When the online world was just recovering from the shock of ‘Heartbleed’, another serious security flaw was found in widely used open-source security software. Severe security flaws have been found in two popular log-in services, OpenID and OAuth, which are used by many websites such as LinkedIn, Microsoft, Facebook, Yahoo, PayPal, GitHub, Weibo and Google. This flaw, called Covert Redirect, can be used to steal your personal information and redirect you to malicious sites.
OpenID and OAuth security flaw
OAuth is an open-source standard for authorization. It gives third-party client applications secure, delegated access to a user’s resources on behalf of the resource owner. The process specified by OAuth lets resource owners authorize third-party access to their server resources without sharing their credentials.
OpenID, on the other hand, lets users be authenticated by co-operating sites known as Relying Parties (RPs), using a third-party identity service. This way webmasters don’t need to build their own ad-hoc log-in systems, and users can consolidate their online identities. OpenID authentication is provided and used by many large websites such as Google, Yahoo!, MySpace, LinkedIn and many more.
How this OpenID and OAuth security flaw affects users
The security flaw was first discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore. He named the vulnerability “Covert Redirect” because it can disguise itself as a log-in pop-up by making use of the affected site’s domain. When someone clicks on a phishing or malicious weblink, a pop-up window appears in the application the user is using.
Users can’t tell the difference, because the Covert Redirect flaw uses the real site’s address for authentication. Since the link appears to belong to a genuine website, users are inclined to enter personal data such as user ID, password, email ID, contact lists and birth dates.
Instead of reaching the legitimate website, this vital information is directed to the hacker. Even when the user merely wants to authorize the application he is using, he is still redirected to malicious websites chosen by the hacker, which further damages the user’s online security, CNET reports.
Wang said in his statement:
“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”
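The whitelist Wang refers to is a list of redirect URIs that each third-party application registers in advance, against which the authorization server compares the redirect_uri in every request. The example below is added here to illustrate that point; it is not code from Wang’s research or from any of the sites named in the article. It contrasts a loose host-based check with an exact-match allowlist, and shows what the authorization server should do on a mismatch. The client ID, registered URI and sample requests are constructed values.

```python
from urllib.parse import urlsplit

# Constructed sample registration: a hypothetical client and the single
# redirect URI it registered with the authorization server.
REGISTERED_REDIRECT_URIS = {
    "client-app-123": frozenset({"https://client.example/oauth/callback"}),
}


def weak_domain_check(client_id: str, redirect_uri: str) -> bool:
    """Loose matching: accept any HTTPS URL on a registered host.

    Any page on the registered host that forwards visitors elsewhere turns
    this check into the Covert Redirect problem the article describes.
    """
    registered_hosts = {
        urlsplit(u).hostname
        for u in REGISTERED_REDIRECT_URIS.get(client_id, frozenset())
    }
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in registered_hosts


def strict_allowlist_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-string allowlist match, with no normalization or prefix logic.

    The URI is valid only if the client pre-registered precisely that string;
    a different path, query, scheme or host all fail.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, frozenset())


def authorize(client_id: str, redirect_uri: str, check=strict_allowlist_check):
    """Decide how the authorization endpoint responds to a request.

    Returns ("redirect", uri) when the URI is allowlisted, otherwise
    ("error_page", reason). On a mismatch the server shows the error itself
    rather than redirecting, so the browser never leaves the authorization
    server carrying anything to an untrusted destination.
    """
    if client_id not in REGISTERED_REDIRECT_URIS:
        return ("error_page", "unknown client_id")
    if not check(client_id, redirect_uri):
        return ("error_page", "redirect_uri is not registered for this client")
    return ("redirect", redirect_uri)


if __name__ == "__main__":
    # Constructed sample requests for the hypothetical client.
    samples = [
        "https://client.example/oauth/callback",               # registered URI
        "https://client.example/other/page",                   # same host, other page
        "http://client.example/oauth/callback",                # wrong scheme
        "https://client.example.other.invalid/oauth/callback", # different host
    ]
    for uri in samples:
        print(uri)
        print("  weak check:  ", weak_domain_check("client-app-123", uri))
        print("  strict check:", strict_allowlist_check("client-app-123", uri))
        print("  decision:    ", authorize("client-app-123", uri))
```

The second sample is the case that matters: it sits on the registered host, so the host-based check accepts it, while the exact-match allowlist rejects it and the server answers with an error page instead of following the URI.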
Though the flaw isn’t as serious as Heartbleed, patching it can be a daunting task. Nevertheless, most websites are making it a point to protect their users from such vulnerabilities.
Until then, we should be careful when using OpenID and OAuth to log into sites, and when accessing unknown links.