Serious security flaw in OAuth and OpenID discovered

  • 2 May 2014
  • 3 replies

Malicious attackers can use the 'Covert Redirect' vulnerability in the OAuth 2.0 and OpenID open-source login systems to steal your personal info as well as redirect you to unsafe sites.
 
Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.
Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious "Covert Redirect" vulnerability can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter.
For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a similar-looking fake domain name to trick users, the Covert Redirect flaw uses the real site address for authentication.
 
Full Article
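The post above describes the mechanism in one sentence: the authorization popup really does come from the legitimate provider, and the redirect target really is on the legitimate site's domain. The weakness that makes this work is an authorization server that checks the redirect_uri parameter loosely (any URL on a registered domain) combined with a client site that hosts an open redirect. The following is an added example, not code from the article or from the cited report, showing the difference between a loose domain check and an exact-match check against a registered redirect list, plus a simple local-path check a client can apply to its own "next" parameter. All names (client-app-123, app.example, idp.example, attacker.example) and the sample authorization URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: a hypothetical OAuth client registration.
# Real providers store this per client_id at registration time.
REGISTERED_REDIRECT_URIS = {
    "client-app-123": ["https://app.example/oauth/callback"],
}

# Constructed authorization requests. The first is the normal flow; the
# second carries a redirect_uri on the *same registered host* but pointing
# at a hypothetical open-redirect endpoint, the pattern the post describes.
LEGIT_REQUEST = (
    "https://idp.example/authorize?response_type=token&client_id=client-app-123"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcallback"
)
CRAFTED_REQUEST = (
    "https://idp.example/authorize?response_type=token&client_id=client-app-123"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fredirect%3Fnext%3Dhttps%3A%2F%2Fattacker.example"
)


def loose_domain_match(client_id, redirect_uri):
    """Weak check: accept any URI whose host matches a registered host.
    This is the kind of validation Covert Redirect relies on."""
    registered_hosts = {
        urlparse(u).hostname for u in REGISTERED_REDIRECT_URIS.get(client_id, [])
    }
    return urlparse(redirect_uri).hostname in registered_hosts


def strict_exact_match(client_id, redirect_uri):
    """Hardened check: the whole string (scheme, host, path, query) must be
    one of the URIs registered for this client."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def validate_authorization_request(url, checker):
    """Parse an authorization-endpoint URL and decide whether the redirect_uri
    it carries should be honoured. Returns (ok, reason)."""
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [None])[0]
    redirect_uri = query.get("redirect_uri", [None])[0]
    if client_id is None or redirect_uri is None:
        return False, "missing client_id or redirect_uri"
    if urlparse(redirect_uri).scheme != "https":
        return False, "redirect_uri must use https"
    if not checker(client_id, redirect_uri):
        return False, "redirect_uri not registered for client"
    return True, "ok"


def is_local_path(next_value):
    """Client-side guard for a post-login 'next' parameter: only a
    same-origin absolute path is allowed. Rejects full URLs,
    protocol-relative '//host' forms and backslash tricks."""
    parsed = urlparse(next_value)
    return (
        parsed.scheme == ""
        and parsed.netloc == ""
        and next_value.startswith("/")
        and not next_value.startswith("//")
        and "\\" not in next_value
    )


if __name__ == "__main__":
    for name, req in (("legit", LEGIT_REQUEST), ("crafted", CRAFTED_REQUEST)):
        print(name, "loose :", validate_authorization_request(req, loose_domain_match))
        print(name, "strict:", validate_authorization_request(req, strict_exact_match))
    for candidate in ("/account", "https://attacker.example", "//attacker.example"):
        print(repr(candidate), "local path?", is_local_path(candidate))
```

Running it shows that the loose check accepts both requests, so a token issued for the crafted one would be delivered to the registered host's redirect endpoint and forwarded on, while the exact-match check accepts only the registered callback. Either fix on its own (exact matching at the provider, or no open redirect on the client) closes the path; applying both is the usual recommendation.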

3 replies

That's a big one - maybe after it gets exploited then they'll change their tune on fixing it.
Is it fair to call Covert Redirect a vulnerability?
 
On Friday, a PhD student at the Nanyang Technological University in Singapore, Wang Jing, published a report focused on a method of attack called "Covert Redirect," promoting it as a vulnerability in OAuth 2.0 and OpenID.
However, this isn't the first time the issue has been raised, and it isn't anywhere near as bad as Heartbleed was.
 
OAuth 2.0 and OpenID enable access. Using these services allows a visitor to a given domain to gain access by using their existing credentials on another website, such as Facebook, Google, Microsoft, or LinkedIn. Doing so removes the step of registering a new account.
Over the years, the two services have grown in popularity, as they enable a wide range of interaction across brands, and offer an easy path of access for the end user.
Jing's disclosure points out the fact that unless implemented properly, users who see the typical OAuth 2.0 or OpenID pop-up from a given provider could be falling for a trap.
 
Full Article
Last week, Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, reported finding an OAuth and OpenID security flaw that could be exploited to obtain sensitive information. 

OAuth is the open standard for authorization used for many high-profile web, desktop and mobile applications. The security issue, which has been dubbed “Covert Redirect,” can expose all sorts of information.

“For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc,” the expert noted in a blog post.
 
Full Article
