Hackers have been infiltrating Microsoft services by sending emails to targets saying their Live IDs have been used to distribute unsolicited email, and their accounts will be blocked unless they click on an embedded link and fulfill new security requirements, Kaspersky researcher Andrey Kostin reported last week.
Clicking on the link takes victims to the real Live ID site.
Instead of then stealing the user’s login and password, this new attack triggers a pop-up message stating that an app requests permission to automatically log into victims’ accounts, view their profile information, and access the list of email addresses in their contacts file.
Agreeing to the request lets the hackers vacuum up personal information stored in victims’ user profiles on services such as Xbox Live, Hotmail, Outlook, MSN, Messenger and OneDrive.
“Most people do not consider [security] a priority,” said Jim McGregor, principal analyst at Tirias Research.
“They may say they do when you ask them, but their actions say otherwise,” he told the E-Commerce Times. “Just about everyone we’ve asked — and we’ve spoken to hundreds of people — accepts the application’s request for permissions without checking.”
How the Scam Works
The hackers take advantage of OAuth’s Open Redirect feature.
Once victims agree to provide rights to an application listed on the pop-up page, they are redirected to a landing page, whose URL contains a token that can be used to access the resources the victims have agreed to share.
Rights and information the application seeks include automatic login to any website supporting the authorization; basic information about the user; access to the user’s email addresses and contact list, and, in some cases, to the users’ and their contacts’ photos, dates of birth, and lists of meetings and important events.
A Thumbnail Sketch of Open Redirect
The redirect feature comes into play when you log into a site through, say, Facebook.
Once Facebook has authenticated you, you are redirected to the site you wanted to go to in the first place.
The problem is that some third-party sites allow redirects to be specified in their URLs and may not validate them before redirecting the user.
This lets attackers craft links that have users log in with, in this case, Facebook, arrive at a valid third-party site, and then be covertly redirected to the attackers' own site.
Issues With OAuth
OAuth is an open standard for authorization, and “there have been multiple updates to address OAuth, [but] this is a moving target and hackers look for gaps created to accomplish their tasks,” said Richard Blech, CEO of Secure Channels.
The current version of OAuth is 2.0. The open redirect issue was detailed in 2011 by former OAuth developer Eran Hammer.
It’s also listed in Section 4.2.4 of its RFC, as G. Singh pointed out in an online discussion.
In a nutshell, the problem is improper implementation by the parties deploying OAuth; Hammer recommends that they register the full redirection URL, allowing no variations or partial matching.
“The quality of the tools and how they are integrated by a human create the gap [that hackers exploit],” Blech told the E-Commerce Times.
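The two weaknesses the article describes, a third-party site that forwards to whatever its redirect parameter says and an authorization server that accepts a redirect URL by partial match, can be shown side by side with their fixes. The following Python is an added illustration, not code from the article, Kaspersky, Microsoft or any OAuth library; the hostnames client.example and attacker.example, the token value and the ?next= parameter name are constructed for the example.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed data: the redirect URL the hypothetical client registered
# with the authorization server when it was set up.
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}

# Constructed request: a redirect_uri that starts with the registered
# value but smuggles a ?next= parameter pointing off-site.
CRAFTED_REDIRECT_URI = (
    "https://client.example/oauth/callback?next=https://attacker.example/collect"
)


def redirect_uri_prefix_match(uri: str) -> bool:
    """Loose check: any URI that merely starts with a registered value passes."""
    return any(uri.startswith(reg) for reg in REGISTERED_REDIRECT_URIS)


def redirect_uri_exact_match(uri: str) -> bool:
    """Strict check (Hammer's recommendation): the whole string must match."""
    return uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, validator: Callable[[str], bool],
              token: str = "tok_constructed") -> Optional[str]:
    """Authorization server after the user clicks 'allow': validate the
    requested redirect_uri and, if accepted, send the browser there with the
    token in the URL fragment. Returns None when the request is rejected."""
    if not validator(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


def callback_open_redirect(url: str) -> str:
    """Third-party site's callback that forwards to whatever ?next= says.
    Browsers keep the fragment when the Location header has none, so the
    token rides along to the new destination."""
    parts = urlsplit(url)
    nxt = parse_qs(parts.query).get("next", [None])[0]
    if nxt is None:
        return url
    return f"{nxt}#{parts.fragment}" if parts.fragment else nxt


def safe_next(value: Optional[str], default: str = "/") -> str:
    """Accept only a same-site relative path: exactly one leading '/',
    no scheme, no host. Anything else falls back to the default page."""
    if not value or not value.startswith("/") or value.startswith(("//", "/\\")):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    return value


def callback_hardened(url: str) -> str:
    """Callback that resolves ?next= only to a path on its own origin."""
    parts = urlsplit(url)
    nxt = safe_next(parse_qs(parts.query).get("next", [None])[0])
    return urlunsplit((parts.scheme, parts.netloc, nxt, "", parts.fragment))


def run_flow(validator: Callable[[str], bool], callback: Callable[[str], str],
             requested_redirect_uri: str) -> Optional[str]:
    """End to end: where does the browser, and with it the token, end up?"""
    landing = authorize(requested_redirect_uri, validator)
    if landing is None:
        return None
    return callback(landing)


if __name__ == "__main__":
    print("prefix match + open redirect :",
          run_flow(redirect_uri_prefix_match, callback_open_redirect, CRAFTED_REDIRECT_URI))
    print("exact match                  :",
          run_flow(redirect_uri_exact_match, callback_open_redirect, CRAFTED_REDIRECT_URI))
    print("prefix match + hardened site :",
          run_flow(redirect_uri_prefix_match, callback_hardened, CRAFTED_REDIRECT_URI))
```

Either fix on its own stops the token from leaving client.example: exact matching at the authorization server rejects the crafted redirect_uri before any token is issued, and a callback that only honours same-site paths keeps the token on the client even when the server was lenient. Deploying both is the sensible default, since the site and the authorization server are usually run by different parties.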
Fixing the Problem
The first rule of avoiding hacks is to just not click on links embedded in unsolicited emails or on social networking sites, Kaspersky suggested.
Users also should refrain from giving unknown applications the right to access their personal data; ensure they understand what account access rights each application wants; and keep antivirus software up to date.
Shutting down attackers is no trivial task, noted Brad Taylor, CEO of Proficio.
“When you actually do discover a hijacked domain and redirect attack, the security pros have got to find out where the bad code is redirecting,” he told the E-Commerce Times, “and ask the ISP or business partner to make the change on their network, DNS or websites … while the hacker simply moves on to the next ISP or partner.”