This morning, a major vulnerability in the OAuth workflow was made public following its discovery by a Ph.D student at the Nanyang Technological University in Singapore. In summary, websites and services using OAuth and OpenID are subject to what is called a “covert redirect” issue, where a user unknowingly hands account and data access to a third party.
This is a potentially serious issue, and could result in the leak of sensitive information. It is important to note that this is not a problem that originates with the platforms that are being used for the token provision — in other words, it’s not a Google or Facebook problem, but rather a problem with the lack of token whitelisting in OAuth and OpenID, and potentially impacts all providers.
In more detail, what is happening here is that visitors to websites are being presented with a pop-up window from a provider (Microsoft, Facebook, Google, and many others) that asks them to authorize a set of permissions (such as the ability to read email content, contacts lists, or data stored in documents) for a third party service. The “covert redirect” component of the vulnerability refers to a similarity to how some phishing attacks work: when the user grants OAuth access on the provider pop-up, the actual OAuth token that is generated is not granted to the service that the user thinks they are using, but rather to a third party service that is potentially malicious.
CloudLock’s specific recommendation for Google Apps customers is to:
- Use a third party application monitoring solution (such as Apps Firewall) to review all third party applications in use in their environment
- Ban and revoke any apps which are unrecognized, especially those with document, contact, email, or domain access
- Enable automatic revocation of banned apps to minimize risk of third party extraction of data from services exploiting the covert redirect vulnerability
- If you encounter a suspicious app, let us know – we will monitor and continue to update our trust index and provide notifications to our customer community as appropriate.
If you want to test your environment for third party apps now, please contact CloudLock to discuss options today.