“For OAuth 2.0, these attacks might jeopardize the token of the site users, which could be used to access user information,” he wrote in a blog. “In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If the token has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.”
For OpenID, the attackers may obtain a user's information directly, Jing said.
“Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved,” he said.
Because the vulnerability is opened by way of third-party applications, fixing the vulnerability presents a conundrum: Who should be responsible? “If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” he said. “However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”
Facebook concurred, Jing said, telling him that “Short of forcing every single application on the platform to use a whitelist, which isn’t something that can be accomplished in the short term, do you have any recommendations on actions we can take here?”
Jing responded: “In my reply, I suggested, ‘For any URL, it has a particular value &h. If the URL is changed, there is no permission any more. That means the modified URL will not get any &h, because it is illegal.’”
Facebook replied: “As you mentioned, that’s how our Linkshim system works. As I said, that doesn’t seem to be a feasible solution for an OAuth endpoint where the URL needs to be provided by a third-party site to arbitrary random users.”
LinkedIn is taking a whitelist approach, and has asked its developers to register their applications’ redirect URLs with the site. “By confirming that the redirect_uri in your OAuth 2 authorization request matches a URL you’ve provided to us in advance, we are better able to protect you from people who may try to abuse your API key,” it wrote in a blog.
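The check LinkedIn describes above is an exact comparison of the `redirect_uri` in the authorization request against a value the developer registered in advance, which is also what OAuth security guidance recommends over host-only or prefix matching. The following Python is an added example, not code from LinkedIn, Facebook or any other provider named here; the client id, registered callback and request URIs are constructed sample values. It puts the loose host-only policy beside the exact-match policy so the difference Jing points at ("if the URL is changed, there is no permission any more") is visible on concrete inputs.

```python
from urllib.parse import urlsplit

# Constructed sample registry (hypothetical client id and callback):
# the redirect URIs a client registered with the provider in advance.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example/oauth/callback"},
}

# Constructed sample authorization requests: (client_id, redirect_uri).
SAMPLE_REQUESTS = [
    ("client-123", "https://app.example/oauth/callback"),                   # the registered value
    ("client-123", "https://app.example/oauth/callback?state=abc"),         # registered value plus a query
    ("client-123", "https://app.example/redirect?to=https://other.example/"),  # a different endpoint on the same host
    ("client-123", "https://unrelated.example/oauth/callback"),             # same path on another host
    ("client-999", "https://app.example/oauth/callback"),                   # client id never registered
]


def domain_only_check(client_id: str, redirect_uri: str) -> bool:
    """Loose policy: accept any https redirect_uri whose host appears in the
    client's registered URIs. Every other endpoint on that host, including
    any redirector the third-party site happens to expose, is accepted too."""
    allowed_hosts = {
        urlsplit(uri).netloc for uri in REGISTERED_REDIRECT_URIS.get(client_id, ())
    }
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in allowed_hosts


def exact_match_check(client_id: str, redirect_uri: str) -> tuple[bool, str]:
    """Strict policy: redirect_uri must equal a pre-registered URI character for
    character. Returns (allowed, reason) so the decision can be logged."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return False, "unknown client_id"
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False, "redirect_uri must use https"
    if parts.fragment:
        return False, "redirect_uri must not carry a fragment"
    if redirect_uri in registered:
        return True, "exact match with a pre-registered redirect_uri"
    return False, "redirect_uri differs from every pre-registered value"


def compare_policies():
    """Evaluate each constructed request under both policies.
    Returns (redirect_uri, domain_only_result, exact_match_result) per request."""
    return [
        (uri, domain_only_check(cid, uri), exact_match_check(cid, uri)[0])
        for cid, uri in SAMPLE_REQUESTS
    ]


if __name__ == "__main__":
    for uri, loose, strict in compare_policies():
        print(f"{uri:60} host-only={loose!s:5} exact={strict!s:5}")
```

Only the first request passes the exact-match policy; the host-only policy also waves through the second and third, which is exactly the gap the article's "whitelist" discussion is about. A provider that wants to allow several callbacks simply registers each one; a provider that normalizes or prefix-matches reopens the problem.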
Other tech giants responded in varying ways, Jing said: “Google said that it is aware of the problem and is tracking it at the moment. Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third party, different from the one reported by me (login.live.com). They recommended that I report the issue to the third party instead,” he said. “Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation as soon as possible. Taobao closed my report without providing a reason. Yahoo did not reply.”
“They have little incentive to fix the problem,” Jing wrote. “One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.”
PayPal, however, is not affected, it said in an online statement. “We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure,” said James Barrese, PayPal's CTO. The payments company has “engineered additional security measures” against the OAuth 2.0/OpenID vulnerability, he said.