Student who exposed Covert Redirect deflects findings away from ID protocols

What started out as hunting bug bounties eventually turned into Internet scare

The Ph.d student who publicized the Covert Redirect Vulnerability clarified his findings over the weekend during an email exchange with ZDNet, downplaying the contention that two identity protocols are flawed.

Wang Jing said via email that he agrees the vulnerability he uncovered is centered on open redirects and not in OAuth or OpenID. Website and application developers have used open redirects long before the two identity protocols were developed.

With open redirects implemented in some websites and applications, the authors of both OAuth and OpenID realized the security implications and added mitigations for open redirection. Both specs specifically outline matching and validating the recipient of a redirect as the secure, and recommended, configuration.

Open redirects can allow a web browser to send credentials back to a URL that does not match the URL that originally requested the credentials, essentially hand-delivering personal data to a hacker.

“Almost all major companies do not check their third-party applications or partners properly, such as Amazon, Microsoft, Google, eBay, etc. This gives room to Covert Redirect,” Jing said via email.

When asked if it was correct to say the Covert Redirect vulnerability is found in redirects as implemented by companies (i.e. Facebook) and not in the protocols (i.e. written by standards groups such as the IETF and OpenID Foundation), Jing replied “yep.”

Last week, Jing reported a vulnerability he called Covert Redirect and said it was related to OAuth and OpenID.

The news touched off a number of stories claiming OAuth and OpenID, two protocols for federated single sign-on, were at fault and that Covert Redirect could be the next Heartbleed . Neither proved to be true . But it didn't help that Jing had named his discovery, created a website and even a logo complete with an explanation of its design.

But what Jing found were errors in some OAuth implementations. Regardless, Jing's report sent companies such as Google and PayPal into their war rooms to analyze the issue. Both were on Jing’s list of affected sites.

“Frankly, at the beginning, I was just attracted by the bug bounty programs,” said Jing. “So I started to do some testing on the big companies such as Google, Facebook, Yahoo. I found that they have Open Redirect vulnerabilities and a large number of [partner] companies list them on the whitelist. This makes the companies using a whitelist vulnerable to Covert Redirect. I used the name "Covert Redirect" for easy reference.”

Jing said that further exploration showed that the redirect vulnerabilities as implemented in websites also affected OAuth and OpenID when they were used on those sites.

In general, OAuth and OpenID let a user with a credential from one domain (i.e Yahoo) use that credential to sign on to another domain (i.e. Twitter).