Sina OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain: sina.com. "Sina (新浪) is a Chinese online media company for Chinese communities around the world. Sina operates four major business lines: Sina…

Tencent QQ OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain: qq.com. "Tencent QQ, popularly known as QQ, is an instant messaging software service developed by Chinese company Tencent Holdings…

Sohu OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain: sohu.com. "Sohu, Inc. (Chinese: 搜狐; pinyin: Sōuhú; literally: "Search-fox") is a Chinese Internet company headquartered in the Sohu Internet Plaza in Haidian District, Beijing.…

Alibaba Taobao OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain: taobao.com. "Taobao (simplified Chinese: 淘宝网; traditional Chinese: 淘寶網; pinyin: Táobǎo Wǎng; literally: "searching for treasure website") is a Chinese website for online…

Two Internet Login Systems Exposed to a Major Vulnerability That May Not Be Fixable in the Short Term (Covert Redirect)

1. Security vulnerability. Following the OpenSSL vulnerability, open-source security software has again been found to contain a security flaw. Wang Jing (王晶), a PhD student in the mathematics department at Nanyang Technological University, Singapore, discovered that websites exposing OAuth 2.0 and OpenID authorization interfaces have a hidden redirect vulnerability, known in English as "Covert Redirect".

2. Attack technique. An attacker creates a pop-up login window that uses the real site's address, rather than a fake domain, to lure Internet users into entering their personal information.

3. Impact. Attackers can use the vulnerability to "disguise" a phishing site, using links on well-known major websites to lure users into logging in to the phishing site; once a user visits the phishing site and successfully logs in and grants authorization, the attacker can read the private information the user has stored on the site.[1] A large number of well-known domestic and foreign websites are affected, including Tencent, Alibaba, QQ, Sina Weibo, Taobao, Alipay, NetEase, PayPal, eBay, Amazon, Facebook, Google, LinkedIn, Yahoo, VK.com, Microsoft, Mail.ru, GitHub and WordPress.

Given that OAuth and OpenID are widely used by major companies such as Microsoft, Facebook, Google and LinkedIn, Wang said he had already reported the issue to these companies. Wang stated that Microsoft had responded, having investigated and confirmed that the problem lies in third-party systems rather than in the company's own sites. Facebook also said that "fixing these two problems cannot be completed in the short term, so every application platform will have to be forced to adopt a whitelist." As for Google, the company is expected to track the OpenID issue, while LinkedIn said it would explain the issue on its blog soon. …

Youku Online Website Covert Redirect Web Security Bugs Based on Baidu.com

(1) Domain: Youku.com. "Youku Inc., formerly Youku.com Inc., doing business as Youku (simplified Chinese: 优酷; traditional Chinese: 優酷; pinyin: yōukù; literally: "excellent (and) cool"),…

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

(1) Domain: 163.com. "NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular…