Researchers debunk severity of OAuth "Covert Redirect" bug
Posted on 05 May 2014.
Late last week, a Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a "serious" OAuth 2.0 and OpenID security flaw that could allow attackers to obtain sensitive information from both providers and clients.


"For OAuth 2.0, these attacks might jeopardize 'the token' of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If 'the token' has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf," he explained.

"For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved."

He contacted a number of big Internet companies and services to notify them of the danger, and the responses he received were varied: LinkedIn and Weibo said that they will be working on fixing the problem; Google is "aware of the problem and are tracking it at the moment"; Facebook acknowledged the problem but said that there is not much they can do "short of forcing every single application on the platform to use a whitelist."

In fact, the vulnerability is not in the authentication standards themselves, but in how individual service providers implement OAuth, as Symantec researchers confirmed, adding that this flaw is nothing like the OpenSSL Heartbleed bug.

"Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers," they noted. "Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users."

"Covert Redirect serves as a reminder to be careful about what applications you grant access to," they pointed out, then added: "Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw."
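As an added illustration (not code from the article or from any of the providers it names), the following shows the kind of redirect_uri check that the "whitelist" remark above refers to: a loose host-only match beside an exact-match whitelist. The client id, registered URIs and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registry (not from the article): client_id -> registered redirect URIs.
REGISTERED_REDIRECTS = {
    "demo-client": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-mobile",
    },
}


def loose_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The weak pattern: accept any path on a host that appears in the registration.
    Every endpoint on that host, registered or not, then counts as a valid target."""
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return urlsplit(redirect_uri).hostname in allowed_hosts


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The mitigation: exact string match against the per-client whitelist.
    Also rejects non-https schemes and URIs carrying a fragment (RFC 6749, section 3.1.2)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def evaluate(redirect_uri: str, client_id: str = "demo-client") -> dict:
    """Run both checks on one redirect_uri so the difference is visible side by side."""
    return {
        "loose": loose_redirect_check(client_id, redirect_uri),
        "strict": strict_redirect_check(client_id, redirect_uri),
    }


if __name__ == "__main__":
    # Constructed sample redirect_uri values an authorization server might receive.
    samples = [
        "https://app.example.com/oauth/callback",                # registered exactly
        "https://app.example.com/go?to=https://other.example/",  # same host, unregistered path
        "http://app.example.com/oauth/callback",                 # registered path, wrong scheme
        "https://app.example.com/oauth/callback#frag",           # fragment is not permitted
    ]
    for uri in samples:
        print(f"{uri:58} {evaluate(uri)}")
```

Only the first sample passes the strict check; the loose check accepts all four, which is exactly why a provider that matches on host alone cannot tell a registered callback from any other redirecting endpoint on the same site.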

More technical details about the flaw and its potential for exploitation can be found here and here.
Copyright 1998-2014 by Help Net Security.