How Attackers Exploit Sina Weibo OAuth to Hijack User Accounts
This article examines common security pitfalls when integrating Sina Weibo OAuth for user login and account binding, illustrating CSRF vulnerabilities and code‑theft attacks through real‑world examples on Bilibili, NetEase Cloud Music, and Zhihu, and offers mitigation recommendations.
This article introduces the process of integrating Sina Weibo OAuth for user authentication on web sites and highlights several security issues that can arise.
Standard OAuth Login Flow
1. The user clicks a "Login with Weibo" button and is redirected to
https://api.weibo.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI.
2. The user enters Weibo credentials, authorizes the app, and Weibo redirects back to YOUR_REGISTERED_REDIRECT_URI/?code=CODE.
3. The backend exchanges the code for an access token via
https://api.weibo.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code=CODE, and can then access the user's Weibo data with that token.
Common Vulnerabilities
1. CSRF in Binding Interfaces
Attackers can craft a page that logs into a Weibo account they control (pre‑authorized for the target site) and then silently binds that account to the victim's site account via an <img> tag pointing at the site's binding endpoint. Because the endpoint accepts the request without any proof that the victim intended it, the attacker's Weibo account becomes a valid login for the victim's account, resulting in account takeover.
2. Incomplete Validation of Binding Flow
Some sites, such as NetEase Cloud Music, rely on a csrf_token alone but fail to validate the state parameter or to confirm that the logged-in user actually initiated the binding, allowing attackers to skip the first step of the flow and bind their own Weibo account to the victim's account.
3. Authorization Code Theft
By manipulating the redirect_uri parameter (e.g., pointing it at a redirect on link.zhihu.com, which falls under the same registered domain), attackers can obtain the code after the user authorizes and then use it to log in as the victim on sites like Zhihu.
Real‑World Examples
• Bilibili: CSRF in the binding endpoint allowed an attacker to bind their Weibo account to a victim's Bilibili account.
• NetEase Cloud Music: Missing state validation enabled an attacker to bind a pre‑authorized Weibo account and gain access.
• Zhihu: By crafting a malicious URL that redirects through link.zhihu.com, the attacker captured the code and used it to log in as the victim.
Mitigation Recommendations
Ensure binding endpoints are protected against CSRF, e.g., by requiring anti‑CSRF tokens and confirming user intent.
Fully validate the OAuth state parameter and verify that the binding request originates from the user.
Require complete redirect_uri specifications (including path) rather than allowing open domain redirects, and consider prompting users before automatic redirects.
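The three recommendations above, carried into a minimal server-side binding flow as an added example (this is not code from the article or from any of the sites it discusses). The allowlist host example.com, the function names start_binding and finish_binding, and the session dict are assumptions; the weak domain-only check is included only to show what the strict one rejects.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

AUTHORIZE_URL = "https://api.weibo.com/oauth2/authorize"
# Constructed allowlist: full redirect URIs (scheme, host and path) registered for the app.
REGISTERED_REDIRECT_URIS = {"https://example.com/oauth/weibo/callback"}


def redirect_uri_allowed_strict(uri: str) -> bool:
    """Exact match only: a registered redirect_uri, path included, passes."""
    return uri in REGISTERED_REDIRECT_URIS


def redirect_uri_allowed_domain_only(uri: str) -> bool:
    """The weak rule the article warns about: anything under the registered
    domain passes, so a redirector on a sibling host can receive the code."""
    host = urlsplit(uri).hostname or ""
    return host == "example.com" or host.endswith(".example.com")


def start_binding(session: dict, user_id: str, client_id: str, redirect_uri: str) -> str:
    """Step 1 of binding: record the requesting user and a single-use state."""
    if not redirect_uri_allowed_strict(redirect_uri):
        raise ValueError("refusing to start a flow with an unregistered redirect_uri")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_bind_user"] = user_id  # who clicked "bind Weibo"
    query = {"client_id": client_id, "response_type": "code",
             "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def finish_binding(session: dict, current_user: str, params: dict, exchange_code) -> str:
    """Callback handler: bind only when the flow was started here, by this user."""
    expected = session.pop("oauth_state", None)      # single use, even on failure
    initiator = session.pop("oauth_bind_user", None)
    received = params.get("state", "")
    if not expected or not hmac.compare_digest(expected, received):
        raise PermissionError("state missing or mismatched: flow not started by this session")
    if initiator != current_user:
        raise PermissionError("binding was not initiated by the current user")
    # Only now exchange the code server-side (code -> access_token -> Weibo uid).
    return exchange_code(params["code"])
```

A request arriving with no pending state in the victim's session (the CSRF case) or with a state minted for a different user is rejected before any code is exchanged.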
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO