OAuth Covert Redirect vulnerability
Just after the OpenSSL Heartbleed vulnerability, yet another major protocol is endangering the web: OAuth. Yesterday many sources announced that OAuth contains a vulnerability that allows attackers to abuse the OAuth flow to redirect victims to the attacker's website. Most importantly, it is the task of OAuth implementors (like Yireo) to fix this.
OAuth allows for a handshake between you, a site (like our Yireo site) and a remote service like Facebook. You grant the site permission to do things on Facebook on your behalf. During this handshake secret information is exchanged, but a redirect URL is also set, so that Facebook knows where to send you back to on the original site.
The problem is that the page you land on after coming back from Facebook is often itself a parameter: the original site is supposed to forward the visitor to a page on the original site. But if an attacker finds a way to put his own URL in that parameter, the visitor is redirected not to the original site but to the attacker's site, and whatever Facebook appended to the redirect URL (such as an access token) travels along. The attacker's site can then, for instance, contain phishing attempts or browser exploits.
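The flow described above, as an added example (not code from Yireo, Joomla! or any OAuth provider): a provider that only checks the host of the redirect URL, a client site whose OAuth callback forwards to a `next` parameter, and a browser that keeps the URL fragment across a 3xx redirect. The vulnerable callback is shown beside a hardened one that only accepts a local path. All hosts, parameter names and the token value are constructed for the example.

```python
"""Covert Redirect modelled end to end: provider, client callback, browser.
Added example; every host, parameter and token below is constructed."""
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

PROVIDER = "https://provider.test/oauth/authorize"   # constructed provider
CLIENT_ORIGIN = "https://example-client.test"        # constructed client site
REGISTERED_CALLBACK = CLIENT_ORIGIN + "/oauth/callback"
ATTACKER = "https://attacker.test/steal"             # constructed attacker site
TOKEN = "tok_constructed_secret"                     # constructed token value


def provider_accepts(redirect_uri: str) -> bool:
    """Loose check of the kind Covert Redirect relies on: only the host of
    redirect_uri must match the registered callback; path and query are free."""
    return urlsplit(redirect_uri).netloc == urlsplit(REGISTERED_CALLBACK).netloc


def callback_vulnerable(request_url: str) -> str:
    """Client callback with an open redirect: the Location header is built
    from the unvalidated 'next' query parameter."""
    return parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]


def is_local_path(target: str) -> bool:
    """True only for a plain path on this site. Rejects absolute URLs,
    scheme-relative //host forms, backslash tricks and embedded whitespace."""
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    if any(ch.isspace() for ch in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def callback_hardened(request_url: str) -> str:
    """Same callback with the check: anything that is not a local path falls
    back to the site root, and Location is always absolute on our own origin."""
    nxt = parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]
    if not is_local_path(nxt):
        nxt = "/"
    return urljoin(CLIENT_ORIGIN, nxt)


def attacker_authorize_url() -> str:
    """The link the attacker sends to the victim: a genuine provider URL whose
    redirect_uri is the client's own callback, with 'next' aimed at the attacker."""
    redirect_uri = REGISTERED_CALLBACK + "?" + urlencode({"next": ATTACKER})
    return PROVIDER + "?" + urlencode({
        "client_id": "client123",        # constructed client id
        "response_type": "token",        # implicit grant: token in the fragment
        "redirect_uri": redirect_uri,
    })


def run_flow(callback) -> str:
    """Simulate consent and the two redirects; returns the browser's final URL."""
    query = parse_qs(urlsplit(attacker_authorize_url()).query)
    redirect_uri = query["redirect_uri"][0]
    if not provider_accepts(redirect_uri):
        return "provider rejected redirect_uri"
    # Provider sends the browser back with the token in the fragment.
    landing = redirect_uri + "#access_token=" + TOKEN
    # The fragment never reaches the server; the callback sees only the rest.
    location = callback(landing.split("#", 1)[0])
    # RFC 7231 section 7.1.2: a Location without a fragment inherits the
    # fragment of the request being redirected, so the token follows along.
    fragment = urlsplit(landing).fragment
    if fragment and not urlsplit(location).fragment:
        location += "#" + fragment
    return location


if __name__ == "__main__":
    print("vulnerable callback ends at:", run_flow(callback_vulnerable))
    print("hardened callback ends at:  ", run_flow(callback_hardened))
```

With the vulnerable callback the browser ends on the attacker's site carrying the access token in the fragment; with the hardened callback it stays on the client's origin. The check on the client side is what the post asks implementors to fix; the provider-side counterpart is registering and comparing the complete redirect URI rather than just its host.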
Our extensions and this vulnerability
We only have two extensions that use OAuth to integrate functionality of third parties (like Facebook), both of them Joomla! extensions: TweetScheduler (integrating Facebook, Twitter and LinkedIn) and PayPal Access (integrating PayPal). TweetScheduler is affected in theory, but because its URLs are only accessible through the Joomla! backend, there is no threat here and nothing to fix.
Our PayPal Access extension for Joomla! (allowing you to implement a social login on your frontend using PayPal credentials) is vulnerable though. We have now released version 2.1 to fix this vulnerability. If you are using PayPal Access on your site, we recommend upgrading. We will notify all users soon.
Another place on our site where this vulnerability might have an effect is the social login of the third party LoginRadius. We have already contacted them to see whether their service is affected by Covert Redirect, but we assume they have already fixed this. The LoginRadius mechanism also requires a plugin on the Joomla! side. We have checked this plugin as well and it is not vulnerable.
Just to let you know.
UPDATE 06 May 2014
Many no longer see this as a vulnerability in OAuth itself but as a feature. However, if a site implements the OAuth redirect feature without properly checking where it redirects to, a vulnerability is the result. I personally consider this the same thing.
I've had contact with LoginRadius to double-check whether their service was safe. It was. Kudos for the quick response.
Written by Jisse Reitsma on 3 May 2014