Covert Redirect bug (OAuth / OpenID) – What you need to know …

“… it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.” 
– Jeremiah Grossman, founder and interim CEO at WhiteHat Security

[Image: list of sites affected. Credit: CNET / Wang Jing]

If you visit a lot of different websites, you’ve probably seen some that allow you to log in using your Facebook or Google accounts. This is meant to make it easier for everyone: you don’t have to create a new account and remember a separate password, and the site owners don’t have to maintain their own membership system.

Unfortunately, there’s a security flaw in the software that enables websites to accept your login information from other sites. Just like with the Heartbleed bug, this is in open-source software used by a number of popular websites. This time, it’s the OAuth and OpenID software, and the bug enables “phishing” sites (websites specifically designed to get people’s personal information, usually by mimicking reputable sites) to grab the Facebook / Google / etc. login information that you enter and then redirect you to a malicious website. This could enable the hackers to get a fair amount of your information or even take over your accounts on the legitimate sites.
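To make the redirect part of this concrete, here is an added example that is not from the original article or from Wang Jing’s report, contrasting the kind of loose redirect check that lets a login response be forwarded off to a third-party page with a strict check that only accepts the exact callback address a site registered in advance. The client id, the partner site and all URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample data: the callback address a (hypothetical) partner site
# registered with the identity provider when it signed up for "Log in with X".
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://partner.example/oauth/callback"],
}


def lax_redirect_check(client_id: str, candidate: str) -> bool:
    """Weak pattern: accept any URL whose host matches a registered callback.

    Any page on that host which forwards visitors elsewhere (an "open
    redirector") then becomes a way to send the login response, and the
    user, on to a page the partner site never registered.
    """
    allowed_hosts = {
        urlsplit(uri).hostname
        for uri in REGISTERED_REDIRECT_URIS.get(client_id, [])
    }
    return urlsplit(candidate).hostname in allowed_hosts


def strict_redirect_check(client_id: str, candidate: str) -> bool:
    """Hardened form: the redirect target must be https and must match one of
    the pre-registered callbacks character for character (scheme, host, port,
    path and query, with no fragment), so no other page on the host qualifies.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return False
    return candidate in REGISTERED_REDIRECT_URIS.get(client_id, [])


def compare_checks(client_id: str, candidate: str) -> dict:
    """Run both checks on one candidate so the difference is visible side by side."""
    return {
        "candidate": candidate,
        "lax": lax_redirect_check(client_id, candidate),
        "strict": strict_redirect_check(client_id, candidate),
    }


if __name__ == "__main__":
    # Constructed: a forwarding page on the partner host, pointed at a third party.
    for uri in ("https://partner.example/oauth/callback",
                "https://partner.example/go?to=https://third-party.example/"):
        print(compare_checks("client-123", uri))
```

The second constructed URL passes the lax check and fails the strict one, which is exactly the gap a provider closes by refusing anything but the registered callback.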

This bug was discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, who then contacted Facebook and other sites. He was given a variety of answers, but it basically comes down to the fact that this bug is so difficult and costly to fix that the websites aren’t going to be doing anything immediately, so it’s up to the users to be more cautious.

So, the newest advice is this: DO NOT USE YOUR FACEBOOK / GOOGLE / YAHOO, ETC. LOGIN INFORMATION TO ACCESS ANY OTHER WEBSITES. IF YOU HAVE, CHANGE YOUR PASSWORDS. As convenient as it is to use one login for many sites, I’ve never really trusted it and, sure enough, it’s not without a price.

If you need to log in to a website, create a separate account for that site. Also, close any suspicious tabs that pop up asking for your login credentials. Hitting “cancel” is not enough because these pages might still redirect you to the phishing site.

Also, as I’ve said in a previous article on security, every link on the Internet carries risk. An extra two or three seconds of thought before you click on a link can save you a lot of trouble.

For more information …

Major Security Hole Found in Popular Login Protocols – Yahoo

Security Flaw Found in OAuth and OpenID – LifeHacker

Serious Security Flaw in OAuth and OpenID Discovered – CNET

