Thursday, 24 July 2014 (Одноклассники ) Online Website Covert Redirect Web Security Bugs Based on






 (Одноклассники ) Online Website Covert Redirect Web Security Bugs Based on

(1) Domain:

"Odnoklassniki, (Russian: Одноклассники -Classmates) is a social network service for classmates and old friends. It is popular in Russia and former Soviet Republicsz. The site was developed by Albert Popkov on March 4, 2006. The website currently claims that it has more than 200 million registered users and 45 million daily unique visitors. Users have to be at least seven years old to make an account. Odnoklassniki also currently has an Alexa Internet traffic ranking of 69 worldwide and 7 for Russia. Revenues in the first quarter of 2008 for Odnoklassniki amounted to $3.3 million. The site has been online for at least eight years. Compared with internet averages,'s users tend to be under the age of 35, and they tend to be men earning less than $30,000 who have postgraduate educations and browse from home. The site is particularly popular among users in Kyrgyzstan (where it is ranked #4) and Armenia (#5)." (Wikipedia)

(2) Vulnerability Description: web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0. (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

The vulnerability occurs at "" page with "&" parameter, i.e.

(2.1) When a user is redirected from to another site, will check whether the redirected URL belongs to domains's whitelist, e.g.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from directly.

One of the vulnerable domain is,

(2.2) Use one of  webpages for the following tests. The webpage address is "". Can suppose that this webpage is malicious.

Vulnerable URL:


POC video:

Blog Detail:

(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

More Details:

No comments:

Post a Comment