
Published 2016/4/1 7:49:14

Attention! Your various "accounts" may be easily hacked recently (Information Security, Privacy - IT资讯)


IT资讯 news, April 1: today the WooYun (乌云) vulnerability reporting platform published a reminder that, because of a vulnerability related to the OAuth authentication protocol, most users' online accounts could easily be hacked. According to the WooYun platform, the security risk arises from companies using OAuth incorrectly, which can let a hacker exploit the flaw to log in to any user's account (for users who log in via OAuth). In other words, until the companies concerned take precautions, your accounts on all sorts of websites and mobile apps, and even the accounts of internet celebrities, could be snooped on by hackers.

Below is the reminder from the WooYun vulnerability reporting platform:

The issue started two days ago around noon, when Sina sent out a vulnerability warning email. As far as I recall, this is the first time a company has issued such an urgent warning. The email reads as follows:

The fewer the words, the bigger the impact!

Looking into it, the security risk comes from companies using the OAuth authentication protocol incorrectly, which lets hackers exploit the flaw to log in to any user's account (users who log in via OAuth). And after such an urgent warning was sent out, some big-name internet companies, sure enough... didn't take it seriously!

Is my account authenticated with OAuth? Take out your phone and open a few apps to log in; you will see that they support direct login with a Weibo, WeChat or similar account. That is OAuth authentication, and it may be affected by this problem. Because the user does not have to enter an account and password, and no duplicate account has to be registered, it is widely used by internet applications.

For example, Zhihu

Dianping

The authorization process

The principle of the vulnerability is very simple. When you authenticate via OAuth, the company providing the authentication service (such as Sina Weibo) returns some authentication information, such as the user ID, avatar, name, validity period and other data for the authentication token. But the app or website using OAuth does not verify the legitimate relationship between the user ID and the accesstoken; it fully trusts the returned data. A hacker can then intercept the returned request and change the user ID to any other user's to log in successfully; such IDs can be found on, say, Sina Weibo by looking up celebrities and big Vs, allowing precisely targeted login hijacking.

WooYun-jun (乌云君) has already started receiving related vulnerability reports:

Zhihu client: logging in to any user's account (hijacking an internet celebrity's account)

How I logged in to someone else's Sohu account without authorization

How I logged in to someone else's LeTV (乐视) app account without authorization

...

This problem has a very wide impact, so here we join Sina and the other OAuth service providers in warning the industry once again: during the authentication process, be sure to verify that the uid and the accesstoken are consistent; otherwise the user system will fall into unpredictable chaos, affecting the sensitive information in users' accounts.

PS: Everyone is welcome to proactively look for websites or apps with this problem, but please notify the companies promptly so they can fix the vulnerability.
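As an added example (not code from the WooYun post or from any of the companies named above), the following Python sketch contrasts the flawed relying-party pattern the post describes, trusting a client-supplied uid next to a merely valid access_token, with a hardened login that takes the uid only from what the identity provider says about that token. The provider, its token table, the user names and the token strings are all constructed stand-ins; a real relying party would make this lookup as an HTTPS call to the provider's token-info or userinfo endpoint.

```python
"""Added example, not code from the WooYun post: binding the OAuth access_token
to the user ID on the relying-party side before trusting it."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the identity provider's token-info endpoint
# (a Weibo-like service). Tokens, uids and names are made up.
PROVIDER_TOKENS = {
    "tok-alice-9f3a": {"uid": "1001", "name": "alice", "expires_in": 3600},
    "tok-bob-77c1": {"uid": "1002", "name": "bob", "expires_in": 3600},
    "tok-carol-old": {"uid": "1003", "name": "carol", "expires_in": 0},
}


def provider_token_info(access_token: str) -> Optional[dict]:
    """Ask the provider who a token belongs to and whether it is still valid.
    Returns None for unknown or expired tokens. In production this would be
    an HTTPS call to the provider's token-introspection/userinfo endpoint."""
    info = PROVIDER_TOKENS.get(access_token)
    if info is None or info["expires_in"] <= 0:
        return None
    return info


@dataclass
class Session:
    uid: str
    name: str


# Audit trail so a defender can see attempted uid/token mismatches.
MISMATCH_LOG: list = []


def login_vulnerable(callback: dict) -> Optional[Session]:
    """The flawed pattern from the post: the app checks that the
    access_token is real, then trusts whatever uid the client sent."""
    if provider_token_info(callback["access_token"]) is None:
        return None
    return Session(uid=callback["uid"], name=callback.get("name", ""))


def login_hardened(callback: dict) -> Optional[Session]:
    """Identity comes only from the provider's answer about the token.
    A client-supplied uid is optional and, if present, must match it."""
    info = provider_token_info(callback["access_token"])
    if info is None:
        return None
    claimed = callback.get("uid")
    if claimed is not None and claimed != info["uid"]:
        # Record the inconsistency: this is the uid/accesstoken check the warning asks for.
        MISMATCH_LOG.append({"claimed_uid": claimed, "token_uid": info["uid"]})
        return None
    return Session(uid=info["uid"], name=info["name"])


if __name__ == "__main__":
    # Constructed callback: Bob's own token, but the uid field rewritten to Alice's.
    tampered = {"uid": "1001", "access_token": "tok-bob-77c1", "name": "alice"}
    print("vulnerable ->", login_vulnerable(tampered))  # Session for uid 1001
    print("hardened   ->", login_hardened(tampered))    # None
    print("mismatches ->", MISMATCH_LOG)
```

The design point is that the relying party never needs to believe a uid it did not obtain itself: once the token has been introspected, the provider's answer is the identity, and any uid the client sent is at most a cross-check whose failure is worth alerting on.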

