Security Flaw Found In Widely Used Login Protocols
By Saul Qersdyn
Published: May 2, 2014 @ 5:00 PM EST
OAuth and OpenID – two widely used login protocols for websites such as Facebook, Google, Twitter, LinkedIn, Microsoft, PayPal, Yahoo, and many others – have a security flaw, according to Wang Jing, a Ph.D. student at Nanyang Technological University, which could be used to steal data and redirect users to malicious websites.
OAuth and OpenID let users log into sites or apps using their Google, Twitter, Facebook, or other credentials, without having to create a separate account or give the app more permission than necessary. Because they make logging into sites easy, OAuth and OpenID are used widely on the Internet by the aforementioned sites.
Named the “Covert Redirect” flaw, the security flaw could allow a hacker (or attacker) to mimic login protocols and, through a pop-up message or other false screen, trick a user into providing sensitive personal information or secretly direct them to a look-alike, yet unauthorized, website.
What makes the “Covert Redirect” flaw hard to detect is that it does not rely on an outside fake domain that more experienced Internet users might spot; instead it uses the real address of the site being logged into.
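The standard defence on the authorization-server side is to accept a redirect_uri only when it exactly matches one the client pre-registered, rather than merely sharing the client's host. The following Python is an added illustration, not code from the article or from any of the named providers; the client id, the registered callback, and the forwarding path on the client host are all constructed values. It places the weak host-only check beside the exact-match check so the difference is visible on the same two requests.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry: the redirect URIs each client pre-registered with the
# authorization server. Client id and URI are hypothetical values.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_host_match(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any redirect_uri whose scheme and host match a
    registered URI. Any other endpoint on the same real host passes."""
    candidate = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        if (candidate.scheme, candidate.netloc) == (reg.scheme, reg.netloc):
            return True
    return False


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: redirect_uri must be byte-for-byte equal to a registered
    URI, so a different path or query string on the real host is rejected."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def validate_authorization_request(query: str, strict: bool = True) -> tuple[bool, str]:
    """Parse the query string of an authorization request and decide whether
    the server should proceed. Returns (ok, reason)."""
    params = parse_qs(query, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if client_id not in REGISTERED_REDIRECT_URIS:
        return False, "unknown client_id"
    if not redirect_uri:
        return False, "redirect_uri missing"
    check = exact_match if strict else loose_host_match
    if not check(client_id, redirect_uri):
        return False, "redirect_uri not registered for client"
    return True, "ok"


# Constructed requests. The second points at the real client host but at a
# hypothetical forwarding endpoint (/go?next=...) instead of the registered
# callback; only the exact-match check tells the two apart.
GOOD_REQUEST = (
    "response_type=token&client_id=client-123&state=abc"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback"
)
FORWARDING_REQUEST = (
    "response_type=token&client_id=client-123&state=abc"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fgo%3Fnext%3Dhttps%3A%2F%2Fother.example%2F"
)

if __name__ == "__main__":
    for name, q in (("good", GOOD_REQUEST), ("forwarding", FORWARDING_REQUEST)):
        print(name,
              "loose:", validate_authorization_request(q, strict=False),
              "strict:", validate_authorization_request(q, strict=True))
```

Run stand-alone, the loose check accepts both requests while the strict check rejects the forwarding one; that rejection is the whole mitigation, and it is also why the fix is unpopular with providers, since every client must register each callback URI exactly.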
As of this date, the affected websites have given only vague responses, with no detailed information on how they plan to correct the issue.
Jeremiah Grossman, founder and interim CEO at WhiteHat Security, a website security firm, stated, “It would appear this issue is essentially a known WONTFIX. This is to say it’s not easy to fix and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”
It is advised that Internet users be mindful and careful when logging into sites through Twitter, Google, or Facebook. Be wary of links that immediately ask you to log in, and close the window (or tab) to prevent the redirection attack. As always, users should be careful about the sites and links they visit.