Serious vulnerabilities in the OAuth 2.0 and OpenID solutions have been discovered that can allow hackers to redirect website visitors to unsafe sites. Wang Jing, a Ph.D. student at Singapore's Nanyang Technological University, is credited with discovering the flaw. Known as the "Covert Redirect" vulnerability, it also allows hackers to access sensitive data.
The news comes in the wake of the Heartbleed vulnerability that was found to impact OpenSSL. The news is not reassuring for open source security software, which is used widely among web hosting providers. Google, Facebook, Microsoft, and LinkedIn are among the wide range of websites that use OAuth 2.0 and OpenID.
It is possible that links inviting people to log into a website through Facebook could be leveraging the vulnerability. When someone clicks on such a link, they receive a Facebook popup window asking them to authorize an app. Covert Redirect uses real site addresses for the authentication step, so the prompt looks legitimate; once the user has logged in, a range of personal data can be accessed by the hacker.
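Added example, not code from the article or from Wang's research: a Python comparison of a lax, host-based redirect URI check with the strict exact-match check that closes this class of redirect abuse on the authorization server side. The registered callback and the candidate URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example: the callback URI registered by one OAuth client.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def lax_redirect_allowed(redirect_uri: str) -> bool:
    """Weak check: any URI on a registered host is accepted.

    This is the pattern that lets a redirect through a trusted site's
    own address carry the user (and the authorization response) onward
    to a destination the client never registered.
    """
    host = urlsplit(redirect_uri).hostname
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return host in allowed_hosts


def strict_redirect_allowed(redirect_uri: str) -> bool:
    """Hardened check: the redirect URI must be an absolute https URL and
    match a registered value byte for byte (no host, prefix or query
    matching), which is the mitigation OAuth deployments rely on."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def compare_checks(redirect_uri: str) -> dict:
    """Return both verdicts so a reviewer can see where the checks differ."""
    return {
        "lax": lax_redirect_allowed(redirect_uri),
        "strict": strict_redirect_allowed(redirect_uri),
    }


if __name__ == "__main__":
    # Constructed candidates: the registered callback, then a URI on the
    # same trusted host that forwards elsewhere via a query parameter.
    for uri in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect?next=https://evil.example/",
    ):
        print(uri, compare_checks(uri))
```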
According to Wang, he contacted Facebook to report the vulnerability but was told it would not be possible to address the issue on a short-term basis. Microsoft, Google, and LinkedIn were also contacted. Although not as serious an issue as Heartbleed, the vulnerability will remain a threat until a patch is applied.
Have you been impacted by this vulnerability? Let us know what happened. Add your comments below.