Serious Security Flaw Found in OAuth and OpenID

After "Heartbleed", the major internet security flaw, another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft and LinkedIn, among others.

A Ph.D. student at Nanyang Technological University in Singapore, Wang Jing, has discovered a critical vulnerability dubbed "Covert Redirect". The flaw could enable phishing sites to grab a user's login information.

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.

What is Covert Redirect?
Covert Redirect is a flaw in the open-source login tools OAuth and OpenID. It lets a malicious page masquerade as a login popup that appears to come from an affected site's domain.

What are OAuth and OpenID?
OAuth is an open standard for authorization. It is designed as a way for users to sign in to, or sign up for, other services using an existing identity from a site such as Google, Facebook, Microsoft or Twitter. OpenID is a similar protocol, also used for single sign-on (SSO).
These protocols are what companies use to make it easy to sign in to multiple services without having to create several new accounts.

Wang says that almost all major organisations' sites are affected by this vulnerability, including Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal and others. Wang has also reported the vulnerability to all of these companies but received unexpected responses from all of them.


Responses to the reports:

Facebook: The company said it "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."

Google: Google says that it has tracked the issue.

LinkedIn: The company will publish a blog post on the matter soon.

Microsoft: Microsoft said that an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.

Wang said:
"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
Jeremiah Grossman, founder and interim CEO of WhiteHat Security, a website security firm, has responded positively to Wang's finding and appreciated his work.
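To make the whitelist point concrete, here is an added example (not from the article or from Wang's report) of how an authorization server might validate the redirect_uri in an authorization request: a loose same-domain match accepts a redirect through a client site's open redirector, while an exact-match whitelist rejects it. The client id, hostnames and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical OAuth client (not from the article).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example/oauth/callback"},
}


def loose_match(client_id: str, requested: str) -> bool:
    """Same-scheme, same-host check: domain-level matching that accepts any
    path on the client's domain, including an open redirector endpoint."""
    req = urlsplit(requested)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        if req.scheme == reg.scheme and req.hostname == reg.hostname:
            return True
    return False


def strict_match(client_id: str, requested: str) -> bool:
    """Exact-string whitelist match (RFC 6819 recommends exact matching of
    pre-registered redirect URIs): no wildcards, no prefix matching, and a
    requested URI carrying a fragment is always rejected."""
    if "#" in requested:
        return False
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, set())


# Constructed redirect_uri values an authorization server might receive.
CASES = {
    "registered_callback": "https://app.example/oauth/callback",
    "open_redirector": "https://app.example/go?url=https://attacker.example/collect",
    "lookalike_host": "https://app.example.attacker.example/oauth/callback",
    "scheme_downgrade": "http://app.example/oauth/callback",
}


def evaluate(client_id: str = "client-123") -> dict:
    """Return {case: (loose_result, strict_result)} for every sample redirect_uri."""
    return {name: (loose_match(client_id, uri), strict_match(client_id, uri))
            for name, uri in CASES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:20s} loose={loose!s:5s} strict={strict}")
```

Only the open_redirector case separates the two checks: the loose check accepts it because the host matches, and the strict check refuses it because the exact string was never registered.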

How to prevent it?
Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask them to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks. To avoid handing information to a malicious website, users should only log in to Facebook or other services through sites that they trust. If users find something different or sketchy, they should not do anything on the page.

The issue is not similar to Heartbleed, but it could affect a large number of users. The vulnerability is easy to exploit until it is patched. Fixing the issue will be costly, as third-party sites do not have much in the way of financial resources, but the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.


2 comments:

  1. This is a very, very old subject. Take a look at this post, which is 5+ years old. It is also part of the RFC for OAuth 2, rfc6819, page 22. In the video provided as a proof of vulnerability, they are exploiting an open redirect in the ESPN website, which is not the responsibility of the OAuth/OpenID provider. Facebook/Google/... can't do anything about that except remind app developers to watch out for open redirects. It is a shame that pentesters don't do their homework properly before using headlines that suggest this is a new discovery.

    Replies
    1. Yup, it is old, but its impact is still high.
