The Next Heartbleed Bug? Hard-to-Fix "Covert Redirect" Flaw Discovered

The worst part? Google, Facebook, LinkedIn, and other affected sites can't easily patch it.

Remember Heartbleed, the recent web-wide security flaw? In terms of nascent vulnerabilities on the web, the OpenSSL bug might have been just the tip of the iceberg. Wang Jing, a PhD student at Singapore's Nanyang Technological University, unearthed a flaw in OAuth 2.0 and OpenID—which are open-sourced login tools used by sites like Google, Facebook, and LinkedIn—that could put a user's data at risk.

It's being called the "Covert Redirect" flaw, which allows potential hackers to steal your login data using a familiar-looking login prompt. Here's how CNet describes it:

If a user chooses to authorize the login, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

In other words, the Cover Redirect flaw makes it super easy for users to be phished from what are otherwise real sign-in tabs. The worst part, though, is that patching the vulnerability is "easier said than done," writes Wang. "If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks."

That isn't the case, however. The problem is that the big companies with actual resources like Google and Facebook can't easily patch the flaw—like they did Heartbleed—because the weakness exists on the third-party websites involved. A quick and dirty fix just isn't available. As security consultant Chris Eng notes here:

[Image: Flickr user Tawheed Manzoor]

Add New Comment

0 Comments