Monday, 1 September 2014

GitHub Website Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

GitHub Website Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain:

"GitHub is a web-based Git repository hosting service, which offers all of the distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. Unlike Git, which is strictly a command-line tool, GitHub provides a web-based graphical interface and desktop as well as mobile integration. It also provides access control and several collaboration features such as wikis, task management, and bug tracking and feature requests for every project. GitHub offers both plans for private repositories and free accounts, which are usually used to host open-source software projects. As of 2015, GitHub reports having over 9 million users and over 21.1 million repositories, making it the largest code hoster in the world." (Wikipedia)

(2) Vulnerability Description:
GitHub web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0. (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

(2.1) Vulnerability Detail:
GitHub's OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to GitHub.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (not all apps),

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

The vulnerabilities occurs at page "oauth/authorize?" with parameter "&redirect_uri", e.g.

Before acceptance of third-party application:
When a logged-in GitHub user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".

If a user has not logged onto GitHub and clicks the URL ([1]) above, the same situation will happen upon login.

After acceptance of third-party application:
A logged-in GitHub user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

(2.1.1) GitHub would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks. 

Hence, a user could be redirected from GitHub to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from GitHub directly. The number of GitHub's OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

More seriously, some third-party websites may allow all URLs (even not belong to themselves) for "&redirect_uri" parameter.

Before acceptance of the third-party application, GitHub's OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass GitHub's authentication system and attack more easily.

It might be of GitHub's interest to patch up against such attacks. 

(2.2) Use one of my webpages for the following tests. The webpage is "". Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:

Vulnerable URL from GitHub that is related to


(2.3) The following URLs have the same vulnerabilities.

POC Video:

Blog Detail:

(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Related Articles:

No comments:

Post a Comment