Last week Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, published a report detailing how the open authentication standards OAuth 2.0 and OpenID are vulnerable to “Covert Redirect” attacks that could expose sensitive information. It has since become clear, however, that the flaw lies not in the authentication standards themselves, but in how individual services apply them.
OAuth 2.0 and OpenID are protocols that let users log into third-party sites with the credentials of an account they already hold at a provider such as Google, Facebook, Microsoft, or LinkedIn.
“For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc.,” the researcher stated in his report.
“If ‘the token’ has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.”
While the flaw does leave users exposed to the “Covert Redirect” attack method, other security analysts say it is not a vulnerability in OAuth 2.0 or OpenID themselves, and is in no way comparable to the well-publicized Heartbleed vulnerability that affects some versions of OpenSSL.
“Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers,” researchers who have analyzed the flaw stated. “Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.”
CSO’s Steve Ragan agrees, writing that this flaw is something to be concerned about, “but there is so much going on here, that the problem isn’t as big as it seems. Most of the websites using OAuth 2.0 and OpenID are social in nature. So infrastructure, such as VPN access, isn’t impacted and neither is banking or other financial data. In this case, basic phishing would be more effective at scale. While Covert Redirect would enable some data collection, it’s a multistage process that a majority of criminals won’t bother with.”
“Personally, I think that vulnerability is a strong word, bordering on irresponsible when used in this context,” Ragan said.
The take-away: Be careful about which applications you give such permissions to.
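As an added illustration of the “how services apply them” point (this is not code from the article or from Wang Jing’s report): Covert Redirect depends on a provider accepting any redirect_uri on a registered client’s host, combined with that host exposing an open redirector. The snippet below models both halves of the service-side fix, exact redirect_uri matching at the provider and a same-site-only redirector at the client; the hostnames and paths are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: the full redirection URIs a hypothetical client app
# registered with the identity provider.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/oauth/callback",
}


def weak_domain_match(redirect_uri: str) -> bool:
    """Lax provider-side check: accept any URI whose host is registered.
    This is the misapplication Covert Redirect abuses, because an open
    redirector elsewhere on the same host (e.g. /out?to=...) passes too."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return urlsplit(redirect_uri).hostname in hosts


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Strict provider-side check: require https and an exact string match
    against the registered full URIs, as RFC 6749 section 3.1.2.2 advises.
    No normalisation, so no extra path or query can be smuggled in."""
    if urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(params: dict, validator) -> dict:
    """Minimal model of the provider's authorization endpoint decision.
    Returns where the browser (carrying the code/token) would be sent,
    or an error with no redirect at all on an unrecognised redirect_uri."""
    uri = params.get("redirect_uri", "")
    if not validator(uri):
        # RFC 6749 section 4.1.2.1: do not redirect to an invalid URI,
        # show the user an error instead.
        return {"error": "invalid_request", "redirect": None}
    return {"error": None, "redirect": uri}


def safe_local_target(target: str) -> bool:
    """Client-side fix for the other half: a /out?to=... style redirector
    should only accept same-site relative paths, never absolute URLs or
    scheme-relative //host paths."""
    return target.startswith("/") and not target.startswith("//")
```

Running the constructed request `https://app.example/out?to=https://attacker.invalid` through both validators shows the lax check accepting it and the strict check rejecting it without redirecting.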