Comeau Software Solutions

Making sense of technology since 2000.

Covert Redirect bug (OAuth / OpenID) – What you need to know …

Posted on May 2, 2014 (updated November 8, 2022) by Andrew Comeau

“… it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.” 
– Jeremiah Grossman, founder and interim CEO at WhiteHat Security

[Image: list of sites affected. Credit: CNET / Wang Jing]

If you visit a lot of different websites, you’ve probably seen some that allow you to login using your Facebook or Google accounts. This is meant to make it easier for everyone; you don’t have to create a new account and remember a separate password and the site owners don’t have to maintain their own membership system.

Unfortunately, there’s a security flaw in the software that enables websites to accept your login information from other sites. Just like with the Heartbleed bug, this is in open-source software used by a number of popular websites. This time, it’s the OAuth and OpenID software. The bug enables “phishing” sites (websites specifically designed to collect people’s personal information, usually by mimicking reputable sites) to grab the Facebook / Google / etc. login information that you enter and then redirect you to a malicious website. This could enable the hackers to get a fair amount of your information or even take over your accounts on the legitimate sites.
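The defensive check behind this story is worth seeing in code. The Covert Redirect reports describe OAuth providers that accepted any redirect URL on a client’s registered domain, so a forwarding page on that domain could pass the login token along. The example below is added here and is not code from the original post or from any OAuth provider; the client id, URLs and the registry dictionary are constructed placeholders. It contrasts the lax host-level check with the exact-match comparison that RFC 6749 (section 3.1.2.3) requires when a full redirect URI has been registered, and it refuses to redirect at all when the check fails, as section 4.1.2.1 of the same RFC directs.

```python
"""
Added example (not from the original post): validating an OAuth 2.0
redirect_uri at the authorization server. Everything below is constructed
for illustration; no real client or provider is represented.
"""
from urllib.parse import urlsplit

# Constructed registry: client_id -> the exact redirect URIs registered for it.
REGISTERED_REDIRECTS = {
    "client-example-1": {
        "https://app.example.com/oauth/callback",
    },
}


def lax_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """The weak check: accept any HTTPS URL on a registered host.

    Any page on that host that forwards visitors elsewhere can then carry
    the authorization response (code or token) off to a third party.
    """
    hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in hosts


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """The hardened check: simple string comparison against the registered
    URIs, as RFC 6749 section 3.1.2.3 requires. No host-only matching, no
    path-prefix matching, and fragments are never allowed in redirect URIs.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def handle_authorization_request(client_id: str, redirect_uri: str) -> dict:
    """Decide what the authorization endpoint does with the request.

    On a mismatching redirect_uri the server must NOT redirect the browser
    anywhere (RFC 6749 section 4.1.2.1); it shows the user an error page
    instead. Returning a dict keeps the decision easy to log and to test.
    """
    if strict_redirect_ok(client_id, redirect_uri):
        # Safe to continue the flow and later redirect to this exact URI.
        return {"action": "continue", "redirect_to": redirect_uri}
    # Do not use the supplied URI at all; render an error to the user.
    return {"action": "show_error", "error": "invalid_request",
            "detail": "redirect_uri does not match the registered value"}


if __name__ == "__main__":
    # Constructed sample requests: the registered callback, and a forwarding
    # page on the same host (the pattern the lax check lets through).
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/go?next=https://elsewhere.example/"):
        print(uri, "lax:", lax_redirect_ok("client-example-1", uri),
              "strict:", strict_redirect_ok("client-example-1", uri))
```

The important property is the last function: a failed match ends the flow with an error page rather than a redirect, so a mismatching URI never receives anything, and the decision can be logged for monitoring.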

This bug was discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, who then contacted Facebook and other sites. He was given a variety of answers, but it basically comes down to this: the bug is so difficult and costly to fix that the websites aren’t going to be doing anything immediately, so it’s up to the users to be more cautious.

So, the newest advice is this: DO NOT USE YOUR FACEBOOK / GOOGLE / YAHOO, ETC. LOGIN INFORMATION TO ACCESS ANY OTHER WEBSITES. IF YOU HAVE, CHANGE YOUR PASSWORDS. As convenient as it is to use one login for many sites, I’ve never really trusted it and, sure enough, it’s not without a price.

If you need to log in to a website, create a separate account for that site. Also, close any suspicious tabs that pop up asking for your login credentials. Hitting “cancel” is not enough because these pages might still redirect you to the phishing site.

Also, as I’ve said in a previous article on security, every link on the Internet carries risk. An extra two or three seconds of thought before you click on a link can save you a lot of trouble.

For more information …

Major Security Hole Found in Popular Login Protocols – Yahoo

Security Flaw Found in OAuth and OpenID – LifeHacker

Serious Security Flaw in OAuth and OpenID Discovered – CNET

ComeauSoftware.com provides learning resources, including tutorials and videos, to guide you in understanding today's technology. Please check out our YouTube channel and bookmark this site to stay informed of upcoming projects.

Comeau Software Solutions also provides software consultation, including the development of database solutions, in Ocala, Florida. This includes rescuing Microsoft Access database projects and assistance in moving to other solutions. Please contact us for more information on how we can help you with your project needs.

©2023 Comeau Software Solutions | Theme by SuperbThemes