湛天雲海碧波影


Serious vulnerability in OAuth and OpenID? Major sites such as Facebook may be affected

A record of everyday life:


Hello~♪ Thank you, as always, for visiting. Today I spent a long time shopping with a childhood friend from my high school days. It was a pointless way to spend the time...

Following the OpenSSL "Heartbleed" vulnerability, another major vulnerability has been found in popular open-source security software. This time the vulnerability was found in the login tools OAuth and OpenID, which are used by a large number of websites and by technology giants such as Google, Facebook, Microsoft and LinkedIn.


Wang Jing, a PhD student at Nanyang Technological University in Singapore, discovered that a serious vulnerability named "Covert Redirect" makes it possible to spoof a login popup on the domain of an affected site. Covert Redirect is based on a known exploit parameter.


For example, clicking a malicious phishing link opens a popup window inside Facebook asking the user to authorize an app. In the case of the Covert Redirect vulnerability, rather than tricking the user with a fake domain name that resembles the real one, the authorization request is made using the genuine site's address.


If the user chooses to authorize the login, their personal data is sent to the attacker rather than to the legitimate website. Depending on what is requested, the data handed over can include email address, birthday, contact list and even account management information.


Whether or not the user authorizes the app, the targeted user is then redirected to a website of the attacker's choosing, where they may be exposed to further attacks.


According to Wang, he has already contacted Facebook and reported the vulnerability, but the company replied that it "understood the risks associated with OAuth 2.0" and that, because "it is difficult to enforce the use of whitelists by every application on the platform", fixing the bug "is not something that can be achieved in the short term".
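The whitelist Facebook's reply refers to is the list of callback URIs an application registers with the identity provider. The following is an added example, not code from the article or from any of the companies named in it, showing what that check looks like on the provider side: a lax validator that only compares hostnames (which lets any forwarding page on the client's host become a valid target, the situation the article describes) next to a strict validator that only accepts an exact, pre-registered redirect_uri. All client ids, hostnames and URLs are constructed sample values; the registry and request format are assumptions for the example.

```python
"""
Added example (not from the original article): validating the redirect_uri
of an OAuth 2.0 / OpenID Connect authorization request on the provider side.

The article describes an attack in which the consent dialog is shown on the
provider's real domain while the authorization response is delivered to a
redirect target the attacker chose. Exact-match whitelisting of redirect_uri
against the client's registered callbacks closes that path.

All client ids and URLs below are constructed sample values.
"""
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical client registry: client_id -> callback URIs registered by the app.
REGISTERED_CLIENTS = {
    "client-123": [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/login/complete",
    ],
}


def lax_redirect_check(client_id, redirect_uri):
    """Weak validator, shown only to contrast with the strict one below:
    it accepts any https URL whose host matches a registered callback host.
    Any page on that host that forwards the browser elsewhere (an open
    redirector) then passes the check, which is the weakness the article
    describes."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_CLIENTS.get(client_id, [])}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in hosts


def strict_redirect_check(client_id, redirect_uri):
    """Strict validator: the requested redirect_uri must be byte-for-byte
    identical to one of the client's registered callbacks (simple string
    comparison, as RFC 6749 Section 3.1.2 requires when a full URI was
    registered). Fragments are never allowed in a redirect_uri."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def build_request(client_id, redirect_uri):
    """Build a sample authorization request URL (constructed provider host)."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": "xyz",
    })
    return "https://idp.example.net/authorize?" + query


def validate_authorization_request(url):
    """Parse an authorization request and decide whether the provider may
    proceed. Returns (ok, reason, redirect_uri)."""
    q = parse_qs(urlsplit(url).query)
    client_id = q.get("client_id", [""])[0]
    redirect_uri = q.get("redirect_uri", [""])[0]
    if client_id not in REGISTERED_CLIENTS:
        return (False, "unknown_client", None)
    if not redirect_uri:
        # With several registered URIs there is no safe default; require one.
        return (False, "missing_redirect_uri", None)
    if not strict_redirect_check(client_id, redirect_uri):
        # Report this on the provider's own error page; never redirect the
        # browser (or an authorization code) to a URI that failed validation.
        return (False, "invalid_redirect_uri", None)
    return (True, "ok", redirect_uri)


# Constructed sample requests: one legitimate, one pointing at a forwarding
# page on the client's host rather than at the registered callback.
GOOD_REQUEST = build_request("client-123", "https://app.example.com/oauth/callback")
FORWARDING_REQUEST = build_request(
    "client-123", "https://app.example.com/go?next=https://other.example/")

if __name__ == "__main__":
    for label, req in (("registered callback", GOOD_REQUEST),
                       ("forwarding page", FORWARDING_REQUEST)):
        uri = parse_qs(urlsplit(req).query)["redirect_uri"][0]
        print(f"{label}: lax={lax_redirect_check('client-123', uri)} "
              f"strict={strict_redirect_check('client-123', uri)} "
              f"decision={validate_authorization_request(req)[1]}")
```

The point of the contrast is that the lax check and the strict check agree on the registered callback and disagree on the forwarding page: hostname matching cannot distinguish the two, exact matching can. A provider that applies the strict rule also has to render the `invalid_redirect_uri` error on its own page rather than redirecting, since redirecting to an unvalidated URI would reintroduce the problem.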


Facebook is not the only affected site. Wang says he also reported the issue to Google, LinkedIn and Microsoft, and received a range of responses on how the problem would be handled.


Google (which uses OpenID) told Wang that it is currently working on the issue. LinkedIn said it had published a blog post on the matter. Microsoft, on the other hand, said that its investigation found the vulnerability to exist on a third-party domain and not on its own sites.


This article was edited for Japan by Asahi Interactive from an article originally published by CBS Interactive.


From:

http://sp05rdcy.jugem.jp/?eid=1934


Reporter: Wang Jing, a PhD student in mathematics at Nanyang Technological University. He received his bachelor's degree in mathematics from the University of Science and Technology of China.

http://tetraph.com/wangjing/chinese.html




