User interaction is required and an open redirect must exist for the attack to work

May 5, 2014 07:58 GMT

Last week, Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, reported finding an OAuth and OpenID security flaw that could be exploited to obtain sensitive information. 

OAuth is the open standard for authorization used for many high-profile web, desktop and mobile applications. The security issue, which has been dubbed “Covert Redirect,” can expose all sorts of information.

“For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc,” the expert noted in a blog post.

“If ‘the token’ has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user's behalf,” he added.

As far as OpenID is concerned, Wang explained that “the attackers may get user's information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.”

The list of affected providers named by Wang includes Facebook, Google, LinkedIn, Yahoo, Live, VK, QQ, PayPal, Sina, Taobao, Weibo, Sohu, Mail.ru, 163.com, GitHub and Alibaba’s Alipay.

A number of other security experts have analyzed Wang’s findings and report that Covert Redirect is not as bad as it sounds, and it’s certainly not as dangerous as the OpenSSL vulnerability known as Heartbleed, as some have suggested.

For instance, Symantec experts highlight the fact that Covert Redirect is not a vulnerability in OAuth itself. Instead, the issue exists due to the way OAuth is implemented by the various service providers that utilize it.

For an attack to work, user interaction is required. Furthermore, an open redirect must exist on the targeted application for the attack to be successful.

Because it’s not a vulnerability in OAuth itself, it’s up to each service provider to ensure that the Covert Redirect issue is patched.
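The two conditions above (a loose redirect_uri check at the provider plus an open redirect on the client) are what the fix has to break. The following is an added illustration, not code from the article or from any of the providers named; the client host, the registered callback URI and the sample redirect_uri are constructed, and the function names are hypothetical. It contrasts a host-only redirect_uri check with exact matching against a registered value, and shows a client-side check that refuses to forward a browser off-site after login.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the one redirect URI this hypothetical client registered.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}
CLIENT_HOST = "app.example.com"

def provider_domain_match(redirect_uri: str) -> bool:
    """Weak provider-side check: any URL on the client's host is accepted,
    so a redirect_uri that points at an open redirect on that host passes."""
    return urlsplit(redirect_uri).hostname == CLIENT_HOST

def provider_exact_match(redirect_uri: str) -> bool:
    """Hardened provider-side check: the redirect_uri must match a
    pre-registered value byte for byte, query string included."""
    return redirect_uri in REGISTERED_REDIRECT_URIS

def client_safe_next(next_value: str, default: str = "/") -> str:
    """Client-side check: only a same-site path may be the post-login
    destination, which removes the open redirect the attack depends on."""
    parts = urlsplit(next_value)
    if parts.scheme or parts.netloc:          # absolute or protocol-relative URL
        return default
    if not next_value.startswith("/") or next_value.startswith("//"):
        return default
    if "\\" in next_value:                    # some browsers treat '\' as '/'
        return default
    return next_value

def classify(redirect_uri: str) -> dict:
    """Summarise how each check treats one redirect_uri."""
    next_param = parse_qs(urlsplit(redirect_uri).query).get("next", [""])[0]
    return {
        "domain_match_accepts": provider_domain_match(redirect_uri),
        "exact_match_accepts": provider_exact_match(redirect_uri),
        "client_follows_next": client_safe_next(next_param) == next_param,
    }

if __name__ == "__main__":
    # Constructed sample: a redirect_uri that bounces through the client's
    # own redirect endpoint towards an off-site host.
    print(classify("https://app.example.com/redirect?next=https://attacker.example/"))
```

Either check alone is enough to stop the bounce: exact matching keeps the provider from sending the token to the client's redirect endpoint in the first place, and the client-side path check keeps that endpoint from forwarding anything off-site.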

Google has told Wang that it’s already tracking the issue. Microsoft has told the expert that the vulnerability affects a third party, not login.live.com. LinkedIn reported taking steps to mitigate such attacks back in March.

PayPal has published a blog post to clarify that its customers are not impacted.

“When we heard that security researchers recently discovered a vulnerability in open source login tools OAuth 2.0 and OpenID we moved quickly to determine the impact to our customers,” noted PayPal’s CTO James Barrese.

“We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure.”