OAuth Security Advisory: 2014.1 "Covert Redirect"
What is it?
Covert Redirect is a name given to an open redirector attack by security researcher Wang Jing in the Spring of 2014.
It describes a process in which an attacker intercepts a request from an OAuth Client to an OAuth 2.0 Authorization Server and alters the "redirect_uri" query parameter so that the Authorization Server sends the resulting OAuth response to a location the attacker controls rather than to the client that made the request, exposing any returned secrets to the attacker.
Is Covert Redirect a New Threat?
No. Section 4.1.5 and Section 4.2.4 of the official OAuth 2.0 Threat Model (RFC 6819) detail this threat, and Section 5.2.3.5 of the RFC documents the recommended mitigations. This threat is more commonly known as "Open Redirector". The threat model was ratified as an RFC in January 2013, and it has been used effectively by many OAuth implementations and deployments to secure their services against Open Redirector attacks.
Who Should be Concerned?
Anyone who deploys OAuth 2.0, either as a client or as an Authorization Server, should be concerned. However, this concern should not be new; anyone who deploys OAuth 2.0 should be aware of and understand the mitigations for all of the threats in RFC 6819, not just this one.
- Require clients to register the full redirect URI, as described in RFC 6819 Section 5.2.3.5.
- Use the state parameter to add custom information to the request so that you don't have to add it to the redirect URI. (Note: Don't include a URL in the state parameter, otherwise you may set yourself up for an open redirect vulnerability again.)
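The two mitigations above, as an added example that is not part of the original advisory: an authorization server that compares the requested redirect_uri against the client's registered full URI by exact match (RFC 6819 Section 5.2.3.5), shown beside the host-only matching that leaves an open redirector on the client site usable, plus an opaque state value that carries no URL. The client registry, client id and authorization code are constructed values.

```python
"""Added example (not the advisory's own code): exact redirect_uri validation
versus weak host-only matching, and an opaque state value.
All client ids, URIs and codes below are constructed for illustration."""
import secrets
from urllib.parse import urlsplit

# Constructed client registry: each client registers its full redirect URI(s).
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example/oauth/callback"],
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Host-only matching (do NOT use): any path on the registered host passes,
    so an open redirector on the client site becomes a valid redirect target."""
    host = urlsplit(redirect_uri).hostname
    registered = REGISTERED_CLIENTS.get(client_id, [])
    return any(urlsplit(u).hostname == host for u in registered)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered full URI (RFC 6819 Section 5.2.3.5).
    Scheme, host, port, path and query must all be identical."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def new_state() -> str:
    """Opaque, unguessable state for the client to bind the response to its
    session. It contains no URL, so it cannot be turned into a redirector."""
    return secrets.token_urlsafe(32)


def authorize(client_id: str, redirect_uri: str, state: str,
              check=strict_redirect_check):
    """Return the redirect target carrying a (constructed) authorization code,
    or None when the redirect_uri is not acceptable. On a bad redirect_uri the
    server must not redirect anywhere, not even to report the error."""
    if not check(client_id, redirect_uri):
        return None
    code = "constructed-code"
    return f"{redirect_uri}?code={code}&state={state}"
```

Running the same unregistered-path request through both checks shows the weak check handing the code to the client's open redirector while the strict check refuses to redirect at all.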
- Covert Redirect Flaw in OAuth is Not the Next Heartbleed (symantec.com)
- Another Security Flaw Gets the Heartbleed Treatment, But Don't Believe the Hype (mashable.com)
- Covert Redirect mostly hype and certainly no Heartbleed (zdnet.com)
- Covert Redirect and its real impact on OAuth and OpenID Connect (John Bradley)
- Tech Analysis of "Serious security flaw in OAuth, OpenID Discovered" (Danny Thorpe)
- Security Farce (Tim Bray)
- Covert Redirect is not new but... (Nat Sakimura)