白帽子安全


Vulnerabilities in "Sign in with Facebook"-style buttons



Only a few weeks after the discovery of the Heartbleed bug, ordinary users like you and me have another widespread problem to worry about, and this one will not be easy to fix. It is the "Covert Redirect" bug recently disclosed by Wang Jing, a mathematics PhD student at Nanyang Technological University in Singapore. The problem was found in two widely used Internet protocols, OpenID and OAuth. The first is used when you log in to websites with your Google, Facebook, LinkedIn or similar profile. The second is used when you authorize websites, apps or services to act on your behalf with Facebook, Google+ and the like, without revealing your password to those third-party sites. The two protocols are often used together, and you could well be handing your information to the wrong people.
The threat


Our friends at Threatpost have a more technical explanation along with a link to the original research (http://threatpost.com/critical-holes-in-oauth-openid-could-leak-information-redirect-users/105876); we will spare you the unnecessary detail and describe the likely attack scenario and its consequences. First, the user visits a phishing site that offers a "Sign in with Facebook" button. The site may closely imitate a popular service or pose as a brand-new one. Next, a genuine Facebook/Google+/LinkedIn window opens, asking the user for their username and password in order to authorize the service to access their profile. Finally, the authorization to use the profile is delivered to the wrong (phishing) site through a faulty redirect. What makes this work is that the attacker sets the OAuth redirect_uri parameter to an open-redirect page on a legitimate, registered client site; the provider checks only that the domain matches the registered one, so it sends the token or code to that legitimate domain, which then bounces it on to the attacker's server.


In the end, the criminal receives authorization to access the victim's profile (an OAuth access token) with whatever permissions such apps usually get, and in the worst case the ability to read the user's contacts, send messages on their behalf, and so on.


Is it fixed? Not really.


This threat will not go away any time soon, because the fix has to be applied both on the provider side (Facebook, LinkedIn, Google, etc.) and on the client side (the third-party service or app): providers must match the redirect URI strictly against what the developer registered, and client sites must close the open redirects on their own domains that the attack relies on. OAuth 2.0 was published as RFC 6749 in 2012, but the specification leaves much of the redirect-URI validation to implementers, so providers differ in how well they resist this attack. LinkedIn is best placed to deploy the fix: it handles things more strictly by requiring the developer of the third-party service to supply a "whitelist" of acceptable redirect URLs, so at the moment every app using LinkedIn authorization is either secure or non-functional. Things are different at Facebook, which unfortunately has a very large number of third-party apps and possibly an older, less strict OAuth implementation. That is why Facebook's spokespeople told Jing that building such a whitelist "isn't something that can be accomplished in the short term".


Many other providers appear to be vulnerable (the original post includes a screenshot listing them), so if you sign in to sites using these services, you need to take action.
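The attack chain described under "The threat" and the two halves of the fix discussed above, as an added example that is not code from the original post or from Wang Jing's research. The hosts (shop.example, evil.example), the client id, the /redirect endpoint and its `next` parameter are assumed for illustration. The model uses the implicit flow, where the token travels in the URL fragment, because browsers inherit the fragment of the original URL when a 3xx Location carries none (RFC 7231 section 7.1.2), which is exactly what lets an open redirect hand the token to the attacker:

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration data (assumed hosts): the legitimate client
# "shop.example" registered exactly one callback; the attacker owns "evil.example".
REGISTERED_CLIENTS = {
    "shop-app": {"redirect_uris": ["https://shop.example/oauth/callback"]},
}


def lax_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Vulnerable provider check: only scheme and host have to match a registered
    URI, so any path on the client's domain (including an open redirect) passes."""
    u = urlsplit(redirect_uri)
    return any(
        (u.scheme, u.netloc) == (r.scheme, r.netloc)
        for r in map(urlsplit, REGISTERED_CLIENTS[client_id]["redirect_uris"])
    )


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Fixed provider check: redirect_uri must equal a registered URI exactly
    (the whitelist approach; RFC 6749 sections 3.1.2 and 10.15)."""
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def provider_authorize(client_id: str, redirect_uri: str,
                       check: Callable[[str, str], bool],
                       token: str = "tok-secret-123") -> Optional[str]:
    """Authorization server after the user clicked 'Allow' in the genuine
    Facebook/Google/LinkedIn window. Returns the Location the browser will
    follow (implicit flow: token in the URL fragment), or None if rejected."""
    if not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def _fragment(parts) -> str:
    return "#" + parts.fragment if parts.fragment else ""


def client_open_redirect(url: str) -> str:
    """The client site's vulnerable /redirect endpoint (assumed): forwards the
    browser to whatever `next=` says. The fragment is inherited across the
    redirect, so the token rides along to the destination."""
    parts = urlsplit(url)
    if parts.path != "/redirect":
        return url
    dest = parse_qs(parts.query).get("next", ["/"])[0]
    return dest + _fragment(parts)


def client_safe_redirect(url: str) -> str:
    """Hardened client endpoint: `next` must be a same-site relative path.
    Anything carrying a scheme or host (including scheme-relative //evil.example)
    is replaced by the site root, so the fragment can only land on our own origin."""
    parts = urlsplit(url)
    if parts.path != "/redirect":
        return url
    dest = parse_qs(parts.query).get("next", ["/"])[0]
    d = urlsplit(dest)
    if d.scheme or d.netloc or not dest.startswith("/") or dest.startswith("//"):
        dest = "/"
    return f"https://{parts.netloc}{dest}" + _fragment(parts)


def where_does_the_token_land(check: Callable[[str, str], bool],
                              client: Callable[[str], str] = client_open_redirect
                              ) -> Optional[str]:
    """Run the Covert Redirect chain end to end and return the host that finally
    receives the access token (None when the provider refuses the request)."""
    # The phishing page builds a redirect_uri that points at the *legitimate*
    # client's open redirect, with the attacker's collector as the `next` target.
    attacker_redirect = "https://shop.example/redirect?" + urlencode(
        {"next": "https://evil.example/collect"})
    location = provider_authorize("shop-app", attacker_redirect, check)
    if location is None:
        return None
    return urlsplit(client(location)).netloc


if __name__ == "__main__":
    print("lax provider + open redirect   ->", where_does_the_token_land(lax_redirect_allowed))
    print("strict provider + open redirect ->", where_does_the_token_land(strict_redirect_allowed))
    print("lax provider + fixed client     ->", where_does_the_token_land(lax_redirect_allowed, client_safe_redirect))
```

Either fix alone stops this particular chain: the strict provider check refuses the attacker's redirect_uri outright, and the hardened client keeps the token on its own origin even when the provider is lax. A practitioner auditing a third-party app should look for both, since the provider's policy is outside the app developer's control.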


Your action plan


For the most cautious, the foolproof solution is to stop using OpenID and those "Sign in with..." buttons for a few months. That may also strengthen your privacy, because allowing these social-network logins makes your online activity easier to track and lets more and more sites read your basic demographic data. To avoid having to memorise different credentials for all those sites, start using a good password manager. Most of them now come with cross-platform clients and cloud sync, so your passwords are available on every computer you own.


Nevertheless, if you intend to keep using OpenID-style authorization, there is no immediate danger. You just need to be careful and avoid the phishing scams that typically start with an odd message in your inbox or a provocative link on Facebook and other social networks. If you sign in to a service with Facebook/Google/etc., make sure you reach that service's site by typing the address yourself or using a bookmark, not by following a link from an e-mail or instant message. Check the address bar so you do not land on dubious sites, and do not sign up to new services through OpenID unless you are completely sure the service is reputable and that you are on the right site. We also recommend a secure-browsing solution such as Kaspersky Internet Security – Multi-Device, which keeps your browser away from dangerous places such as phishing sites.



These are merely precautions that every Internet user should take every day, because phishing is widespread and effective and can lead to all sorts of digital losses, including stolen card numbers, e-mail credentials and so on. The "Covert Redirect" bug in OpenID and OAuth is just one more reason to follow them, without exception.


Source: http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/





Credit:

WANG Jing, a mathematics PhD student at Nanyang Technological University.

Nanyang Technological University; University of Science and Technology of China; Jiaonan No. 1 Middle School (Huangdao).

http://www.tetraph.com/wangjing/






http://blog.infinity-solutions.jp/2014/05/06/the-next-heartbleed-bug-covert-redirect-flaw/

http://www.appps.jp/88572/

http://scan.netsecurity.ne.jp/article/2014/05/08/34126.html

http://blog.kaspersky.co.jp/facebook-openid-oauth-vulnerable/3558/

http://newvo.jp/408699/OAuth2.0%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%28!?%29%22CovertRedirect%22%E3%81%A8%E3%81%AF-OAuth.jp

http://sp05rdcy.jugem.jp/?eid=1934

http://www.megafm.com.br/noticia/falha-de-seguranca-afetam-logins-de-facebook

http://www.opinionesdispersas.net/2014/05/otra-brecha-seguridad.html

http://www.it.co.kr/common/mediaitPrint.php?nSeq=2628799&nBoardSeq=60

http://xakep.ru/62448/

http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/

http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/

http://www.baboo.com.br/seguranca/covert-redirect-o-novo-heartbleed/

http://www.tomsguide.com/us/xss-flaw-ny-times,news-19784.html

http://www.tetraph.com/blog/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

http://www.hotforsecurity.com/blog/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013-10555.html

http://news.softpedia.com/news/XSS-Risk-Found-In-Links-to-New-York-Times-Articles-Prior-to-2013-462334.shtml

http://itsecuritynews.info/2014/10/16/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013/

https://www.youtube.com/watch?v=RekCK5tjXWQ

http://infopunk.org/main/blog/2014/10/16/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013/

http://worldnew.org/xss-flaw-may-exist-in-the-old-new-york-times-article-pages.html

http://securitynewswire.com/securitynews2012/article.php?title=XSS_Risk_Found_in_Links_to_New_York_Times_Articles_Prior_to_2013

http://sec.jetlib.com/Full_Disclosure/2014/10/15/Advisory_01_2014:_Drupal7_-_pre_Auth_SQL_InjectionVulnerability

https://www.marshut.net/kqipvz/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-before-2013-are-affected.html

http://news.silobreaker.com/jing-wang-11_3420080

http://www.tudou.com/programs/view/qkX60p9KHsk/

http://www.outofspecs.gr/tech-news/18408-xss-%CE%BA%CE%AF%CE%BD%CE%B4%CF%85%CE%BD%CE%BF%CE%B9-%CE%B5%CE%BD%CF%84%CE%BF%CF%80%CE%AF%CF%83%CF%84%CE%B7%CE%BA%CE%B1%CE%BD-%CF%83%CE%B5-%CF%83%CF%85%CE%BD%CE%B4%CE%AD%CF%83%CE%BC%CE%BF%CF%85%CF%82-%CF%83%CF%84%CE%BF-new-york-times-%CF%83%CE%B5-%CE%AC%CF%81%CE%B8%CF%81%CE%B1-%CF%80%CF%81%CE%B9%CE%BD-%CF%84%CE%BF-2013.html

http://tilegrafos.gr/XSS-kindunoi-entopistikan-se-sundesmous-sto-New-York-Times-se-arthra-prin-to-2013.html

http://essayjeans.blog.163.com/blog/static/237173074201491510534996/

http://telezkope.com/Technology/Programming/3321242/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013

http://www.hotforsecurity.com/blog/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains-10607.html

http://www.tetraph.com/blog/xss-vulnerability/mozilla-mozilla-org-two-sub-domains-cross-reference-xss-vulnerability-all-urls-under-the-two-domains/

https://www.xssposed.org/incidents/domain/lxr.mozilla.org/

https://www.youtube.com/watch?v=onA5BgC3zIY

http://itsecuritynews.info/2014/10/20/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains/

https://brica.de/alerts/alert/public/791810/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013/

http://infopunk.org/main/blog/2014/10/20/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains/

http://www.pinterest.com/pin/326018460499818774/

http://www.csoonline.com/article/2136232/application-security/open-redirect-on-yahoo.html

http://sec.jetlib.com/Full_Disclosure/2014/10/19/Mozilla_mozilla.org_Two_Sub-Domains_%28_Cross_Reference%29_XSS_Vulnerability_%28_All_URLs_Under_the_Two_Domains%29

http://t.qq.com/blackswall1544?preview

http://www.securityfocus.com/bid/70603

http://www.scip.ch/en/?vuldb.68036

http://cxsecurity.com/cvepokaz/CVE-2014-2230

http://news.silobreaker.com/cve20142230--openx-open-redirect-vulnerability-5_2268301705772793856

http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

http://seclists.org/fulldisclosure/2014/Oct/72

http://www.osvdb.org/creditees/12822-wang-jing

http://infopunk.org/main/blog/2014/10/16/cve-2014-2230-openx-open-redirect-vulnerability/

http://cve.scap.org.cn/CVE-2014-2230.html

http://www.osvdb.org/show/osvdb/113408

http://www.osvdb.org/show/osvdb/113409

http://www.osvdb.org/show/osvdb/106567

http://www.scip.ch/en/?vuldb.13185

http://www.securityfocus.com/bid/70654

http://cxsecurity.com/cveshow/CVE-2014-7292/

http://www.osvdb.org/show/osvdb/113580

http://securitynewswire.com/securitynews2012/article.php?title=CVE20147292_Newtelligence_dasBlog_Open_Redirect_Vulnerability

http://sec.jetlib.com/Full_Disclosure/2014/10/19/CVE-2014-7292_Newtelligence_dasBlog_Open_Redirect_Vulnerability

http://www.venustech.com.cn/NewsInfo/124/30608.Html

http://www.tetraph.com/blog/cves/cve-2014-7292-newtelligence-dasblog-open-redirect-vulnerability/

http://infopunk.org/main/blog/2014/10/20/cve-2014-7292-newtelligence-dasblog-open-redirect-vulnerability/

http://cve.scap.org.cn/CVE-2014-7292.html

http://blog.livedoor.jp/dvw_j/archives/41487850.html

http://essayjeans.blog.163.com/blog/static/237173074201493133220507/

http://computerobsess.blogspot.sg/2014/10/id-oauth.html

https://www.youtube.com/watch?v=HUE8VbbwUms

http://blog.sina.com.cn/s/blog_12ff797370102v5ao.html

http://securityrelated.blogspot.sg/2014/10/sicherheitslucke-in-oauth-20-und-openid.html

http://securityrelated.blogspot.sg/2014/10/openid-oauth-20.html

http://www.tetraph.com/blog/essaybeans/%E8%87%AA%E5%B7%B1%E5%96%9C%E6%AC%A2%E7%9A%84%E5%8F%A4%E4%BB%A3%E7%88%B1%E6%83%85%E8%AF%97-%E5%94%AF%E7%BE%8E%E5%8F%A4%E8%AF%97/

https://www.youtube.com/watch?v=KiNKYD9VRK8

http://vulnerabilitypost.wordpress.com/category/computer-vulnerability/

http://tetraph.wordpress.com/2014/10/31/%E7%94%9F%E6%B4%BB%E5%8F%AA%E6%9C%89%E5%9C%A8%E5%B9%B3%E6%B7%A1%E6%97%A0%E5%91%B3%E7%9A%84%E4%BA%BA%E7%9C%8B%E6%9D%A5%E6%89%8D%E6%98%AF%E7%A9%BA%E8%99%9A%E8%80%8C%E5%B9%B3%E6%B7%A1%E6%97%A0%E5%91%B3/

http://www.tudou.com/programs/view/6qw_vdy5yD0

http://essayjeans.blog.163.com/blog/static/237173074201493194049763/

http://v.youku.com/v_show/id_XNzExNDY3OTI0.html

http://blog.sina.com.cn/s/blog_ecd65d410102v6in.html

http://tetraph.blogspot.sg/2014/10/des-vulnerabilites-pour-les-boutons.html

http://whitehatview.tumblr.com/post/101411985996

http://securityrelated.blogspot.sg/2014/10/des-vulnerabilites-pour-les-boutons.html

http://tetraph.com/security/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid-2/

http://essayjeans.blogspot.sg/2014/10/butterfly-motto-sentences-related-to.html

http://essaybeans.blogspot.sg/2014/10/p-o-e-m-s-look-far-and-beyond-games.html

http://user.qzone.qq.com/2519094351/blog/1414740657

http://www.tetraph.com/security/covert-redirect/%D1%81%D1%82%D1%83%D0%B4%D0%B5%D0%BD%D1%82-%D0%BC%D0%B0%D1%82%D0%B5%D0%BC%D0%B0%D1%82%D0%B8%D0%BA-%D0%BD%D0%B0%D1%88%D1%91%D0%BB-%D1%83%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C-%D0%B2-ope/

http://www.tetraph.com/blog/covert-redirect/372/

http://mathfas.wordpress.com/2014/10/31/the-book-of-songs-bei-feng-drum/

http://blog.sina.com.cn/s/blog_12ff797370102v5at.html

http://www.pinterest.com/pin/465278205227138203/

http://tetraph.tumblr.com/post/101419755007/the-book-of-songs-bei-feng-drum

http://tetraph.blog.163.com/blog/static/2346030512014931102629791/

http://www.pinterest.com/pin/465278205227138242/

http://blog.sina.com.cn/s/blog_12ff797370102v5au.html

http://user.qzone.qq.com/2519094351/blog/1414744839

http://www.inzeed.com/kaleidoscope/covert-redirect/otra-brecha-de-seguridad-amenaza-parte-de-internet/

http://www.diebiyi.com/articles/covert-redirect/falha-de-seguranca-afetam-logins-de-facebook/

http://www.tetraph.com/security/covert-redirect/%ED%95%98%ED%8A%B8%EB%B8%94%EB%A6%AC%EB%93%9C-%EC%9D%B4%EC%96%B4-%EC%98%A4%ED%94%88id%EC%99%80-%EC%98%A4%EC%93%B0oauth%EC%84%9C%EB%8F%84-%EC%8B%AC%EA%B0%81/

http://www.inzeed.com/kaleidoscope/covert-redirect/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/

http://www.diebyi.com/articles/covert-redirect/sicherheitslucke-in-oauth-2-0-und-openid-gefunden/

http://threatpost.com/critical-holes-in-oauth-openid-could-leak-information-redirect-users/105876

https://en.wikipedia.org/wiki/Covert_Redirect

http://aga.ustc.edu.cn/news/view?id=2094

http://blog.kaspersky.com.cn/openid%E5%92%8Coauth%E6%98%93%E5%8F%97%E6%94%BB%E5%87%BB%EF%BC%8C%E9%9C%80%E4%BF%9D%E6%8C%81%E8%AD%A6%E6%83%95/938/

https://zh.wikipedia.org/zh-sg/隱蔽重定向漏洞

http://www.ustcif.com/default.php/content/2128/

http://blog.sina.com.cn/s/blog_13e2110420102v3b4.html

http://blog.sina.com.cn/s/blog_13de2fcd60102v8r6.html

http://yurusi.blogspot.sg/2014/11/covert-redirect.html

http://aibiyi.blogspot.sg/2014/11/covert-redirect.html

http://frenchairing.blogspot.sg/2014/11/des-vulnerabilites-pour-les-boutons.html

http://germancast.blogspot.sg/2014/11/sicherheitslucke-in-oauth-20-und-openid.html

http://japanbroad.blogspot.sg/2014/11/oauthopenid-facebook.html

http://russiapost.blogspot.sg/2014/11/openid-oauth-20.html

https://vulnerabilitypost.wordpress.com/2014/10/02/google-chromium-xss-auditor-filter-bypass/

http://tetraph.wordpress.com/2014/10/31/otra-brecha-de-seguridad-amenaza-parte-de-internet/

http://tetraph.tumblr.com/post/101408567382/falha-de-seguranca-afetam-logins-de-facebook

http://whitehatview.tumblr.com/post/101405308531/openid-oauth-2-0

http://blog.sina.com.cn/s/blog_ecd65d410102v6gp.html

http://essayjeans.blog.163.com/blog/static/237173074201493171559786/

http://tetraph.blog.163.com/blog/static/23460305120149316548212/

http://mathfas.wordpress.com/2014/10/31/otra-brecha-de-seguridad-amenaza-parte-de-internet/

http://blog.sina.com.cn/s/blog_9c466a590102v2hw.html

http://computerobsess.blogspot.sg/2014/10/sicherheitslucke-in-oauth-20-und-openid.html

http://securityrelated.blogspot.sg/2014/10/id-oauth.html

http://tetraph.blogspot.sg/2014/10/id-oauth.html

http://essaybeans.blogspot.sg/2014/10/blog-post.html

http://www.tetraph.com/blog/love/%E8%AE%A9%E4%BA%BA%E4%BC%A4%E5%BF%83%E7%9A%84%E7%88%B1%E6%83%85%E5%8F%A5%E5%AD%90-%E5%85%B3%E4%BA%8E%E6%8F%8F%E5%86%99%E4%BC%A4%E5%BF%83%E7%9A%84%E5%8F%A5%E5%AD%90-%E6%9C%80%E4%BC%A4%E5%BF%83%E7%9A%84/

http://diebiyi.com/articles/%E6%84%9B%E6%83%85/540/

http://www.youtube.com/watch?v=RekCK5tjXWQ

http://www.youtube.com/watch?v=KiNKYD9VRK8

https://vimeo.com/110769496

https://vimeo.com/110761588

http://v.youku.com/v_show/id_XNzIzMDU0NTc2.html

http://www.tudou.com/programs/view/49qWBJhRm7o

http://www.tudou.com/programs/view/Px3eEBhXjpc

http://v.youku.com/v_show/id_XODE1MDI4OTcy.html

http://tetraph.com/security/covert-redirect/youku%E4%BC%98%E9%85%B7covertredirect%E8%B7%B3%E8%BD%AC%E7%B3%BB%E7%BB%9F%E6%BC%8F%E6%B4%9E%E5%9F%BA%E4%BA%8Ebaidu-com-%E7%99%BE%E5%BA%A6/

https://twitter.com/essayjeans/status/529171466202275840

https://www.facebook.com/essaybeans?ref=bookmarks

https://www.facebook.com/essayjeans?ref=bookmarks

https://www.facebook.com/tetraph

https://twitter.com/justqdjing/status/530969599420792832

http://www.reddit.com/user/gadshots

http://www.reddit.com/user/butterdry/

http://www.pinterest.com/pin/326018460499926302/

http://www.pinterest.com/tetraph/life/

http://www
