Researchers debunk severity of OAuth "Covert Redirect" bug
Posted on 05 May 2014.
Late last week, a Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a "serious" OAuth 2.0 and OpenID security flaw that could be attackers to obtain sensitive information from both providers and clients.


"For OAuth 2.0, these attacks might jeopardize 'the token' of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If 'the token' has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf," he explained.

"For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved."

He contacted a number of big Internet companies and services to notify them of the danger, and the responses he received are varied: LinkedIn and Weibo said that they will be working on fixing the problem, Google is "aware of the problem and are tracking it at the moment", Facebook acknowledged the problem but said that there is not much they can do "short of forcing every single application on the platform to use a whitelist."

In fact, the vulnerability is not actually in the authentication standards, but in the implementation of OAuth by service providers, as confirmed by Symantec researchers, who said that this flaw is nothing like the OpenSSL Heartbleed bug.

"Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers," they noted. "Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users."

"Covert Redirect serves as a reminder to be careful about what applications you grant access to," they pointed out, then added: "Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw."

More technical details about the flaw and its potential for exploitation can be found here and here.










Spotlight

The role of the cloud in the modern security architecture

Posted on 31 July 2014.  |  Stephen Pao, General Manager, Security Business at Barracuda Networks, offers advice to CISOs concerned about moving the secure storage of their documents into the cloud and discusses how the cloud shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //