
Nasty Security Flaw In OAuth, OpenID

Posted by Soulskill
from the another-day-another-flaw dept.
jones_supa writes: "A notable security vulnerability has been discovered which impacts both OAuth and OpenID, which are software packages that provide secure delegated access to websites. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the 'Covert Redirect' flaw can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter. For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the login, personal data will be released to the attacker instead of to the legitimate website. Wang did already warn a handful of tech giants about the vulnerability, but they mostly dodged the issue. In all honesty, it is not trivial to fix, and any effective remedies would negatively impact the user experience. Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask them to log in to Facebook or Google, and be aware of this redirection attack."
  • by GoodNewsJimDotCom (2244874) on Friday May 02, 2014 @05:24PM (#46903225)
    The instant I saw a Facebook login on a non-Facebook website, I assumed it was a phisher.

    This phishing attack has been around as long as this flawed protocol has been around.

    Move along, nothing to see here, everyone knew this.
  • by Anonymous Coward on Friday May 02, 2014 @05:28PM (#46903249)

    Some people just can't take a hint.

    [Beta is unusable, unnecessary, and unwanted]

  • by GoodNewsJimDotCom (2244874) on Friday May 02, 2014 @05:32PM (#46903285)
    Heh, I see what they're saying now. This new phishing attack fools the person who "verifies" it is a Facebook.com URL. I guess it is somewhat worse. Your average Facebook user doesn't even know to check that so regular phishing attempts should work too. I guess someone of Slashdot style tech knowledge might have always checked to make sure the URL was Facebook. So I guess the warning is good for some of us. Personally I don't log in to Facebook from rogue sites.

    Oh snap, I just realized where this would get people real hard. PayPal. You click a link to buy with PayPal, but they send you to a PayPal URL to login, but keep your data... Yah, that one could bite. I guess it really is a good heads up. I'll no longer use anyone's PayPal links unless I highly trust the site. Thankfully I at least have the 2nd factor security authentication, but not everyone has that.
