New Serious Security Flaw Found And It Should Concern You

Fresh off the Heartbleed threat comes a brand new one. Flaws have been found in OAuth and OpenID, which are used by websites such as Facebook, LinkedIn and Google, among others. Here’s why this is scary:

Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability, dubbed “Covert Redirect,” can masquerade as a log-in popup served from an affected site’s real domain. Covert Redirect is based on a well-known exploit of a redirect parameter.

For example, someone clicking on a malicious phishing link will get a genuine popup window from Facebook asking them to authorize the app. Instead of using a similar-looking fake domain name to trick users, the Covert Redirect flaw uses the real site’s address for authentication.

If a user chooses to authorize the log-in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates and contact lists to, possibly, control of the account.

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker’s choice, which could potentially further compromise the victim.
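As an added illustration that is not part of the original post, here is a small Python model of the mechanism described above: a provider that checks redirect_uri only by host lets the token bounce through a redirector on the legitimate site to a third party, while exact-match checking refuses it. The client id, hosts and the /go endpoint are constructed placeholders, not real services.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registration for a hypothetical client; hosts are placeholders.
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}

def allowed_loose(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any URI on the registered host passes. A redirector
    endpoint on that host therefore passes too, which Covert Redirect abuses."""
    host = urlsplit(redirect_uri).netloc
    return any(urlsplit(r).netloc == host
               for r in REGISTERED_CLIENTS.get(client_id, []))

def allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: exact string match against the pre-registered URI,
    the behaviour OAuth 2.0 (RFC 6749, section 3.1.2) asks providers to use."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])

def authorize(client_id: str, redirect_uri: str, strict: bool) -> Optional[str]:
    """Models the provider's response after the user clicks 'authorize':
    the token is appended in the URL fragment (implicit flow) and the browser
    is sent to redirect_uri. Returns None when the URI is refused."""
    check = allowed_strict if strict else allowed_loose
    if not check(client_id, redirect_uri):
        return None
    return redirect_uri + "#access_token=TOKEN"   # constructed token value

def site_redirector(url: str) -> str:
    """Models an open redirector at /go on the legitimate app host (constructed).
    Browsers keep the fragment across a 3xx redirect, so the token travels too."""
    parts = urlsplit(url)
    if parts.path == "/go":
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            return target + ("#" + parts.fragment if parts.fragment else "")
    return url

def token_lands_on(client_id: str, redirect_uri: str, strict: bool) -> Optional[str]:
    """Host that finally receives the token, or None if authorization was refused."""
    landing = authorize(client_id, redirect_uri, strict)
    return None if landing is None else urlsplit(site_redirector(landing)).netloc
```

With the loose check, a redirect_uri pointing at the site's own /go endpoint is accepted and the token ends up on whatever host the url parameter names; with the strict check the same request is refused before any token is issued.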

And if that’s not enough, here’s what makes this worse: it’s not going to get fixed anytime soon, as fixing it is an extremely complex matter. So the question is, how do you protect yourself? It’s simple. Be careful about clicking links that immediately ask you to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks.

Hopefully this gets fixed, and hopefully the companies that are affected are open about the fact that they’ve fixed it.

Discover more from The IT Nerd