Researchers debunk severity of OAuth "Covert Redirect" bug
Posted on 05 May 2014.
Late last week, a Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a "serious" OAuth 2.0 and OpenID security flaw that could be attackers to obtain sensitive information from both providers and clients.


"For OAuth 2.0, these attacks might jeopardize 'the token' of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If 'the token' has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the userís behalf," he explained.

"For OpenID, the attackers may get userís information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved."

He contacted a number of big Internet companies and services to notify them of the danger, and the responses he received are varied: LinkedIn and Weibo said that they will be working on fixing the problem, Google is "aware of the problem and are tracking it at the moment", Facebook acknowledged the problem but said that there is not much they can do "short of forcing every single application on the platform to use a whitelist."

In fact, the vulnerability is not actually in the authentication standards, but in the implementation of OAuth by service providers, as confirmed by Symantec researchers, who said that this flaw is nothing like the OpenSSL Heartbleed bug.

"Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers," they noted. "Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users."

"Covert Redirect serves as a reminder to be careful about what applications you grant access to," they pointed out, then added: "Do not expect a patchóit is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw."

More technical details about the flaw and its potential for exploitation can be found here and here.










Spotlight

Leveraging network intelligence and deep packet inspection

Posted on 26 November 2014.  |  Tomer Saban, CEO of WireX Systems, talks about how deep packet inspection helps with identifying emerging threats, the role of network intelligence, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //