Major security hole found in popular login protocols – and it won’t be fixed anytime soon

OAuth and OpenID Security Flaw

Following the major Heartbleed security issue that affected millions of websites, a different vulnerability has been discovered that could have allowed hackers to steal certain personal data from users. CNET reports that a security flaw in the OAuth and OpenID online login protocols could be used to steal data and redirect users to malicious websites.

Dubbed “Covert Redirect,” the exploit masquerades as a login pop-up based on an affected site’s domain, which would easily fool unsuspecting Internet users. “For example, someone clicking on a malicious phishing link will get a pop-up window in Facebook, asking them to authorize the app,” the publication writes. “Instead of using a fake domain name that’s similar to trick users, the Covert Redirect flaw uses the real site address for authentication.”

Authorizing the app will lead to user data being released to the attacker instead of reaching a legitimate site like Facebook or Google. Thus, personal data including email addresses, birth dates, contact lists and even control of the account could be given to hackers.

One way to deal with potential attacks based on these exploits is to close any suspicious-looking tabs that pop up demanding login credentials for Facebook, Google, or other Internet services that use these open-source protocols.

The Covert Redirect exploit has been discovered by Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore who already contacted Facebook about it. However, Facebook told him that while it “understood the risks associated with OAuth 2.0,” but fixing the bug is “something that can’t be accomplished in the short-term.” “Short of forcing every single application on the platform to use a whitelist,” a simple fix isn’t available.

Similarly, Wang contacted other sites that use these login protocols, including Google, Microsoft and LinkedIn, each one giving him different answers.

Google said the matter was being tracked, while LinkedIn said it would publicly address it in a blog post. Microsoft said it completed an investigation into the matter, and the security flaw has been discovered on a third-party site, not on one of its own.

WhiteHat Security founder and interim CEO Jeremiah Grossman agreed with Wang’s findings, but also with what Internet companies told him.

“While I can’t be 100 percent certain, I could have sworn I’ve seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX,” Grossman said. “This is to say, it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

Chris Wysopal, CTO at Veracode, a programming code verification company also confirmed Wang’s findings. “Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services,” the exec said.

Source:
CNET
blog comments powered by Disqus