My Opinion on the Authentication Vulnerability of the Sina Weibo iPad Client

Source: Internet
Author: User
Tags: oauth

According to LTJ, the Sina Weibo iPad client

The following should be the case he encountered and his testing process.

After authorizing the iPad client, I often send Weibo posts, read Weibo posts, and so on. (Assume) the iPad is lost without cancelling authorization or logging out; I go to the Sina account center to change the password and find that the iPad can still send and view Weibo posts. The situation is as follows. Regarding the sixth point at http://www.bkjia.com/article/201511/104557.html, "We know that a website login can save the login state. If you do not click to log out, you remain logged in. This is common knowledge for elementary school students.", I agree with the opinion of the netizen QZ. Here we can give a general example. If two browsers both log on to a website, the authentication information is saved in the cookie or session. As long as the cookie and session have not been destroyed or recycled, they are regarded as valid. Even where the user password is held in the cookie or session, for efficiency reasons it is unlikely that a request is sent to the database to verify the password each time. As long as the cookie and session are in effect, the user information is read directly from them, even if the user has changed the password. So in this case you can log on with two browsers, then change the password in one of them and log on again with the old password: the system will prompt that the password is incorrect, because the password has been changed and, with the cookie and session gone, the program has to verify the user name and password against the database. But in the other browser, which still holds the cookie and session, the authentication remains valid: the program does not verify the password against the database, so it still considers the session valid. Therefore, I agree with QZ's sixth point.

 

However, many people mentioned OAuth and related topics in the comments on QZ's Weibo. I don't think this issue involves the OAuth layer. The problem raised by netizen LTJ is that the iPad can still send Weibo posts to the Sina website (the iPad's session is still valid because it was never logged out; posts can be sent because the session is valid and the authentication is legitimate, and once authentication has passed, the post is delivered through the OAuth protocol, which is working correctly here). What netizen LTJ is actually puzzled by is that after the password is changed on the Sina website, the iPad client still considers the user legitimate.

 

My understanding of the login verification process among the Sina iPad client, the Sina Weibo website, and the Sina passport center is as follows:

The diagram is a little ugly. Sorry.

Explanation:

The Sina Weibo web version and the Sina Weibo iPad version, as well as Sina Mail and Sina Blog, are all sub-systems of Sina Passport; they do not store the password themselves, and all verification is performed by Sina Passport.

 

The Sina Weibo iPad version, the Sina Weibo iPhone version, and other clients such as Jieke and Jiebian are all applications of the Sina Weibo web version; they are at the same level. Users can grant and revoke authorization for them on Sina Weibo.

 

When a user logs on to the iPad client, the client sends the account and password entered by the user to the back-end server for the iPad client. That server forwards the user name and password to Sina Passport for verification; once verification passes, Sina Passport informs the Sina Weibo iPad server, the server tells the iPad client that authentication succeeded, and the session information is saved on the iPad client. From then on, the iPad client presents this session on every request to the Weibo iPad server, and the session's validity period is long.

When an iPad client user sends a Weibo post to the iPad server, the Weibo iPad server checks that the session is valid and then sends the post to the web server through the OAuth protocol.

 

Applications such as Jieke and Jiebian work basically the same way. The user must first log on to Jieke or Jiebian (even when logging on via Sina Weibo). Posts the user makes on sites such as Jieke and Jiebian are first sent to their own servers and then pushed to the Sina Weibo website through the OAuth protocol.

The Sina Weibo iPad client plays the same role as the browser used to log on to Jieke or Jiebian.

(Maybe the login process of the Sina Weibo iPad client is not exactly as I drew it, but one point can be determined: the problem LTJ is puzzled by, that the iPad still considers the session valid after the password is changed on the Sina website, has nothing to do with OAuth. At least that step has not yet been reached.)

That is to say, the problem LTJ is puzzled by does not involve OAuth.

 

So, although some netizens mentioned OAuth, I think OAuth is fine here for the moment, even though OAuth 1.0 has had security problems.

 

I did not test the question QZ raised about revoking authorization on the iPad and the iPhone still being accessible, because I have no iPhone.

I think the lost iPad mentioned by LTJ is the same as losing a computer after logging on and saving the authentication information on it. All the authentication information is legitimate and usable, so the program considers the session legitimate, and it is logical that it allows the user to send posts and perform other operations.

 

In addition, regarding QZ's sixth question: the same account being logged on in two places at the same time, with both considered legitimate, is common in web programs and is almost always the case. If you want to allow only one login per account at a time, that can be done. However, Sina Weibo does not seem able to solve this problem, because the clients are different applications.
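The two behaviours discussed above (a long-lived client session that survives a password change because the password is only checked at login, and optionally allowing a single login per account) can be made concrete in a small model of the "passport" role. This is an added example, not code from the post or from Sina; the `Passport` class, its `cred_version` field and the PBKDF2 hashing are assumptions of the example. Stamping each session with the credential version it was issued under lets a password change invalidate every earlier session on every client without the server having to contact the clients.

```python
import hashlib
import secrets
import time

def _hash_pw(password, salt):
    # PBKDF2 used for brevity; any slow password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Passport:
    """Central account store; clients (web, tablet) hold only a session token."""
    def __init__(self, single_session=False):
        self.users = {}      # name -> {"salt", "hash", "cred_version"}
        self.sessions = {}   # token -> {"user", "cred_version", "expires"}
        self.single_session = single_session  # optional one-login-at-a-time policy

    def register(self, user, password, version=0):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": _hash_pw(password, salt),
                            "cred_version": version}

    def _check_pw(self, user, password):
        acct = self.users.get(user)
        return acct is not None and secrets.compare_digest(
            acct["hash"], _hash_pw(password, acct["salt"]))

    def login(self, user, password, ttl=30 * 86400):
        """Check the password once; the token records the credential version."""
        if not self._check_pw(user, password):
            return None
        if self.single_session:
            self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "expires": time.time() + ttl,
                                "cred_version": self.users[user]["cred_version"]}
        return token

    def is_valid(self, token, check_credentials=True):
        # check_credentials=False is the behaviour the post describes: an
        # unexpired token stays valid after the password changes.
        s = self.sessions.get(token)
        if s is None or s["expires"] < time.time():
            return False
        return (not check_credentials
                or s["cred_version"] == self.users[s["user"]]["cred_version"])

    def change_password(self, user, old, new):
        """Bumping the version invalidates every earlier token on every client."""
        if not self._check_pw(user, old):
            return False
        self.register(user, new, self.users[user]["cred_version"] + 1)
        return True
```

With `check_credentials=False` the lost iPad keeps posting after the password change, exactly as in the post; with the default check, the same token is rejected on its next request.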

 

The above is one programmer's opinion. If there are any mistakes, please forgive me and correct me. Thanks all.

From: hi.baidu.com/cffiles
