Another week, another extremely serious and hitherto unknown security flaw has been discovered. This time the hole seems to have been found in the log-in tools OAuth and OpenID, which are used prominently on such extremely popular sites as Facebook, Google+, LinkedIn and Microsoft, among others.
Discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, the “Covert Redirect” flaw allows cyber-attackers to disguise themselves as a log-in popup based on an affected site’s domain.
Users taken in by the phony log-in can have their personal data released to the attacker instead of to their intended website. The information taken will be whatever the phisher is looking for, and can include valuable fields such as name, birthdate, social security number or address.
Wang has attempted to report the potential issue to Facebook, which reportedly (according to CNET) told him they “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.” Attempts to reach out to Microsoft ended with its assertion that the problem existed on third-party domains, not on its own sites. Google told Wang it was tracking the situation, and LinkedIn had already begun creating a whitelist before this newest bug announcement. PayPal has already taken steps to fix the problem.
“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” Wang told CNET. “However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” he added.
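The whitelist Wang refers to is, in OAuth 2.0 terms, an exact-match list of redirect URIs that each application registers and that the authorization server checks before sending the user (and the authorization response) anywhere. The following is an added Python example, not code from the article or from any of the providers named; it contrasts a loose host-only check with a strict exact-match whitelist, and the client id and URLs are constructed for illustration.

```python
"""Strict redirect_uri whitelisting for an OAuth 2.0 authorization server.

Added example (not from the article). The loose check accepts any URI on a
registered client's host; the strict check accepts only URIs the client
registered verbatim. Client ids and URLs below are constructed.
"""
from urllib.parse import urlsplit

# Constructed registry: each client registers the exact redirect URIs it uses.
REGISTERED_REDIRECT_URIS = {
    "example-client": {"https://app.example.com/oauth/callback"},
}


def loose_domain_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any https URI whose host matches a registered host.

    Any page on that host that forwards visitors elsewhere based on a query
    parameter still passes here, so the authorization response can end up
    leaving the client's site. This is the gap a strict whitelist closes.
    """
    hosts = {urlsplit(u).hostname
             for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    parsed = urlsplit(redirect_uri)
    return parsed.scheme == "https" and parsed.hostname in hosts


def strict_whitelist_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: redirect_uri must equal a registered URI exactly.

    No host-only, prefix or pattern matching: scheme, host, port, path and
    query must all be identical to a pre-registered value.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize(params: dict) -> dict:
    """Handle an authorization request, refusing to redirect on a bad URI.

    RFC 6749 section 3.1.2.4: when redirect_uri is invalid or mismatched,
    the server must not redirect; it answers the user directly instead.
    """
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not strict_whitelist_check(client_id, redirect_uri):
        return {"status": 400, "error": "invalid_request", "redirected": False}
    # Constructed stand-in for issuing a code to the whitelisted URI
    # (registered URIs here carry no query string, so '?' is safe to append).
    return {"status": 302, "redirected": True,
            "location": f"{redirect_uri}?code=<issued-code>"}
```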