Paypal Online Website OAuth 2.0 Covert Redirect (OpenIDconnect) Web Security Bugs (Information Leakage & Open Redirect)
(1) Domain:
paypal.com
"PayPal is an American worldwide online payments system. Online money transfers serve as electronic alternatives to traditional paper methods like checks and money orders. PayPal is one of the world's largest internet payment companies.The company operates as an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. Established in 1998, PayPal (NASDAQ: PYPL) had its IPO in 2002, and became a wholly owned subsidiary of eBay later that year. In 2014, PayPal moved $228 billion in 26 currencies across more than 190 nations, generating a total revenue of $7.9 billion (44% of eBay’s total profits). The same year, eBay announced plans to spin-off PayPal into an independent company the following year." (Wikipedia)
(2) Vulnerability Description:
Paypal web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.
The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.
(2.1) Vulnerability Detail:
PayPal's OAuth
2.0 system is susceptible to Attacks. More specifically, the
authentication of parameter "&redirct_uri" in OAuth 2.0 system is
insufficient. It can be misused to design Open Redirect Attacks to
PayPal.
At the same
time, it can be used to collect sensitive information of both
third-party app and users by using the following parameters,
"&response_type"=code,token...
"&scope"=email,user_birthday,user_likes...
It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.
The vulnerability occurs at page "/openidconnect/v1/authorize?" with parameter "&redirect_uri", e.g.
Before acceptance of third-party application:
When a
logged-in PayPal user clicks the URL ([1]) above, he/she will be asked
for consent as in whether to allow a third-party website to receive
his/her information. If the user clicks OK, he/she will be then
redirected to the URL assigned to the parameter "&redirect_uri".
If a user has not logged onto PayPal and clicks the URL ([1]) above, the same situation will happen upon login.
After acceptance of third-party application:
A logged-in
PayPal user would no longer be asked for consent and could be redirected
to a webpage controlled by the attacker when he/she clicks the URL
([1]).
For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.
(2.1.1) PayPal
would normally allow all the URLs that belong to the domain of an
authorized third-party website. However, these URLs could be prone to
manipulation. For example, the "&redirect_uri" parameter in the URLs
is supposed to be set by the third-party websites, but an attacker
could change its value to make Attacks.
Hence, a user
could be redirected from PayPal to a vulnerable URL in that domain first
and later be redirected from this vulnerable site to a malicious site
unwillingly. This is as if the user is redirected from PayPal directly.
The number of PayPal's OAuth 2.0 client websites is so huge that such
Attacks could be commonplace.
Before
acceptance of the third-party application, PayPal's OAuth 2.0 system
makes the redirects appear more trustworthy and could potentially
increase the likelihood of successful Open Redirect Attacks of
third-party website.
Once the user
accepts the application, the attackers could completely bypass PayPal's
authentication system and attack more easily.
It might be of PayPal's interest to patch up against such attacks.
(2.2) Used one of webpages for the following tests. The webpage is "http://essayjeanslike.lofter.com/". Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.
Below is an example of a vulnerable third-party domain:
Vulnerable URL in this domain:
Vulnerable URL from PayPal that is related to constantcontact.com:
POC:
POC Video:
https://www.youtube.com/watch?v=TVtLA1YzIBs
Blog Detail:
http://tetraph.blogspot.com/2014/05/paypal-oauth-20-openidconnect-covert.html
(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and
redirects a user to the parameter value without sufficient validation.
This often makes use of Open Redirect and XSS (Cross-site Scripting)
vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all
OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect
can work together with CSRF (Cross-site Request Forgery) as well.
Discover and Reporter:
Wang
Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University
(NTU), Singapore. (@justqdjing)
Related Articles:
http://tetraph.com/security/covert-redirect/paypal-oauth-2-0-openidconnect-covert-redirect-vulnerability/
http://ithut.tumblr.com/post/119493112323/securitypost-sicherheitslucke-in-oauth-2-0-und
https://twitter.com/tetraphibious/status/559164333721001984
http://www.inzeed.com/kaleidoscope/covert-redirect/paypal-oauth-2-0-openidconnect-covert-redirect-vulnerability/
http://computerobsess.blogspot.sg/2014/05/paypal-bug.html
https://hackertopic.wordpress.com/2014/05/01/paypal-covert-redirect/
http://ittechnology.lofter.com/post/1cfbf60d_72e61e0
http://securityrelated.blogspot.com/2014/05/paypal-bug.html
http://blog.163.com/tetraph/blog/static/23460305120144612635422
https://webtechwire.wordpress.com/2014/05/02/paypal-covert-redirect/