Serious Security Flaw Found in OAuth and OpenID

security issues, OAuth and OpenID vulnerability, Hearbleed vulnerability, Covert Redirect vulnerability, all about Covert Redirect , news on Covert Redirect , hackers hacked by Covert Redirect , hacking facebook by Covert Redirect , dat exposed, internet vulnerability, hacking facebook, google accounts. prevent Covert Redirect , What is OAuth and OpenID ?,list of websites that are affected by the Covert Redirect vulnerability.

After the major security flaw in the internet "HeartBleed", another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.

A Ph.D. student of Nanyang Technological University in Singapore, "Wang Jing" have discovered a critical vulnerability dubbed "Covert Redirect" the flaw could enable phishing sites to grab a user's login information.

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.

What is Covert Redirect?

Covert Redirect is a flaw that exists in Open Source Software, in the login tools OAuth and OpenID. A covert Redirect flaw can masquerade as a log-in popup based on an affected site's domain.

What are OAuth and OpenID?

OAuth is an open standard for authorization. It's designed as a way for users to sign in or sign up for other services using an existing identity of a site such as Google, Facebook, Microsoft, or Twitter. OpenID is a similar protocol also used for single sign-on (SSO).
These protocols are what companies use to make it easy to sign in for multiple services without having to create several new accounts.

Wang says that about all the major organization sites are being affected by this vulnerability, which includes- Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, etc... Wang has also reported the vulnerability to all the giants but has got an unexpected response from all of them.

Response of the Reports-

Facebook:- Company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."

Google:- Google says that they have tracked the issue.

LinkedIn:- The company will publish a blog on the matter soon.

Microsoft:- Microsoft, said that an investigation had been done and that the vulnerability existed in the domain of a third party and not on its own sites.

Wang mentioned that, 

"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,". "However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
Jeremiah Grossman, founder, and interim CEO at WhiteHat Security, a website security firm, have given a positive response to Wang's finding and appreciate his works.

How To Prevent it?

Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask them to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks. To avoid offering up information to a malicious website, users should only log into Facebook or other services through sites that they trust. If users find something different or sketchy, don't do anything on the page.

As the issue is not similar to Heartbleed, this could affect a large number of users. It is easy to practice the vulnerability unless it is patched. It will cost to fix the issue, as the third-party site didn't have many financial sources, but the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.

Read Also
  1. Unknown
    This is a very very old subject. Take a look at this post which is 5+ years old. It is also part of the RFC for OAuth 2 rfc6819 page 22. In the video provided as a proof of vulnerability, they are exploiting an open redirect in ESPN website which is not a responsibility of the OAuth/OpenID provider. Facebook/Google/... can't do anything about that except to remind app developers to watch out for open redirects. It is a shame that pentesters don't do their homework properly before using the headlines that suggests this is a new discovery.
    • Admin
      yup its is old, but its impact is still high.