Math Diary

Mathematics is the queen of the sciences - Gauss

Another security breach threatens part of the Internet

While many servers around the world are still affected by Heartbleed, there is news of another large-scale flaw, although it does not reach the level of the first one. The vulnerability in question this time is in OAuth and OpenID, and there is very little that users can do about it, since the fix lies in the hands of the companies.

OAuth and OpenID are open-source tools for authenticating users, and they are used by companies such as Google, Facebook, Microsoft, Yahoo, PayPal and LinkedIn. We have all seen these tools: they open pop-up windows asking us to authenticate with one of our accounts in order to access certain content or services.

The problem is that a window appears asking to redirect us to Facebook, which looks completely safe but is not. Up to this point it works like phishing, but it goes further, since the exploit, which has been named Covert Redirect, obtains the user's information from the server without the user having to enter it.

This new vulnerability was discovered by Wang Jing, a PhD student at Nanyang Technological University in Singapore. The problem could prove expensive for the companies, but at some point they will have to get to work on it. For now, it is recommended not to log in to online accounts through pop-up windows.

From: http://www.opinionesdispersas.net/2014/05/otra-brecha-seguridad.html
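The fix that the article says lies in the companies' hands comes down to how an authorization server validates the redirect_uri it sends the code or token to. As an added example that is not from the original post or from the researcher, the block below puts a loose host-only check next to an exact-match check and adds an audit heuristic for callback URLs that forward to another host. The client id, registration record and sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration record for a hypothetical OAuth client (assumption,
# not from the original post): the only callback this client has registered.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_uri_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any https URL on a registered host is accepted.

    This is the looseness Covert Redirect relies on: if the same host also
    serves an open redirector (for example a 'next=' parameter that forwards
    anywhere), the code or token delivered to that URL ends up wherever the
    redirector points.
    """
    registered_hosts = {
        urlsplit(u).netloc for u in REGISTERED_REDIRECT_URIS.get(client_id, ())
    }
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in registered_hosts


def strict_redirect_uri_ok(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: exact string match of the whole URI against the
    registered set, the strictest registration option RFC 6749 section 3.1.2
    describes and what later OAuth security guidance recommends."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def forwards_to_other_host(redirect_uri: str) -> bool:
    """Audit heuristic for a site's own callback URLs: flag a URL whose query
    string carries an absolute URL pointing at a different host, the shape an
    open-redirector request typically has."""
    parts = urlsplit(redirect_uri)
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value)
            if (
                target.scheme in ("http", "https")
                and target.netloc
                and target.netloc != parts.netloc
            ):
                return True
    return False


def audit(client_id: str, candidates):
    """Run all three checks over candidate redirect_uri values and return
    {uri: (loose_ok, strict_ok, forwards_elsewhere)} for inspection."""
    return {
        uri: (
            loose_redirect_uri_ok(client_id, uri),
            strict_redirect_uri_ok(client_id, uri),
            forwards_to_other_host(uri),
        )
        for uri in candidates
    }


# Constructed sample values (not from the original post); the .invalid TLD
# is a reserved placeholder.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/go?next=https://third-party.invalid/collect",
    "https://third-party.invalid/oauth/callback",
]

if __name__ == "__main__":
    for uri, (loose, strict, forwards) in audit("client-123", SAMPLE_REDIRECT_URIS).items():
        print(f"{uri}\n  loose={loose} strict={strict} forwards_elsewhere={forwards}")
```

The second sample URL passes the loose check and fails the strict one, which is exactly the gap the exact-match rule closes.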

Student: WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University.

Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)

http://www.tetraph.com/wangjing/

News:

http://zh.wikipedia.org/zh-tw/OAuth

https://www.owasp.org/index.php/Singapore

http://www.aqniu.com/neotech/endpoint/2734.html

http://www.ustcif.com/default.php/content/2128/

http://aga.ustc.edu.cn/news/view?id=2094

http://www.cnvd.org.cn/flaw/show/CNVD-2014-02785

http://www.slideshare.net/woodentwaddle6758/facebook-google-users-threatened-by-new-security-flaw

http://www.theregister.co.uk/2014/05/05/covert_redirect_is_overt_hype_more_heartbleat_than_heartbleed/

http://www.maverickcyberdefense.com/intell-blog/entry/oauth-opnid-security-vulnerbility-03may14

http://soylentnews.org/article.pl?sid=14/05/02/2214247

http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html

http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html

http://mathtuition88.com/2014/05/05/math-news-math-student-detects-oauth-openid-security-vulnerability/

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://www.scu.edu/is/secure/blog/index.cfm?b=480&tag=5422

http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/

http://digital-era.net/critical-holes-in-oauth-openid-could-leak-information-redirect-users/

http://blogs.mcafee.com/consumer/what-is-covert-redirect

http://mathfas.wordpress.com/2014/10/11/9/

http://blog.infinity-solutions.jp/2014/05/06/the-next-heartbleed-bug-covert-redirect-flaw/

http://www.appps.jp/88572/

http://scan.netsecurity.ne.jp/article/2014/05/08/34126.html

http://blog.kaspersky.co.jp/facebook-openid-oauth-vulnerable/3558/

http://newvo.jp/408699/OAuth2.0%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%28!?%29%22CovertRedirect%22%E3%81%A8%E3%81%AF-OAuth.jp

http://sp05rdcy.jugem.jp/?eid=1934

http://www.megafm.com.br/noticia/falha-de-seguranca-afetam-logins-de-facebook

http://www.opinionesdispersas.net/2014/05/otra-brecha-seguridad.html

http://www.it.co.kr/common/mediaitPrint.php?nSeq=2628799&nBoardSeq=60

http://xakep.ru/62448/

http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/

http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/

http://www.baboo.com.br/seguranca/covert-redirect-o-novo-heartbleed/

http://www.slideshare.net/greentask/maxwells-formulation-differential-forms-on-euclidean-space

http://www.inzeed.com/articles/mathematics/Maxwells-Formulation--Differential-Forms-on-Euclidean-Space.pdf

http://www.slideshare.net/greentask/dunbars-conjecture-for-planar-graphs-40822284

http://www.inzeed.com/articles/mathematics/dunbars-conjecture-for-planar-graphs.pdf

http://www.slideshare.net/greentask/use-problem-based-and-cooperative-based-strategies-teaching-method

http://www.inzeed.com/articles/teaching/Use-Problem-Based-and-Cooperative-Based-Strategies--Teaching-Method.pdf

http://www.slideshare.net/greentask/delaunay-triangulation-from-2d-delaunay-to-3d-delaunay

http://www.inzeed.com/articles/mathematics/delaunay-triangulation-from-2d-delaunay-to-3d-delaunay.pdf

http://www.slideshare.net/greentask/ss-40847595

http://www.inzeed.com/articles/psychology/Management-Psychology-Research-Paper.pdf

http://www.inzeed.com/honour/wangjing/Outstanding-Undergraduate-Research.pdf

http://www.inzeed.com/honour/wangjing/president-of-student-reporter-union.PDF

http://www.inzeed.com/honour/wangjing/zuaas-trial-walk-winner.PDF

http://zh.wikipedia.org/zh-tw/OAuth

https://www.owasp.org/index.php/Singapore

http://www.aqniu.com/neotech/endpoint/2734.html

http://www.ustcif.com/default.php/content/2128/

http://aga.ustc.edu.cn/news/view?id=2094

http://www.cnvd.org.cn/flaw/show/CNVD-2014-02785

http://www.slideshare.net/woodentwaddle6758/facebook-google-users-threatened-by-new-security-flaw

http://www.theregister.co.uk/2014/05/05/covert_redirect_is_overt_hype_more_heartbleat_than_heartbleed/

http://www.maverickcyberdefense.com/intell-blog/entry/oauth-opnid-security-vulnerbility-03may14

http://soylentnews.org/article.pl?sid=14/05/02/2214247

http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html

http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html

http://mathtuition88.com/2014/05/05/math-news-math-student-detects-oauth-openid-security-vulnerability/

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://www.scu.edu/is/secure/blog/index.cfm?b=480&tag=5422

http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/

http://digital-era.net/critical-holes-in-oauth-openid-could-leak-information-redirect-users/

http://blogs.mcafee.com/consumer/what-is-covert-redirect

http://mathfas.wordpress.com/2014/10/11/9/

http://www.electronista.com/articles/14/05/02/google.microsoft.facebook.all.potentially.affected.by.attack.vector/

http://www.chimerarevo.com/internet/covert-redirect-non-heartbleed-perche-167189/

http://www.bankinfosecurity.com/covert-redirect-flaw-big-deal-a-6813

http://digi.163.com/14/0503/08/9RACJBK900162OUT.html

http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml

http://www.freebuf.com/vuls/33750.html

http://blog.knownsec.com/2014/05/oauth_vulnerability_analysis/

http://network.pconline.com.cn/471/4713896.html

http://www.csdn.net/article/2014-05-04/2819588

http://it.people.com.cn/n/2014/0504/c1009-24969253.html

http://www.360doc.com/content/14/0511/09/9200790_376595021.shtml

http://www.youxia.org/oauth-openid-login-tools-bug.html

http://media.sohu.com/20140504/n399096249.shtml

http://it.rising.com.cn/info/2014-05-04/15575.html

http://www.xianguo.com/article/a254ea6b9981093b5a91bed22991d4d8

http://www.douban.com/note/348973705/

http://www.safedog.cn/news.html?id=1179

http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E

http://baike.baidu.com/link?url=S-n7eFQzl8EYDhvDMFnEnLyIlBz6Rk1k5qtNk7raMU9xMl7sIvKrjnwllp8rNPLu3cfNpuznGaSrH82DSF6wQq

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.zdnet.com/student-who-exposed-covert-redirect-deflects-findings-away-from-id-protocols-7000029419/

https://news.ycombinator.com/item?id=7685677

http://tech.firstpost.com/news-analysis/after-heartbleed-major-covert-redirect-flaw-threatens-oauth-openid-and-the-internet-222945.html?utm_source=top_stories

http://www.channelnewsasia.com/news/singapore/vigilantes-testing/1386694.html

http://forums.hardwarezone.com.sg/eat-drink-man-woman-16/vigilantes-hacked-into-m1-iphone-website-4827334.html

http://www.allsingaporestuff.com/article/white-hat-hackers-testing-security-computer-systems-singapore

http://www.todayonline.com/singapore/vigilantes-testing-security-it-systems

https://www.xssposed.org/researchers/wangjing/

https://support.bitcasa.com/hc/en-us/articles/202210658-How-To-Responsibly-Report-Security-Concerns

http://www.constantcontact.com/legal/report-vulnerability

https://www.heroku.com/policy/security-hall-of-fame

http://company.nokia.com/en/acknowledgements

http://aq.163.com/module/rank/card.html?id=1571fa56d2c0263641b5536a61de3d87

http://sec.kingsoft.com/heroes/memberDetail/329/

http://sec.sina.com.cn/User/view?code=4abfc6987d3e5582

http://sec.baidu.com/index.php?honor/list/y/2014/m/3/page/2

http://security.jd.com/index.php/Index/montop/y/2014/mo/4/

http://us.blackberry.com/business/enterprise-mobility/mobile-security/incident-response-team/collaborations.html

http://technet.microsoft.com/en-sg/security/cc308575.aspx

http://ebay.com/securitycenter/ResearchersAcknowledgement.html

https://www.airbnb.com.sg/info/security

https://lastpass.com/support_security.php

http://help.getpocket.com/customer/portal/articles/1225832-pocket-security-overview

http://www.cnvd.org.cn/flaw/show/CNVD-2014-02785

http://news.0937.net/newsshow-73936.html

http://www.yzdjbh.com/Article.aspx?Id=236865185771

http://www.zmke.com/i/5376.html

http://www.zhujicp.com/news/422.html

http://www.ynyue.com/News/xingyexinwen/3660.html

http://www.linuxidc.com/Linux/2014-05/101507.htm

http://www.wanho.net/hangye/2458.html

http://finance.takungpao.com/tech/q/2014/0504/2454551.html

http://www.chengshiw.com/tech/2014/328183.html

http://www.idcps.com/news/20140504/72515.html

http://www.safedog.cn/news.html?id=1179

http://www.myhack58.com/Article/html/3/62/2014/46433_2.htm

http://www.xianguo.com/article/a254ea6b9981093b5a91bed22991d4d8

http://yw.learnatchina.com/201405033774-view-comments-for-critical-holes-in-oauth-openid-could-leak-information-redirect-users.html#.VEz2AoV5MxA

http://weekly.securityfrontline.org/201405075475-critical-holes-in-oauth-openid-could-leak-information-redirect-users.html#.VEz2HYV5MxA

http://w3.isvoc.com/201405055707-critical-holes-in-oauth-openid-could-leak-information-redirect-users.html#.VE4KNIV5MxA

http://yw.learnatchina.com/201405033774-view-comments-for-critical-holes-in-oauth-openid-could-leak-information-redirect-users.html#.VE4K54V5MxA

http://www.gdyfs.com/news/she/20140503/050313M3262014.html

http://www.hbrc.com/rczx/shownews-5626620-14.html

http://www.douban.com/note/348973705/

http://tetraph.blog.163.com/blog/static/2346030512014471384217/

http://networksecurity.isvoc.com/201405152555-student-who-exposed-covert-redirect-deflects-findings-away-from-id-protocols.html#.VFBxpIV5MxA

http://blog.knownsec.com/2014/05/oauth_vulnerability_analysis/

http://www.ctjin.com/chuangye/touzirenjigou/2014-05-03/22200.html

http://zhan.renren.com/yunnet?gid=3602888498049839484&checked=true

http://www.myhack58.com/Article/html/3/62/2014/46954.htm

http://www.shellsec.com/tech/55733.html

http://www.xycity.cn/news/14/n-1257514.html

http://www.cnbeta.com/articles/288503.htm

http://www.csdn.net/article/2014-05-04/2819588

http://www.shangxueba.com/jingyan/2189665.html

http://www.2cto.com/Article/201405/301778.html

http://www.pubeta.com/3033.html

http://www.2cto.com/Article/201405/301778.html

http://www.techweb.com.cn/internet/2014-05-03/2032301.shtml

http://blog.knownsec.com/2014/05/oauth_vulnerability_analysis/

http://t.163.com/7758515660

http://www.weibo.com/tetraph

http://www.youxia.org/oauth-openid-login-tools-bug.html

http://v.youku.com/v_show/id_XNzA4ODI5MDY0.html

http://www.aiweibang.com/yuedu/tech/499816.html

http://essayjeans.blog.163.com/blog/static/2371730742014521103639930/

http://linux.cn/article-2962-1.html

http://media.sohu.com/20140504/n399096249.shtml

http://www.backlion.com/%E9%92%88%E5%AF%B9%E8%BF%91%E6%9C%9F%E5%8D%9A%E5%85%A8%E7%90%83%E7%9C%BC%E7%90%83%E7%9A%84oauth%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%86%E6%9E%90%E4%B8%8E%E9%98%B2%E8%8C%83%E5%BB%BA/

http://www.xycity.cn/news/14/n-1257514.html

http://t.163.com/7758515660

http://www.kaixin001.com/repaste/index_159835659.html

http://www.tuicool.com/articles/fuaeMf

http://blog.sina.com.cn/s/blog_9c466a590101j4k4.html

http://essayjeans.blog.163.com/blog/static/237173074201493101817921/

http://tetraph.blog.163.com/blog/static/23460305120149410334290/

http://www.kankanews.com/ICkengine/archives/138987.shtml

http://img.sootoo.com/content/492302.shtml

http://it.rising.com.cn/info/2014-05-04/15575.html

http://www.tuicool.com/articles/qEzUneY

http://www.linuxidc.com/Linux/2014-05/101182.htm

http://www.linuxeden.com/html/news/20140503/151358.html

http://code.csdn.net/news/2819588

http://tieba.baidu.com/p/3030252100

http://www.52rkl.cn/anquan/06102T102014.html

http://www.m4sk.net/post/3703b3_12d3b49

http://www.1398.org/itnews/ippmrk_1.html

http://www.360doc.com/content/14/0511/09/9200790_376595021.shtml

http://www.safedog.cn/news.html?id=1179

http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml?_114sobiaoqian

https://blog.instantssl.com/2014/05/covert-redirect-vulnerability/

http://tetraph.blogspot.sg/2014/05/wordpress-covert-redirect-vulnerability.html

http://newsmaine.net/19206-covert-redirect-vulnerability-discovered-oauth-20-and-openid

http://vulnerabilitypost.wordpress.com/category/covert-redirect-vulnerability/

https://benoitis.com/tag/covert-redirect/

http://blogs.mcafee.com/consumer/what-is-covert-redirect

http://threatpost.com/critical-holes-in-oauth-openid-could-leak-information-redirect-users/105876

https://krystal.co.uk/blog/2014/05/openauth-covert-redirection-vulnerability-explained/

https://www.facebook.com/jaicomputer/posts/732480143456948

http://www.csoonline.com/article/2150742/malware-cybercrime/oauth-weakness-threatens-users-of-social-media-sites.html

http://blog.sina.com.cn/s/blog_12ff797370101ewc2.html

http://www.infosecurity-magazine.com/news/bitly-compromised-users-warned-to-reset-accounts/

http://tetraph.tumblr.com/

http://whatis.techtarget.com/definition/covert-redirect

http://www.veooz.com/news/mH9R~~L.html

http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/

http://www.pymnts.com/news/2014/security-flaw-in-open-source-log-in-tools-could-leave-social-media-users-at-risk/#.VFBdloV5MxA

http://redmondmag.com/articles/2014/05/02/oauth-and-openid-flaw-found.aspx

http://www.darkreading.com/authentication/oauth-openid-flaw-7-facts/d/d-id/1251127

http://www.hubberts-arms.org/computing/math-student-detects-oauth-openid-security-vulnerability/?PHPSESSID=79184ab9be7276a12ec9d85c3374d49a

https://www.qualys.com/research/sans-at-risk/2014/week-18/

http://www.sciencenewsdaily.org/internet-news/cluster560745642/

http://omgdgt.com/?p=34396

http://www.reddit.com/r/netsec/comments/24knlj/serious_security_flaw_in_oauth_openid_discovered/

http://it-beta.slashdot.org/story/14/05/02/2015227/nasty-security-flaw-in-oauth-openid

http://soylentnews.org/comments.pl?sid=1632&threshold=-1&commentsort=5&mode=nested

http://www.suvsystem.com/a/16702.aspx

http://t.qq.com/tetraph

http://cissp.com/security-news/29-thought-leadership/social-media-latest-to-feel-security-flaw-impact

https://friendica.libertypod.com/display/aliena23p/382571

http://securityrelated.blogspot.sg/2014_10_01_archive.html

http://the-hacker-news.tumblr.com/post/84623817091/nasty-covert-redirect-vulnerability-found-in-oauth-and

http://clipsin.com/view/mailru-oauth-20-covert-redirect-vulnerability/qcHmirNBT6QtMdY.html

http://tweets.seraph.me/search/OAuth%20Security

http://historimac.nerdzblog.com/Mac-mini-9g.phpHTTP/1.1%20200%20OKDate:%20Tue,%2021%20Jul%202009%2012:01:33%20GMTServer:%20Apache/1.3.37%20%28Unix%29%20mod_fastcgi/mod_fastcgi-SNAP-0404142202X-Powered-By:%20PHP/Linkedin-OAuth-2.0-Covert-Redirect-Vulnerability-_-iif6eq2cvso.html

http://www.asurekazani.com/video/1FZ6yfsp09U

http://nevarneyox.com/watch?v=0yEB58S8WBI

http://computerobsess.blogspot.sg/2014/10/odnoklassnikiru-covert-redirect.html

http://cooldotz.com/blog/google-facebook-users-face-new-security-threat-delhi-daily-news/

http://videocurso.globocaxias.com/video/GyNGBuHNoJ0/watch.html

http://www.isssource.com/security-flaw-in-oauth-2-0-openid/

http://yw.learnatchina.com/201405033774-view-comments-for-critical-holes-in-oauth-openid-could-leak-information-redirect-users.html

http://www.popbuzz.me/uk/p/3477751/

http://www.vintegris.com/en/news/openid-and-oauth-vulnerability-affects-facebook-google-and-others/_id:47/

http://www.hackbusters.com/news/stories/43931-oauth-openid-flaw-7-facts

http://www.almdares.net/vz/youtube_browser.php?do=show&vidid=6m1CoV8JTmc

http://irfansalam.wordpress.com/2014/05/10/openid-oauth-vulnerability-affects-facebook-google-and-others/

http://completosec.wordpress.com/2014/05/14/exploits-violate-oauth-2-0-and-openid-assumptions/

http://www.digitalmunition.me/?p=2459

http://www.inzeed.com/people/fengdong.html

http://www.tetraph.com/people/wangzhenen.html

http://www.tetraph.com/people/liumeilan.html

http://www.tudou.com/home/essaybeans/item

http://www.tudou.com/programs/view/lg8T2bhkZpc/

http://www.tudou.com/programs/view/Px3eEBhXjpc/

http://www.tudou.com/programs/view/3R4kJrIbr5U/

http://www.tudou.com/programs/view/XyiwT4wbQ4I/

http://www.tudou.com/programs/view/qkX60p9KHsk/

http://www.tudou.com/programs/view/6qw_vdy5yD0/

http://i.youku.com/essayjeans

http://v.youku.com/v_show/id_XODA3NDMyMDY4.html

http://v.youku.com/v_show/id_XODA3MzUxMDMy.html

http://v.youku.com/v_show/id_XODA0NTE0ODU2.html

http://v.youku.com/v_show/id_XNzIzMDU0NTc2.html

http://v.youku.com/v_show/id_XNzIzMDI4MDAw.html

http://v.youku.com/v_show/id_XNzIyOTI5MjY0.html

http://v.youku.com/v_show/id_XNzExNDY3OTI0.html

http://v.youku.com/v_show/id_XNzEwNzQ0NDY4.html

http://v.youku.com/v_show/id_XNzA4OTY2Mjg4.html

http://v.youku.com/v_show/id_XNzA4OTY2Mjg4.html

http://v.youku.com/v_show/id_XNzA4ODM1MDIw.html

http://v.youku.com/v_show/id_XNzA4ODM0OTQw.html

http://v.youku.com/v_show/id_XNzA4ODM0OTA0.html

http://v.youku.com/v_show/id_XNzA4ODI5MDY0.html

http://v.youku.com/v_show/id_XNzA4ODI4ODg0.html

http://v.youku.com/v_show/id_XNzA4ODI0NjY0.html

http://v.youku.com/v_show/id_XNzA4ODI0NTQw.html

http://i.youku.com/essaybeans

http://v.youku.com/v_show/id_XODE1MDMwNzQ4.html

http://v.youku.com/v_show/id_XODE1MDMwNzA0.html

http://v.youku.com/v_show/id_XODE1MDMwNjIw.html

http://v.youku.com/v_show/id_XODE1MDI4OTcy.html

http://www.youtube.com/user/justqdjing

http://www.youtube.com/user/essaybeans

http://www.youtube.com/watch?v=k37gpKaql6k

http://www.youtube.com/watch?v=L78blHqHVsA

http://www.youtube.com/watch?v=EtfQvsNGik0

http://www.youtube.com/watch?v=89AexKfxM5g

http://www.youtube.com/watch?v=KiNKYD9VRK8

http://www.youtube.com/watch?v=KF0_p5XdJfs

http://www.youtube.com/watch?v=HgemMetVPP4

http://www.youtube.com/watch?v=D2jvlD1-1OA

http://www.youtube.com/watch?v=0GtSV4fcE9g

http://www.youtube.com/watch?v=xi41o7W4UWQ

http://www.youtube.com/watch?v=QeFDU_LlKqs

http://www.youtube.com/user/tetraph

http://www.youtube.com/watch?v=3gNhi8h2AQY

http://www.youtube.com/watch?v=onA5BgC3zIY

http://www.youtube.com/watch?v=RekCK5tjXWQ

http://www.youtube.com/watch?v=D-X8qAO2q_I

http://www.youtube.com/watch?v=T1XW31s92qA

http://www.youtube.com/watch?v=-lxaX9xvUfE

http://www.youtube.com/watch?v=m7_NSa9CJ2A

http://www.youtube.com/watch?v=HUE8VbbwUms

http://www.youtube.com/watch?v=Y2-2Scp0pbs

Reference::

https://vulnerabilitypost.wordpress.com/

http://tetraph.wordpress.com/

http://mathfas.wordpress.com/

http://tetraph.blog.163.com/

http://essayjeans.blog.163.com/

http://blog.sina.com.cn/justqdjing

http://blog.sina.com.cn/essayjeans

http://blog.sina.com.cn/whitehatpost

http://user.qzone.qq.com/2519094351/2

http://tetraph.tumblr.com/

http://whitehatview.tumblr.com/

http://tetraph.blogspot.com/

http://computerobsess.blogspot.com/

http://essayjeans.blogspot.com/

http://essaybeans.blogspot.com/

https://www.facebook.com/essaybeans

https://www.facebook.com/essayjeans

http://www.tetraph.com/blog/

http://www.tetraph.com/security/

http://inzeed.com/blog/

http://inzeed.com/kaleidoscope/

http://diebiyi.com/blog/

http://diebiyi.com/articles/

http://covertredirect.com/blog/

http://covertredirect.com/wangjing/

http://www.inzeed.com/bowen/

http://www.ustcif.com/default.php/content/2128/

http://aga.ustc.edu.cn/news/view?id=2094

http://user.qzone.qq.com/137372921

https://www.linkedin.com/in/essayjeans

http://www.kaixin001.com/repaste/index_159835659.html

http://t.qq.com/blackswall1544?previewtgo

http://www.weibo.com/justqdjing?

http://blog.sina.com.cn/justqdjing

https://www.facebook.com/fei.yu.3323

https://plus.google.com/u/0/118367468423066098176/posts

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

http://www.letv.com/ptv/vplay/20130165.html

http://blog.163.com/essayjeans

https://plus.google.com/u/0/b/113698571167401884560/113698571167401884560/posts

https://www.facebook.com/essaybeans?

http://t.qq.com/tetraph

http://www.tetraph.com/cn/wangjing https://www.facebook.com/wangjing.justqdjing

https://twitter.com/justqdjing

http://www.linkedin.com/in/justqdjing

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/ 

http://www.youtube.com/user/justqdjing

http://www.weibo.com/justqdjing

http://i.youku.com/essayjeans

http://blog.sina.com.cn/justqdjing

https://www.facebook.com/fei.yu.3323

https://plus.google.com/u/0/118367468423066098176/posts

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

http://www.letv.com/ptv/vplay/20130165.html

http://blog.163.com/essayjeans

https://plus.google.com/u/0/b/113698571167401884560/113698571167401884560/posts

http://user.qzone.qq.com/137372921

https://www.linkedin.com/in/essayjeans

http://www.kaixin001.com/repaste/index_159835659.html

http://t.qq.com/blackswall1544?previewtgo

http://www.weibo.com/justqdjing?

http://blog.sina.com.cn/justqdjing

https://www.facebook.com/fei.yu.3323

https://plus.google.com/u/0/118367468423066098176/posts

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

http://www.letv.com/ptv/vplay/20130165.html

http://blog.163.com/essayjeans

https://plus.google.com/u/0/b/113698571167401884560/113698571167401884560/posts

Related links

http://essaybeans.blogspot.sg/

http://vimeo.com/tetraph

http://i.youku.com/essayjeans

http://www.youtube.com/user/tetraph

http://www.youtube.com/user/justqdjing

https://www.facebook.com/essaybeans?skip_nax_wizard=true

http://www.tetraph.com/forum/

http://www.tetraph.com/blog/

http://blog.sina.com.cn/essayjeans

http://blog.sina.com.cn/justqdjing

http://essayjeans.blog.163.com/

http://tetraph.blog.163.com/

http://tetraph.blog.163.com/blog/static/23460305120144210374933/

http://tetraph.tumblr.com/post/100080251777/covert-redirect-vulnerability-related-to-oauth-2-0-and

https://www.facebook.com/permalink.php?id=420695091405296&story_fbid=420705068070965

http://blog.sina.com.cn/s/blog_12ff797370101edm4.html

http://blog.sina.com.cn/s/blog_ecd65d410102v3jx.html

http://whitehatview.tumblr.com/post/100080520381/covert-redirect-vulnerability-related-to-oauth-2-0-and

https://vulnerabilitypost.wordpress.com/2014/10/15/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid-2/

https://tetraph.wordpress.com/2014/10/15/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid-3/

http://securityrelated.blogspot.sg/2014/10/covert-redirect-vulnerability-related.html

http://tetraph.blogspot.sg/2014/10/covert-redirect.html

http://essayjeans.blogspot.sg/2014/06/top-5-ways-to-prevent-wrinkles-from.html

http://essaybeans.blogspot.sg/2014/10/blog-post.html

http://mathfas.wordpress.com/2014/10/15/covert-redirect-vulnerability/

http://blog.sina.com.cn/s/blog_12ff797370102v467.html

http://blog.sina.com.cn/s/blog_ecd65d410102v4vd.html

http://blog.sina.com.cn/s/blog_9c466a590102v2hv.html

http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/

http://tetraph.blog.163.com/blog/static/23460305120149159422371/

http://essayjeans.blog.163.com/blog/static/237173074201491510534996/

http://user.qzone.qq.com/137372921

http://user.qzone.qq.com/2519094351/2

http://www.pinterest.com/pin/326018460499818774/

http://www.pinterest.com/pin/465278205227138242/

http://computerobsess.blogspot.sg/2014/10/covert-redirect-vulnerability-related.html

http://tetraph.com/security/xss-vulnerability/mozilla-mozilla-org-two-sub-domains-cross-reference-xss-vulnerability-all-urls-under-the-two-domains/

http://tetraph.com/security/cves/cve-2014-7292-newtelligence-dasblog-open-redirect-vulnerability/

https://www.facebook.com/essayjeans?

https://www.facebook.com/tetraph?

http://www.weibo.com/tetraph

https://twitter.com/justqdjing

https://twitter.com/tetraphibious

https://twitter.com/essayjeans

http://www.pinterest.com/essaybeans

http://www.pinterest.com/tetraph/

http://i.youku.com/essaybeans

http://www.weibo.com/essayjeans

http://www.weibo.com/justqdjing?

http://tetraph.blogspot.sg/

http://essayjeans.blogspot.sg/

http://essaybeans.blogspot.sg/

http://vimeo.com/tetraph

http://i.youku.com/essayjeans

http://www.youtube.com/user/tetraph

http://www.youtube.com/user/justqdjing

https://www.facebook.com/essaybeans?skip_nax_wizard=true

http://www.tetraph.com/forum/

http://www.tetraph.com/blog/

冯冬 (Feng Dong)江苏省

常州市钟楼区

References:

    1.  http://it.people.com.cn/n/2014/0504/c1009-24969253.html

    2.  http://digi.163.com/14/0503/08/9RACJBK900162OUT.html

    3 .    http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml

    4 .    http://www.cnbeta.com/articles/288503.htm

    5 .    http://network.pconline.com.cn/471/4713896.html

    6 .    http://www.hackdig.com/?05/hack-9782.htm

    7 .    http://www.freebuf.com/vuls/33750.html

    8 .    http://www.csdn.net/article/2014-05-04/2819588

    9 .    http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_

    10.     http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E

    11,   http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

    12.   http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

    13,   http://www.zdnet.com/student-who-exposed-covert-redirect-deflects-findings-away-from-id-protocols-7000029419/

    14.   http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

    15.   http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

    16.   http://www.allsingaporestuff.com/article/white-hat-hackers-testing-security-computer-systems-singapore

    17.   http://www.channelnewsasia.com/news/singapore/vigilantes-testing/1386694.html

    18.   http://forums.hardwarezone.com.sg/eat-drink-man-woman-16/vigilantes-hacked-into-m1-iphone-website-4827334.html

    19.   http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

    20.   http://oauth.net/advisories/2014-1-covert-redirect/

    21.   http://openid.net/2014/05/15/covert-redirect/

    22.   http://oauth.jp/blog/2014/05/07/covert-redirect/

    23.   http://blogs.mcafee.com/consumer/what-is-covert-redirect

    24.   http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

    25.   http://www.securityweek.com/covert-redirect-issue-oauth-openid-places-security-responsibility-wrong-place

    26.   http://oauth.jp/blog/2014/05/07/covert-redirect-in-implicit-flow/

    27.   http://www.openid.or.jp/blog/2014/05/covert-redirect-and-its-real-impact-on-oauth-and-openid-connect.html

    28.   http://weblog.bulknews.net/post/85008516879/covert-redirect-vulnerability-with-oauth-2

    29.   http://securityaffairs.co/wordpress/24585/intelligence/covert-redirect-oauth-openid.html

    30.   https://www.yireo.com/blog/1678-oauth-covert-redirect-vulnerability

    31.   http://www.net-security.org/secworld.php?id=16795

    32.   http://www.itbusinessedge.com/blogs/data-security/lessons-to-be-learned-from-covert-redirect.html

    33.   http://www.netskope.com/blog/oauth-openid-covert-redirect-vulnerability/

    34.   http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

    35.   http://zeenews.india.com/tags/covert-redirect.html

    36.   http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

    37,   http://www.ceilers-news.de/serendipity/497-Websecurity-Die-Covert-Redirect-Schwachstelle-und-OAuth-2.0-und-OpenID.html

    38.   http://www.reddit.com/r/technology/comments/24oe6q/nasty_covert_redirect_vulnerability_found_in/

    39.   https://news.ycombinator.com/item?id=7685677

    40.   http://canaltech.com.br/noticia/seguranca/Diferencas-entre-Covert-Redirect-e-Heartbleed/

    41.   https://www.idradar.com/news-stories/technology/Covert-Redirect-Software-Bug-Needs-A-Fix

    42.   http://www.komando.com/happening-now/251360/a-new-security-hole-lets-hackers-hijack-your-facebook-login/all

    43.   http://www.hardware.no/artikler/covert-redirect-svakhet-er-ingen-ny-nettkrise/159589

    44.   http://www.sotostips.gr/2014/05/provlima-covert-redirect.html

    45.   http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062

    46.   http://twit.tv/show/tech-news-2night/79

    47.   http://www.baomoi.com/Bkav-Lo-hong-Covert-Redirect-khong-nguy-hiem-bang-trai-tim-ri-mau/76/13729018.epi

    48.   http://www.darraghduffy.ie/covert-redirect-openid-oauth/

    49.   http://conectica.com.mx/2014/05/02/covert-redirect-vulnerabilidad-en-oauth-y-openid-similar-heartbleed/

    50.   http://blog.infinity-solutions.jp/2014/05/06/the-next-heartbleed-bug-covert-redirect-flaw/

    51.   … …


© 数学日记 | Powered by LOFTER