Site   Web

May 5, 2014

OAuth, OpenID Security Bug Discovered

Image courtesy of (renjith krishnan) /

A new vulnerability found in popular open-source security software is making the online rounds.

Dubbed Covert Redirect, the bug targets the log-in tools OAuth and OpenID — tools that are used by a number of popular websites including Google, Facebook, Yahoo, Microsoft, LinkedIn and PayPal.

The bug can leave websites visitors vulnerable to phishing attacks that try to trick users into revealing their private data. For instance, if you were using Facebook and clicked on a malicious link, a popup window would appear requesting you authorize the app. Rather than using a fake domain name, Covert Redirect uses the real site address for authentication, making the request look legit.

If you were to be fooled by the request and log in, personal data —such as e-mail addresses, birth dates, address books or friends lists — would be released to the attacker and possibly even grant him or her control of the account.

Even if you choose not to authorize the app, you would still be redirected to a website chosen by the hacker, which could also endanger your data.

The Covert Redirect flaw was discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore.

According to Wang, the vulnerability is a serious one because it affects most of the major Internet companies that provide authentication/authorization services and is difficult to patch.

“Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved,” Wang wrote in a blog post.

“The vulnerability is usually due to the existing weakness in the third-party websites. However, they may be unaware of the vulnerability. Or they do not bother to fix it. One concern is the cost. And the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.”

“In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them,” he added. “As the Internet becomes ever more connected, it is no longer sufficient to ensure security by safeguarding one’s own site without paying attention to that of its neighbors.”

Wang told CNet he has contacted Facebook, Google, Microsoft and LinkedIn about the bug.

Facebook told Wang that “short of forcing every single application on the platform to use a whitelist,” fixing the security issue was “something that can’t be accomplished in the short-term.”

LinkedIn, however, has had a whitelist in the works since at least early last month. Engineer Shikha Sehgal, in a blog post, asked all of those who use OAuth 2 to register an application’s redirect URLs with the site by April 11.

“We are asking you to register your application’s redirect URLs with us to enhance security on the LinkedIn platform and for better compliance with OAuth 2 specifications,” he wrote. “By confirming that the redirect_uri in your OAuth 2 authorization request matches a URL you’ve provided to us in advance, we are better able to protect you from people who may try to abuse your API key.”

Microsoft told Wang an investigation by the company found the vulnerability existed on a third-party domain, not on its own sites. Google, meanwhile, told Wang the issue was being tracked.

PayPal has also responded to the new threat.

Chief technology officer James Barrese, in a blog post, said the new vulnerability has no impact on PayPal, meaning all accounts remain secure.

“We take the responsibility of keeping your financial details protected very seriously at PayPal,” Barrese said. “When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers.  These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability.

“We want to reassure you that if your PayPal account is accessed without your permission, PayPal will help you resolve the problem and will cover 100 percent of any eligible transactions to keep your money secure.”


Jennifer Cowan is the Managing Editor for SiteProNews.