Serious security flaw in OAuth and OpenID discovered

Apparently Heartbleed wasn’t enough of a security exploit for the internet. Attackers can use the “Covert Redirect” vulnerability in both open-source log-in systems to steal your data and redirect you to unsafe sites.

A new flaw has been found in popular open-source security software. This time, the holes have been found in the log-in tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others. Some of the affected services include:

  • LinkedIn
  • GitHub
  • Facebook
  • Google
  • PayPal
  • Microsoft

There are other affected services but these are some of the bigger players.

What Does This Mean?

A user clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a look-alike fake domain name to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the log-in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, and contact lists to possibly even control of the account.

The thing about this exploit is that, regardless of whether the victim chooses to authorize the app, he or she will then be redirected to a website of the attacker’s choice, which could potentially further compromise the victim.
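The defensive counterpart to the behaviour described above, as an added example that is not code from the original post or from any of the services named: an authorization server that accepts a redirect_uri only when it exactly matches a URI the client pre-registered, so a request that names the legitimate site's host but some other path or query is refused before any data or token can be sent there. The client id, the registered callback URI and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the exact redirect URIs each client registered with
# the authorization server. In a real deployment these come from the
# client registration store, not from a literal.
REGISTERED_REDIRECT_URIS = {
    "client-123": {
        "https://app.example.com/oauth/callback",
    },
}


def is_allowed_redirect_uri(client_id: str, requested: str) -> bool:
    """Return True only if `requested` exactly matches a redirect URI
    registered for `client_id`.

    Matching on the host alone, or on a prefix, is what lets the
    authorization response be bounced through an open redirector that
    lives on the legitimate site's domain. A full-string comparison
    after a light sanity check closes that gap.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    parts = urlsplit(requested)
    # Only absolute https URLs with a host are acceptable.
    if parts.scheme != "https" or not parts.hostname:
        return False
    # No fragment, and no credentials smuggled into the authority.
    if parts.fragment or parts.username or parts.password:
        return False
    # Exact comparison: no prefix match, no subdomain wildcard,
    # and no ignoring of path or query.
    return requested in registered


if __name__ == "__main__":
    # Constructed sample requests, one registered and the rest not.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect",
        "https://app.example.com/oauth/callback?next=x",
        "http://app.example.com/oauth/callback",
    ]
    for uri in samples:
        verdict = "allow" if is_allowed_redirect_uri("client-123", uri) else "deny"
        print(f"{verdict:5s} {uri}")
```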

What is the REAL DANGER!?

In the right set of circumstances, it is currently possible to use a phishing site to hijack Facebook login credentials. Depending on the OAuth 2.0 implementation, this could be possible on other services too.

It’s important to note, however, that in order to take advantage of this vulnerability in the first place, a user has to click on a link or visit a malicious website. And not only does a user have to click on a malicious link, they have to then click on a Facebook login button and agree to authorize the login and release of information.

This exploit is nowhere near as bad as Heartbleed was, but it is still something to take into consideration. This is something that will be patched, and it will then be up to the services that implement these log-in tools to actually apply the patches. If you are using an affected service you don’t need to worry too much, but it is something to be aware of.

Sources: CNET, Mashable