Covert Redirect bug (OAuth / OpenID) – What you need to know …
“… it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”
– Jeremiah Grossman, founder and interim CEO at WhiteHat Security
If you visit a lot of different websites, you’ve probably seen some that allow you to login using your Facebook or Google accounts. This is meant to make it easier for everyone; you don’t have to create a new account and remember a separate password and the site owners don’t have to maintain their own membership system.
Unfortunately, there’s a security flaw in the software that enables websites to accept your login information from other sites. Just like with the Heartbleed bug, this is in open-source software used by a number of popular websites. This time, it’s the OAuth and OpenID software, and the bug enables “phishing” sites (websites specifically designed to harvest people’s personal information, usually by mimicking reputable sites) to grab the Facebook / Google / etc. login information that you enter and then redirect you to a malicious website. This could enable the hackers to get a fair amount of your information or even take over your accounts on the legitimate sites.
This bug was discovered by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, who then contacted Facebook and other sites. He was given a variety of answers, but it basically comes down to the fact that this bug is so difficult and costly to fix that the websites aren’t going to do anything immediately, so it’s up to users to be more cautious.
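The weakness behind Covert Redirect is that the login provider accepts a loosely checked “send the user back here” address, so a redirect on the legitimate site can bounce the login response on to somewhere else. The snippet below is an added illustration (not code from this article or from any real provider) that contrasts that loose check with the exact-match check the OAuth 2.0 specification calls for; every host, client id and URI in it is a constructed placeholder.

```python
"""Loose vs. strict redirect_uri validation at an OAuth / OpenID provider.
Added illustration with constructed placeholder values; not production code."""
from urllib.parse import urlsplit

# Constructed allowlist: the callback a client registered in advance.
REGISTERED_REDIRECTS = {
    "client-1": ["https://app.example/oauth/callback"],
}


def loose_domain_match(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any URI on a registered host.
    If that host has an open redirector anywhere, the login response can be
    forwarded off-site. This is the pattern Covert Redirect criticised."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host
               for r in REGISTERED_REDIRECTS.get(client_id, []))


def strict_exact_match(client_id: str, redirect_uri: str) -> bool:
    """RFC 6749 section 3.1.2.2 style check: the requested URI must exactly
    equal a pre-registered value and be an absolute https URI, no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, [])


def demo() -> dict:
    """Run both validators over constructed requests; returns name -> (loose, strict)."""
    requests = {
        "legit":    "https://app.example/oauth/callback",
        # Constructed open redirector on the client's own host.
        "bounce":   "https://app.example/go?next=https://evil.example/",
        "fragment": "https://app.example/oauth/callback#x",
        "http":     "http://app.example/oauth/callback",
    }
    return {name: (loose_domain_match("client-1", uri),
                   strict_exact_match("client-1", uri))
            for name, uri in requests.items()}


if __name__ == "__main__":
    for name, (loose, strict) in demo().items():
        print(f"{name:9} loose={loose!s:5} strict={strict}")
```

Only the registered callback passes the strict check; the loose check waves through all four, including the bounce through the client site’s own redirector.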
So, the newest advice is this: DO NOT USE YOUR FACEBOOK / GOOGLE / YAHOO, ETC. LOGIN INFORMATION TO ACCESS ANY OTHER WEBSITES. IF YOU HAVE, CHANGE YOUR PASSWORDS. As convenient as it is to use one login for many sites, I’ve never really trusted it and, sure enough, it’s not without a price.
If you need to log in to a website, create a separate account for that site. Also, close any suspicious tabs that pop up asking for your login credentials. Hitting “cancel” is not enough, because these pages might still redirect you to the phishing site.
Also, as I’ve said in a previous article on security, every link on the Internet carries risk. An extra two or three seconds of thought before you click on a link can save you a lot of trouble.
For more information …
Major Security Hole Found in Popular Login Protocols – Yahoo
Security Flaw Found in OAuth and OpenID – LifeHacker
Serious Security Flaw in OAuth and OpenID Discovered – CNET