As reported by PYMNTs earlier, a new security flaw has been found that effects the many, many websites that make use of OAuth or OpenID log-in tools. Called the Covert Redirect flaw, this serious hole makes it theoretically for cyber-criminals to create malicious phishing links to capture social media user data while using the real site address for authentication.
Sites potentially effected by the security flaw are myriad and include such major players and Google, Facebook, LinkedIN, and Microsoft among others. However, one company that is not effected by the Covert Redirect flaw is PayPal.
"When we heard that security researchers recently discovered a vulnerability in open source login tools OAuth 2.0 and OpenID (which are widely used by many websites and web services, including some offered by PayPal) we moved quickly to determine the impact to our customers. We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure."
Users who taken in by a covert redirect will have clicked on a malware link be that triggers a pop-up that asks them to authorize an app through their social media platform, say, for example, Facebook. Once the app is authorized personal data- including email addresses, birth dates, contact lists, and possibly even control of the account- can be released to the attacker instead of to the intended website.
PayPal further noted that though the site does use OAuth2.0/OpenID, the company engineered additional security measures to protect merchants and customers to go along with it. These measures now protect PayPal customers for the security holes recently discovered.
“What’s Hot” is aggregated content. PYMNTS.com claims no responsibility for the accuracy of the content published by the original source.