être vulnérables (regardez la photo), donc si vous vous identifiez dans certains sites en utilisant ces services, vous devez prendre des mesures.




Votre plan d’action

Pour les plus prudents, la solution infaillible serait d’abandonner l’utilisation d’OpenID et ces fameux boutons « S’identifier avec… » pendant quelques mois. Cela vous permettra peut-être également de renforcer votre confidentialité, car autoriser ces identifications sur des réseaux sociaux rend votre activité en ligne plus facile à suivre et permet à de plus en plus de sites de lire vos données démographiques de base. Pour éviter d’avoir à mémoriser différents identifiants sur tous ces sites, commencez à utiliser un gestionnaire de mots de passe efficace. La plupart des services, de nos jours, sont équipés de clients multiplateformes et de synchronisation avec le Cloud afin de garantir un accès à vos mots de passe sur tous les ordinateurs que vous possédez.

 

Néanmoins, si vous avez l’intention de continuer à utiliser l’autorisation OpenID, il n’y a pas de danger immédiat. Vous devez juste faire attention et éviter les arnaques d’hameçonnage qui commencent typiquement par un message étrange dans votre boîte de réception ou par un lien provocateur sur Facebook et autres réseaux sociaux. Si vous vous authentifiez dans un service utilisant Facebook/Google/etc., assurez-vous que vous accédez au site de ce service en tapant l’adresse manuellement ou en utilisant un marque page, et non pas le lien contenu dans vos e-mails ou votre messagerie. Vérifiez bien la barre d’adresse afin de ne pas vous rendre sur des sites louches et ne souscrivez pas de nouveaux services avec OpenID, sauf si vous êtes certain à 100% que le service est réputé et qu’il s’agit bien du bon site. De plus, nous vous conseillons d’utiliser une solution de navigation sécurisée telle que Kaspersky Internet Security – Multi-Device qui empêchera votre navigateur de visiter des endroits dangereux tels que des sites d’hameçonnage.


Il s’agit juste de mesures de précaution, que tous les utilisateurs Internet devraient prendre chaque jour, car les menaces d’hameçonnage sont très répandues et efficaces et peuvent mener à toutes sortes de pertes numériques, y compris à la perte de numéros de carte bancaire, d’identifiants de messagerie, etc. Le bug « Covert Redirect » dans OpenID et OAuth n’est qu’une raison supplémentaire de les suivre, et ce, sans exception.

 

 

 


Articles Liés:

http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/

 

 

 

 

 

Continúan los problemas: OAuth y OpenID también son vulnerables

Un nuevo fallo de seguridad amenaza Internet. En este caso se trata de Covert Redirect y ha sido descubierto por un estudiante chino en Singapur. Las empresas tienen en sus manos solucionar este problema.

 

covert_redirect_logo_tetraph

 

Cuando aún resuenan los ecos de Heartbleed y el terremoto que sacudió la red, nos acabamos de enterar que otra brecha de seguridad compromete Internet. En este caso se trata de un fallo que afecta a páginas como Google, Facebook, Microsoft, Linkedin, Yahoo, PayPal, GitHub o Mail.ru que usan estas herramientas de código abierto para autenticar a sus usuarios.

 

Este error permitiría a un atacante haga creer a un usuario que una nueva ventana que redirija a Facebook es segura cuando en realidad no lo es. Hasta aquí la técnica se parece al phishing pero lo que hace lo hace diferente es que Covert Redirect, que así se llama el nuevo exploit, usa el dominio real pero hace un bypass del servidor para conseguir la info. Lo mejor que podemos hacer cuando estemos navegando y pulsemos en un sitio que abre un pop up que nos pide logearnos en Facebook o Google es cerrar esa ventana para evitar que nos redirija a sitios sospechosos.

 

Wang Jing, estudiante de doctorado en la Universidad Técnica de Nanyang (Singapur), es quien ha descubierto la vulnerabilidad y le ha puesto nombre. El problema, según Jing, es que ni el proveedor ni la compañía quieren responsabilizarse de esta brecha ya que costaría mucho tiempo y dinero. Seguramente, ahora que se conoce el caso, las compañías se pondrán manos a la obra.

 

 

 

Artículos Relacionados:

Falha de segurança afeta logins de Facebook, Google e Microsoft

internet connection concept, 3d generated image

Um estudante de PHD de Singapura, Wang Jing, identificou a falha, chamada de “Covert Redirect”, que consegue usar domínios reais de sites para verificação de páginas de login falsas, enganando os internautas.

 

Os cibercriminosos podem criar links maliciosos para abrir janelas pop-up do Facebook pedindo que o tal aplicativo seja autorizado. Caso seja realizada esta sincronização, os dados pessoais dos usuários serão passados para os hackers.

 

Wang afirma que já entrou em contato com o Facebook, porém recebeu uma resposta de que “entende os riscos de estar associado ao OAuth 2.0″ e que corrigir a falha “é algo que não pode ser feito por enquanto”.

 

O Google afirmou que o problema está sendo rastreado, o LinkedIn publicou nota em que garante que já tomou medidas para evitar que a falha seja explorada, e a Microsoft negou que houvesse vulnerabilidade em suas páginas, apenas nas de terceiros.

 

A recomendação do descobridor da falha para os internautas é que evitem fazer o login com dados de confirmação de Facebook, Google ou qualquer outro serviço sem terem total certeza de que estão em um ambiente seguro.

 

 

Especialistas: erro é difícil de corrigir

O site CNET ouviu dois especialistas em segurança virtual sobre o assunto. Segundo Jeremiah Grossman, fundador e CEO interino da WhiteHat Security, afirma que a falha “não é fácil de corrigir”. Segundo Chris Wysopal, diretor da Veracode, a falha pode enganar muita gente.

 

“A confiança que os usuários dão ao Facebook e outros serviços que usam OAuth pode tornar mais fácil para os hackers enganarem as pessoas para que elas acabem dando suas informações pessoais a ele”, afirma Wsyopal.

 

 

 

notícias relacionadas:

하트블리드 이어 ‘오픈ID’와 ‘오쓰(OAuth)’서도 심각한 보안 결함

covert_redirect_logo_tetraph


‘하트블리드(Heartbleed)’ 버그에 이어 가입자 인증 및 보안용 오픈소스 SW인 ‘오픈ID’와‘오쓰(OAuth)’에도 심각한 결함이 발견됐다고 씨넷, 벤처비트 등 매체들이 보도했다.

 

싱 가폴난양대학교에 재학중인 ‘왕 징(Wang Jing)’ 박사는 수 많은 웹사이트와 구글, 페이스북, 링크드인, MS, 페이팔 등에서 사용하고 있는 로그인 툴인 ‘OAuth’와‘오픈ID’에 치명적인 결함이 발견됐다고 밝혔다. ‘코버트리디렉트(Covert Redirect)’라고 일컬어지는 이 결함은 감염된 도메인의 로그인 팝업을 통해 해킹이 이뤄진다.

 

가 령 인터넷 사용자들이 악의적인 피싱 사이트를 클릭하면 가입자 인증을 위해 페이스북 팝업 윈도가 뜨는데 가입자를 속이 기위해 가짜 도메인 이름을 사용하는 것이 아니라 진짜 사이트의 도메인을 활용한다고 한다. 만일 가입자가 로그인을 하면 합법적인 사이트가 아니라 피싱사이트로 e메일 주소, 생일, 연락처 등 개인 정보들이 흘러들어간다.

 

왕 은 페이스북 등 업체에 이 같은 결함을 알렸으며 페이스북은 결함이 OAuth 2.0가 연관된 것으로 인식하고 있지만 짧은 시간내 해결될 수는 없을 것이란 답을 얻은 것으로 알려졌다. 왕은 이번 결함이 구글, 링크드인, 마이크로소프트, 페이스북, 페이팔 등 다수의 오픈ID와 OAuth를 활용하는 기업들이 영향을 받을 것으로 예상했다.

 

왕 은 “제3의 애플리케이션 개발자들이 화이트리스트를 엄격하게 적용하면 해커 공격의 빌미를 제공하지 않을 것”이라고 말했다. 하지만 “실제로 많은 애플리케이션 개발자들이 여러가지 이유로 이런 조치를 취하지않고 있다는 게 OAuth 2.0과 오픈ID의 결함 문제를 심각하게 만들고 있다”고 덧붙였다.

 

 



 

Sicherheitslücke in OAuth 2.0 und OpenID gefunden

covert_redirect3

Wang Jing, Student an der Nanyang Technological University in Singapur, hat nach dem Bekanntwerden des OpenSSL-Heartbleed-Lecks, eine weitere schwere Sicherheitslücke entdeckt, diesmal in den Authentifizierungsmethoden OAuth 2.0 und OpenID. Die als “Covert Redirect” (“Heimliche Umleitung”) benannte Sicherheitslücke ermöglicht es Angreifern, dem Nutzer einen echt aussehenden Login-Screen unterzujubeln und sich so Zugriff auf die bereitgestellten Daten zu verschaffen. Das gefährliche daran: Die Sicherheitslücke besitzt – anders als bisher bekannte Fishing-Versuche – eine legitime Domainadresse, kann also über einen Blick in die URL-Zeile des Browsers nicht oder nur sehr schwer entlarvt werden. Auf OAuth 2.0 und OpenID bieten inzwischen zahlreiche Webdienste um einen direkten Login in andere Dienste und Apps zu ermöglichen, darunter auch Google, Facebook, Microsoft und Co.

 

So ist es möglich, dem Nutzer eine Mail mit einem speziell präparierten Link zukommen zu lassen, ein Klick auf diesen öffnet eben wie gesagt eine legitime Adresse samt entsprechendem Logo. Autorisiert der Nutzer dann diese Anfrage und loggt sich in den Dienst ein, so werden die Daten nicht an die vermeintliche App weitergeleitet, sondern gelangen eben in den Besitz des Angreifers. Je nachdem, welche Daten abfragt werden, bekommt dieser somit also E-Mail-Adresse, Geburtsdatum, Kontaktlisten und dergleichen. Ebenso ist es möglich, den Nutzer nach dem Login auf eine beliebige Webseite, welche unter Umständen Malware verbreitet, weiterzuleiten.



covert-redirect-11

 

covert-redirect-12


Die Lösung des Problems könnte aber – wenn es überhaupt einmal eine geben sollte – eine langwierige Sache sein. Wang Jing hat bereits etliche größere Anbieter der Loginmethoden angeschrieben und über die gefundene Sicherheitslücke aufgeklärt, hierbei gab es jedoch unterschiedliche Aussagen. Im Hause Google beobachtet man das Problem, Microsoft ist sich keiner Schuld bewusst und schiebt die Sicherheitslücke an Drittanbieter ab. Lediglich Facebook scheint hier ehrlich zu sein und gibt an, dass es sich dabei um ein grundsätzliches Problem von OAuth 2.0 und OpenID handelt – möchte man nicht eine umfangreiche Whitelist mit sämtlichen nicht-schädlichen Apps pflegen, ist die Sicherheitslücke nicht “mal eben so” zu beheben. Im Grunde dürften sich sämtliche Gegenmaßnahmen negativ auf die Nutzererfahrung auswirken, was natürlich keiner der Dienste in Kauf nehmen möchte – und so bleibt es hierbei scheinbar beim “kleineren Übel” für die Anbieter.




Direktlink zum Video:
https://www.youtube.com/watch?v=HUE8VbbwUms



So bleibt eigentlich nur die Möglichkeit, auf OAuth 2.0 oder OpenID als Login-Methode für Drittanbieter Dienste und Apps zu verzichten oder genauestens darauf zu achten, auf was man klickt. Hat man keine explizite Autorisierung angestoßen, sollte man die geöffneten Tabs umgehend schließen und darauf hoffen, dass sich nicht doch irgendwo ein falscher Link eingepfercht hat.



Quelle:
http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/