Malicious attackers can use the 'Covert Redirect' vulnerability in the OAuth 2.0 and OpenID open-source login systems to steal your personal info as well as redirect you to unsafe sites.
Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.
Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, discovered that the serious vulnerability, dubbed "Covert Redirect", can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter.
For example, someone clicking on a malicious phishing link will get a Facebook popup window asking them to authorize the app. Instead of tricking users with a look-alike fake domain name, the Covert Redirect flaw uses the real site's address for authentication.
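The defensive side of the flaw described above, as an added example that is not from the article or from any of the named providers: an authorization server that only checks the domain of the OAuth 2.0 `redirect_uri` will happily send the user on to any open-redirect page hosted on the legitimate domain, whereas exact-match validation against the registered callback rejects it. The client, hostnames and URIs below are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: the single callback URI a hypothetical client registered.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def loose_redirect_check(redirect_uri: str) -> bool:
    """Domain-only matching: anything served from the registered domain passes.

    This is the weakness Covert Redirect relies on. If that domain also hosts a
    page that forwards visitors elsewhere, the authorization response is
    delivered there, while the user only ever saw the real site's login popup.
    """
    parsed = urlparse(redirect_uri)
    registered_hosts = {urlparse(r).hostname for r in REGISTERED_REDIRECT_URIS}
    return parsed.scheme == "https" and parsed.hostname in registered_hosts


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-match validation: scheme, host and path must equal a registered
    URI, and no extra query string or fragment is tolerated."""
    parsed = urlparse(redirect_uri)
    if parsed.query or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, strict: bool = True) -> str:
    """Decision the authorization server makes before sending the user on.
    Returns 'redirect' only if the chosen check accepts the URI."""
    check = strict_redirect_check if strict else loose_redirect_check
    return "redirect" if check(redirect_uri) else "reject"


# Constructed request URIs: the registered callback, and a forwarding page on
# the same legitimate domain of the kind Covert Redirect abuses.
LEGIT = "https://app.example.com/oauth/callback"
FORWARDER = "https://app.example.com/out?next=https://third-party.example.net/"

if __name__ == "__main__":
    for uri in (LEGIT, FORWARDER):
        print(f"loose : {authorize(uri, strict=False):8s} {uri}")
        print(f"strict: {authorize(uri):8s} {uri}")
```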