
Website Technology Issues Forum

Security Flaw Found in OAuth and OpenID
travelin cat

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 4668046 posted 4:59 pm on May 2, 2014 (gmt 0)

Called the "Covert Redirect" flaw, the vulnerability allows hackers to trick users into authorizing an app or site using malicious phishing links. For example, if you visit a site and click a button to log in with Google or Facebook, you'll see the familiar authorization popup. If you authorize the login, your personal data can be sent to the hacker instead of to the site. This can include your email address, contact lists, birthday, and more. The vulnerability could also redirect you to a different look-alike website.
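The post above describes the effect but not the mechanism. Covert Redirect concerned OAuth providers that validated a client's redirect_uri loosely (any URL on the registered domain), so an open redirector on that domain could forward the authorization response elsewhere. The following is an added example, not code from this thread or from any provider: a loose host-based validator beside an exact-match one, plus a defender's heuristic for spotting a redirector-style callback. The registered URI and the suspect URL are constructed sample values.

```python
"""Added example (not from the WebmasterWorld thread or the articles it cites).

Shows why host-only matching of redirect_uri is insufficient and how an
exact-match policy (the simple string comparison RFC 6749 recommends)
closes the gap. All URIs below are constructed sample values.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed: the redirect URIs a hypothetical client app registered.
REGISTERED = {
    "https://app.example.com/oauth/callback",
}


def loose_redirect_ok(redirect_uri: str) -> bool:
    """Weak check: accept any https URL whose host matches a registered host."""
    hosts = {urlsplit(u).hostname for u in REGISTERED}
    u = urlsplit(redirect_uri)
    return u.scheme == "https" and u.hostname in hosts


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact string match against pre-registered URIs; no prefix or host logic."""
    return redirect_uri in REGISTERED


def looks_like_open_redirect(redirect_uri: str) -> bool:
    """Defender heuristic: a query parameter carrying an absolute URL that
    points at a different host is a strong sign the callback is a redirector.
    Useful when reviewing client registrations or authorization-server logs."""
    u = urlsplit(redirect_uri)
    for values in parse_qs(u.query).values():
        for v in values:
            target = urlsplit(v)
            if target.scheme in ("http", "https") and target.hostname \
                    and target.hostname != u.hostname:
                return True
    return False


# Constructed sample: a redirector on the registered domain, aimed off-site.
SUSPECT = "https://app.example.com/redirect?to=https://attacker.example/collect"

if __name__ == "__main__":
    print("loose  :", loose_redirect_ok(SUSPECT))          # True  (weakness)
    print("strict :", strict_redirect_ok(SUSPECT))         # False (mitigated)
    print("flagged:", looks_like_open_redirect(SUSPECT))   # True
```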



Robert Charlton

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month

Msg#: 4668046 posted 8:04 pm on May 2, 2014 (gmt 0)

From the above LifeHacker article...

Another day, another major internet security flaw (step aside, Heartbleed).

That's going way too far. It's understandable that we're all a bit wary after Heartbleed... but the press is always eager to make hay, and I'm tending to believe Mashable's more careful descriptions of the Covert Redirect flaw....

Another Security Flaw Gets the Heartbleed Treatment, But Don't Believe the Hype
Mashable - May 2, 2014
http://mashable.com/2014/05/02/oauth-openid-not-new-heartbleed/

My emphasis added...
...Already, we're seeing news organizations report this as the next major web security crisis.

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.

That isn't to say that a potential problem doesn't exist; it does, and we'll discuss how it works, but it is important to understand that this isn't a new discovery and that companies such as LinkedIn, Facebook and Google are already aware of the potential concerns....

It's good to be aware of the potential phishing problem the flaw might create, and to push Facebook and others to come up with a more secure implementation.

A lot of the article has to do with the type of overblown reporting we're likely to see on security matters going forward, which is unfortunate if that makes us blind to real emergencies. Again, this isn't on the Heartbleed level.

I hope we'll see more detail in the coming days.
