Barely weeks after the Heartbleed security bug was discovered, another major flaw, known as Covert Redirect, has surfaced. The new security flaw affects the popular log-in tools OAuth and OpenID, which are widely used by tech companies including Google, Facebook, Microsoft and LinkedIn, among others. Payment gateway PayPal and even Alibaba's Taobao are not spared.
As reported by CNET, Wang Jing, a PhD student at the Nanyang Technological University (NTU) in Singapore, found that the flaw relies on an exploitable redirect parameter that lets an attacker disguise a request as a legitimate log-in popup on an affected site's domain. To make matters worse, attackers can use the attack against both log-in systems to perform data theft and redirect users to unsafe sites. Anyone clicking on a malicious link will see a Facebook popup window requesting authorization for an app. Instead of using a fake domain name, the exploit uses the original site's address for authentication.
From there on, regardless of the authorization status, the victim is redirected to another malicious site for further compromise. According to Wang Jing, "Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
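As an added illustration of the whitelist point Wang Jing makes above (example code, not from the article or from any of the providers named), this Python snippet contrasts a lenient host-only redirect_uri check with an exact-match allowlist; the client id and URIs are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URIs a hypothetical client registered with
# the authorization server. Real servers load these from the client record.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_match(client_id: str, redirect_uri: str) -> bool:
    """Lenient check: accepts any URI whose host matches a registered one.

    This is the kind of validation the article warns about. Any page on the
    registered host that forwards visitors elsewhere (an open redirect)
    would carry the authorization response off-site.
    """
    host = urlsplit(redirect_uri).hostname
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(urlsplit(uri).hostname == host for uri in allowed)


def strict_match(client_id: str, redirect_uri: str) -> bool:
    """Allowlist check: the whole URI must equal a registered value.

    Scheme, host, path and query are all compared literally, and a
    fragment is rejected outright, so no unregistered destination passes.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def compare_checks(client_id: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {uri: (loose_result, strict_result)} for each candidate URI."""
    return {uri: (loose_match(client_id, uri), strict_match(client_id, uri))
            for uri in candidates}


if __name__ == "__main__":
    # Constructed sample redirect_uri values an authorization server might see.
    samples = [
        "https://app.example.com/oauth/callback",           # registered
        "https://app.example.com/go?next=https://evil.example/",  # same host, forwarding page
        "https://evil.example/callback",                     # unrelated host
    ]
    for uri, (loose, strict) in compare_checks("client-123", samples).items():
        print(f"{uri}\n  loose={loose} strict={strict}")
```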
Such an attack cannot be identified using standard phishing-detection techniques, which makes it harder for a user to tell whether an authorization request is legitimate. The trust users place in sites like Facebook and Google when they request information only adds to the likelihood of a successful exploit. For now, users are reminded to be mindful when clicking links that immediately request Facebook or Google credentials.