Another week, and seemingly another new internet security flaw has been reported. Well, I guess we all need to change our passwords again because of this newest flaw, “Covert Redirect,” right? However, unlike the Heartbleed bug, this one isn’t actually much of a problem. (Don’t actually go change your passwords.)
Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, is credited with “discovering” Covert Redirect, along with creating its website and logo. He found a vulnerability in the OAuth framework that powers the identity logins for services such as Facebook, Microsoft, Google and LinkedIn. This vulnerability lies in the way that Facebook or YouTube, for example, has implemented this framework for its own needs. (It isn’t clear yet whose implementation does or doesn’t contain this vulnerability.) With this flaw, it is possible to hijack login credentials by redirecting them from the intended target, such as Facebook, to a malicious site. However (using the known example of Facebook), this is only possible after a user clicks on a malicious link or visits a malicious website, and then also clicks on a Facebook login button and agrees to authorize the login and release of information. Essentially, you have to be completely unaware that you’re on a bad site, which you should always be aware of, and on top of that you have to authorize the release of info in the pop-up box as well. Therefore, this vulnerability is nowhere near the same level as Heartbleed and should not be treated as such.
Really, what this comes down to is someone attempting to profit and make a name for themselves off of a minor vulnerability by giving it a fancy name, website, and logo like Heartbleed did. Despite what major news outlets such as CNET are reporting, the problem does not lie in the OpenID and OAuth frameworks. It lies in the implementation that services such as Facebook created, and therefore is not as big of an issue. Don’t get me wrong, this is still an issue that needs fixing ASAP, but this is not the next Heartbleed.
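To make the "implementation, not framework" point concrete, here is an added example (not code from any of the services named above) of how a provider might check the OAuth 2.0 `redirect_uri` parameter: a loose host-only match beside an exact match against the registered callback. The client ID, hostnames and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registration data: one client with one registered callback.
REGISTERED = {"client-123": {"https://app.example.com/oauth/callback"}}


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Weak form: accepts any HTTPS URL whose host matches a registered callback."""
    target = urlsplit(redirect_uri)
    return any(
        target.scheme == "https" and target.hostname == urlsplit(reg).hostname
        for reg in REGISTERED.get(client_id, ())
    )


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened form: exact string match against the registered callbacks."""
    return redirect_uri in REGISTERED.get(client_id, ())


def audit(requests):
    """Return requests the weak check accepts but the exact match rejects."""
    return [
        (cid, uri)
        for cid, uri in requests
        if loose_check(cid, uri) and not strict_check(cid, uri)
    ]


# Constructed authorization requests as (client_id, redirect_uri) pairs.
SAMPLE_REQUESTS = [
    ("client-123", "https://app.example.com/oauth/callback"),
    ("client-123", "https://app.example.com/go?url=https://other.example.net/"),
    ("client-123", "https://other.example.net/oauth/callback"),
    ("unknown", "https://app.example.com/oauth/callback"),
]

if __name__ == "__main__":
    for cid, uri in audit(SAMPLE_REQUESTS):
        print("rejected only by exact match:", cid, uri)
```

The second sample request is the interesting one: it stays on the registered host, so only the exact match rejects it.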
This type of flaw is not new; there have been other ways in the past for malicious links and sites to redirect login information away from the intended sites. The best way to protect yourself is just to be aware of where you are on the internet at all times, be careful of what you click on, and ALWAYS pay attention to login pages and confirmations. Despite this being a minor flaw, I hope that internet security flaws will stop becoming weekly news.