Serious vulnerability reported in OAuth and OpenID: Facebook and other major sites also affected
Hello~♪ Thank you, as always, for visiting. Today I spent a long time shopping with a childhood friend from high school. What a meaningless way to spend the time...

Following the OpenSSL vulnerability "Heartbleed", another major vulnerability has been found in popular open-source security software. This time it was found in the login tools "OAuth" and "OpenID", which are used by a large number of websites and by technology giants such as Google, Facebook, Microsoft and LinkedIn.
Wang Jing, a doctoral student at Nanyang Technological University in Singapore, discovered that a serious vulnerability called "Covert Redirect" allows a login popup to be spoofed on the domain of an affected site. Covert Redirect is based on a known exploit parameter.
For example, clicking a malicious phishing link opens a popup window inside Facebook asking the user to authorize an app. In the case of the Covert Redirect vulnerability, the user is not tricked with a fake domain name that resembles the real one; the authorization is requested using the real site's address.
If the user chooses to grant login permission, their personal data is sent to the attacker instead of the legitimate website. Depending on what is requested, the data handed over can include the email address, birthday, contact list and even account management information.
Whether or not the user authorizes the app, the targeted user is then redirected to a website of the attacker's choosing, where they may be exposed to further attacks.
According to Wang, he has already contacted Facebook and reported the vulnerability, but the company replied that it "understood the risks associated with OAuth 2.0" and that fixing the bug was "not something that can be accomplished in the short term" because "it is difficult to force every application on our platform to use a whitelist".
Facebook is not the only affected site. Wang says he also reported the issue to Google, LinkedIn and Microsoft, and received varied responses about how the problem would be handled.
Google (which uses OpenID) told Wang that it is currently working on the issue. LinkedIn said it had published a blog post on the matter. Microsoft, on the other hand, said that its investigation found the vulnerability to exist on a third-party domain and not on its own sites.
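To make concrete what the "whitelist" in Facebook's reply means on the authorization-server side, here is an added example (not code from the article or from Wang Jing's write-up) that contrasts a domain-level redirect_uri check with an exact-match whitelist, plus a log-review signal for the redirector shape; the client id, hostnames and paths are constructed.

```python
"""Redirect URI validation at an OAuth 2.0 authorization endpoint.

Added example, not code from the CNET article or from Wang Jing. It
contrasts the loose, domain-level comparison that Covert Redirect relies
on with the exact-match whitelist that Facebook's reply refers to. Client
id, hostnames and paths below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed registry: a client registers complete redirect URIs, not domains.
REGISTERED_REDIRECTS = {
    "client-app-123": {"https://app.example.com/oauth/callback"},
}


def domain_only_check(client_id: str, requested: str) -> bool:
    """Weak check: accept any HTTPS URL on a host the client has registered.

    If the client's site hosts any page that forwards visitors to a URL taken
    from its query string (an open redirector), a redirect_uri pointing at that
    page passes, and the code or token the server appends travels on to whatever
    destination the redirector was given. That is the Covert Redirect pattern
    the article describes: the real site address, but the data ends up elsewhere.
    """
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(requested)
    return parts.scheme == "https" and parts.hostname in hosts


def exact_match_check(client_id: str, requested: str) -> bool:
    """Strict check: simple string comparison against the registered set,
    as RFC 6749 section 3.1.2.3 requires. Any extra path or query fails."""
    return requested in REGISTERED_REDIRECTS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, strict: bool = True) -> str:
    """Model the authorization endpoint's decision for one request.

    Returns "redirect" when the server would send the user (and the code or
    token) to redirect_uri, or "error" when it must render an error page
    instead: RFC 6749 section 4.1.2.1 forbids redirecting to a URI that failed
    validation, since that would hand the response to the unvalidated party.
    """
    check = exact_match_check if strict else domain_only_check
    return "redirect" if check(client_id, redirect_uri) else "error"


def carries_nested_url(redirect_uri: str) -> bool:
    """Defensive signal for client operators and log review: a redirect_uri
    whose query string itself contains an absolute URL is the shape an open
    redirector on the client domain would be fed. Worth alerting on."""
    query = parse_qs(urlsplit(redirect_uri).query)
    return any(
        urlsplit(v).scheme in ("http", "https") and urlsplit(v).netloc
        for values in query.values()
        for v in values
    )


if __name__ == "__main__":
    legit = "https://app.example.com/oauth/callback"
    # Constructed: a redirector page on the legitimate client domain, fed an
    # external destination through its "next" parameter.
    via_redirector = "https://app.example.com/go?next=https://collector.example.net/"
    for uri in (legit, via_redirector):
        print(uri)
        print("  domain-only:", authorize("client-app-123", uri, strict=False))
        print("  exact-match:", authorize("client-app-123", uri, strict=True))
        print("  nested URL: ", carries_nested_url(uri))
```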
This article was edited for Japan by Asahi Interactive from an article originally published by CBS Interactive overseas.
From:
https://sp05rdcy.jugem.jp/?eid=1934
Reporter: Wang Jing, a doctoral student in mathematics at Nanyang Technological University. He received his bachelor's degree in mathematics from the University of Science and Technology of China.
https://tetraph.com/wangjing/chinese.html