Security Advisor
Oauth and OpenID Flaw Affecting Google, Hotmail, Facebook
Another major Web software flaw has been disclosed, one that could redirect your personal information into the wrong hands.
Following on the heels of last month's Heartbleed bug disclosure, anther flaw in a pair of open source online security software tool has been found. This time the issue is in Oauth and OpenID -- software designed to protect online user credentials.
Used in many popular Web sites, including Google, LinkedIn, Hotmail and Facebook, both Oauth 2.0 and OpenID could be used to leverage phishing attacks against users who click on malicious links. Found by Chinese mathematics PhD student Wang Jing, the security researcher used "Covert Redirect" vulnerability -- a technique that spoofs an authorization screen popup from a company like Facebook to redirect to a malicious site -- to find the hole.
"If [the authorization popup] has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user's behalf," wrote Jing in a blog post.
What makes this vulnerability even more dangerous is that a covert redirect flaw uses the legitimate Web URL of the site it's spoofing before redirecting users. And, according to Jing, a simple patch would be hard to pull off to address this vulnerability. Just like Heartbleed, due to the widespread use of Oauth and OpenID online, patching would fall to each and every site owner and ISP to push through -- something that will either take time or be forgotten by a certain percentage of Web sites.
One good piece of news is it seems that there hasn't been any attacks seen using this flaw yet.
As users wait for a possible patch to be rolled out, it's advised that the only action users can take is to practice safe browsing habits and keep an eye out on suspicious links that may redirect you to log into popular sites like Facebook and Google's Gmail.
While the legitimacy of the flaw is not being argued, some security experts said Jing's finding may be a well-known issue that has been present in the open source software for some time.
"While I can't be 100 percent certain, I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth," said Jeremiah Grossman, founder and CEO at WhiteHat Security, to CNET. "It would appear this issue is essentially a known WONTFIX."
Whether it is or is not a new security vulnerability find, Grossman does agree that providing a fix for something that affects such a huge part of the Web will be a difficult task to pull off.