The Sangfor Security Team was recently invited to attend Black Hat Asia 2019 in Singapore, the world’s top annual information security event, on the strength of its joint research project with the Chinese University of Hong Kong, “The Account Security for Single Sign-On,” and its subsequent publication in the Black Hat Asia 2019 report. Sangfor Security researchers presented the talk “Make Redirection Evil Again: URL Parser Issues in OAuth,” sharing their findings on URL parsing vulnerabilities in multiple browsers and code bases. Attackers can use these vulnerabilities to take direct control of user accounts, putting the account security of billions of users at risk. The Sangfor Security Team hopes that its research will help the IT industry recognize vulnerabilities in current account systems while providing more secure services to users.
The Sangfor Security Team was selected for Black Hat Asia to present on single sign-on redirect vulnerabilities. As is well known, the Internet is currently over-reliant on passwords, and password leakage incidents have become quite common. Single sign-on offers a partial solution by allowing users to log into third-party websites or applications (e.g. YouTube) with an account from a social networking site (e.g. Facebook, Google), thereby reducing the number of times a login and password must be entered. Thanks to its popularity and convenience, millions of Internet users rely on single sign-on services every day, making the security of single sign-on more and more important to users’ overall Internet security.
Single sign-on requires cooperation and coordination between social networking sites, third-party applications and users, and involves multiple redirects and complex technology. The Sangfor Security Team’s research uncovered URL resolution vulnerabilities in several major browsers and URL parsing vulnerabilities in social networking sites that allow an attacker to abuse redirects to obtain single sign-on tokens directly and take control of user accounts. After gaining control of a user account, the attacker can browse the user’s social network information, use a third-party application to carry out malicious activities with the user’s credit card, browse search histories, access private photos and more.
The Sangfor Security Team’s research into 50 major social networking sites worldwide found that 11 of them, including several Chinese social networking sites, had such vulnerabilities. The results of this research were reported to the affected vendors, and most of the vulnerabilities have been fixed, proactively addressing potential security threats for billions of users.
The Sangfor Security Team has published research at Black Hat conferences in 2014 (USA), 2016 (Europe) and 2019 (Asia), demonstrating Sangfor’s security capabilities and earning it recognition as a first-class security vendor in China.
About Black Hat
Black Hat is the most technical and cutting-edge information security event series in the world. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development and trends in a strictly vendor-neutral environment.
Source: Black Hat’s website