Welcome to WebmasterWorld Guest from 184.108.40.206
Forum Moderators: phranque
joined:Feb 28, 2004
Called the "Covert Redirect" flaw, the vulnerability allows hackers to trick users into authorizing an app or site using malicious phishing links. For example, if you visit a site and click a button to log in with Google or Facebook, you'll see the familiar authorization popup. If you authorize the login, your personal data can be sent to the hacker instead of to the site. This can include your email address, contact lists, birthday, and more. The vulnerability could also redirect you to a different look-alike website.
joined:Nov 11, 2000
Another day, another major internet security flaw (step aside, Heartbleed).
...Already, we're seeing news organizations report this as the next major web security crisis.
Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.
That isn't to say that a potential problem doesn't exist — it does and we'll discuss how it works — but it is important to understand that this isn't a new discovery and that companies such as LinkedIn, Facebook and Google are already aware of the potential concerns....