OAuth Security Advisory: 2014.1 "Covert Redirect"

04-May-2014

What is it?

Covert Redirect is the name given by security researcher Wang Jing in the spring of 2014 to an open redirector attack against OAuth deployments.

It describes an attack in which a malicious party crafts or alters a request from an OAuth Client to an OAuth 2.0 Authorization Server, changing the "redirect_uri" query parameter so that it points to a location the attacker controls (typically via an open redirector on the legitimate client's own site, which a lax host- or prefix-based check will accept). The Authorization Server then sends the resulting OAuth Response to that location rather than to the originally requesting client, exposing any returned authorization code or access token to the attacker.

Is Covert Redirect a New Threat?

No. Section 4.1.5 and Section 4.2.4 of the official OAuth 2.0 Threat Model (RFC 6819) detail this threat, and Section 5.2.3.5 of the RFC documents the recommended mitigations. This threat is more commonly known as "Open Redirector". The threat model was published as an RFC in January of 2013, and has been used effectively by many OAuth implementations and deployments to secure their services against Open Redirector attacks.

Who Should be Concerned?

Anyone who deploys OAuth 2.0, either as a client or as an Authorization Server, should be concerned. However, this concern should not be new; anyone who deploys OAuth 2.0 should be aware of and understand the mitigations for all of the threats in RFC 6819, not just this one.

Recommendations

Require clients to register the full redirect URI, as described in RFC 6819 Section 5.2.3.5, and compare the redirect_uri in each authorization request against the registered value with an exact string comparison (RFC 6749 Section 3.1.2.2), not a host or prefix match. If the redirect_uri does not match, the Authorization Server must not redirect at all (RFC 6749 Section 4.1.2.1); it should inform the user of the error instead.

Use the state parameter to carry per-request information so that you don't have to add it to the redirect URI. Keep the data itself on the client side, keyed by an unguessable state value that is bound to the user's session, and look it up when the response comes back. (Note: Don't include a URL in the state parameter, otherwise you may set yourself up for an open redirect vulnerability again.)
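The following is an added example illustrating both recommendations above; it is not code from this advisory or from any particular OAuth implementation. It models an authorization endpoint with a constructed client registry and a constructed attacker-crafted request whose redirect_uri points at an open redirector on the legitimate client's host. A lax host-match check (weak_redirect_ok) accepts it; the exact-match check from RFC 6819 Section 5.2.3.5 (strict_redirect_ok) rejects it and, per RFC 6749 Section 4.1.2.1, returns an error without redirecting. The client-side helpers show per-request data kept locally and keyed by a random state value rather than placed in the redirect URI. All client IDs, hostnames and function names are assumptions made for the example.

```python
"""Added example (not from the advisory): exact-match redirect_uri validation
on an OAuth 2.0 authorization endpoint, beside the lax check that Covert
Redirect / Open Redirector attacks rely on, plus state-keyed client data."""
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed registry: each client registers its full redirect URI(s).
# "client-123" and "app.example.com" are placeholders for this example.
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}


def weak_redirect_ok(client_id, redirect_uri):
    """Lax check: accept any redirect_uri on a registered client's host.
    An open redirector anywhere on that host passes, which is the
    condition Covert Redirect abuses. Shown only as the 'before'."""
    registered = REGISTERED_CLIENTS.get(client_id, [])
    return any(urlsplit(redirect_uri).netloc == urlsplit(r).netloc
               for r in registered)


def strict_redirect_ok(client_id, redirect_uri):
    """Exact string comparison against the pre-registered full URI
    (RFC 6749 Section 3.1.2.2, RFC 6819 Section 5.2.3.5)."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def authorize(query, check):
    """Process an authorization request (query string) with the given
    redirect_uri check. Returns ("error", None) when the redirect_uri is
    not acceptable; the server must NOT redirect in that case
    (RFC 6749 Section 4.1.2.1). Otherwise returns ("redirect", url)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if client_id is None or redirect_uri is None or not check(client_id, redirect_uri):
        return ("error", None)
    code = secrets.token_urlsafe(16)          # stand-in for a real issued code
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return ("redirect", f"{redirect_uri}{sep}code={code}&state={params.get('state', '')}")


# Constructed attacker-crafted request: redirect_uri is on the client's own
# host but names a hypothetical open redirector that forwards to
# attacker.example (a placeholder domain).
ATTACK_QUERY = (
    "response_type=code&client_id=client-123"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fredirect%3Fto%3D"
    "https%3A%2F%2Fattacker.example%2F&state=xyz"
)

# Constructed legitimate request using the registered URI verbatim.
LEGIT_QUERY = (
    "response_type=code&client_id=client-123"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&state=xyz"
)


# --- Client side: use state instead of stuffing data into redirect_uri ---
PENDING = {}   # state -> per-request data; in practice stored in the session


def begin_authorization(return_to):
    """Create an unguessable state value and remember what this request
    needs (here a local post-login path) on the client side."""
    state = secrets.token_urlsafe(32)
    PENDING[state] = {"return_to": return_to}
    return state


def finish_authorization(callback_query):
    """On the callback, recover per-request data by state. An unknown or
    reused state is rejected (this also gives CSRF protection). The
    recovered value is a local path, never a URL from the request."""
    params = parse_qs(callback_query)
    state = params.get("state", [None])[0]
    entry = PENDING.pop(state, None)
    if entry is None:
        raise ValueError("unknown or replayed state")
    return entry["return_to"]


if __name__ == "__main__":
    print("weak check on attack request :", authorize(ATTACK_QUERY, weak_redirect_ok))
    print("strict check on attack request:", authorize(ATTACK_QUERY, strict_redirect_ok))
    print("strict check on legit request :", authorize(LEGIT_QUERY, strict_redirect_ok))
    s = begin_authorization("/dashboard")
    print("return_to via state           :", finish_authorization(f"code=abc&state={s}"))
```

The point to take from running it: the attacker's redirect_uri shares the registered host, so only the exact comparison distinguishes it, and the server's correct response to a mismatch is an error page, not a redirect to the supplied URI.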

More Information