On Friday, a PhD student at the Nanyang Technological University in Singapore, Wang Jing, published a report focused on a method of attack called “Covert Redirect,” promoting it as a vulnerability in OAuth 2.0 and OpenID. Yet Jing’s contention that OAuth and OpenID themselves are flawed has serious flaws of its own, according to those familiar with the specifications.
This isn’t the first time the issue has been raised, and it isn’t anywhere near as bad as Heartbleed was.
OAuth 2.0 and OpenID enable delegated access. Using these protocols, a visitor to a given site can sign in with the account they already hold on another website, such as Facebook, Google, Microsoft, or LinkedIn, which removes the step of registering a new account.
Over the years, the two protocols have grown in popularity, as they enable a wide range of interaction across brands and offer an easy path of access for the end user.
Jing’s disclosure points out that, unless the protocols are implemented properly, users who see the typical OAuth 2.0 or OpenID pop-up from a given provider could be falling into a trap.
In a statement, CloudLock’s Kevin O’Brien explained further:
“The ‘Covert Redirect’ component of the vulnerability refers to a similarity to how some phishing attacks work: when the user grants OAUTH access on the provider pop-up, the actual OAUTH token that is generated is not granted to the service that the user thinks they are using, but rather to a third party service that is potentially malicious.”
Is this a potentially serious issue? Yes, it is. However, it isn’t anywhere near as bad as Heartbleed was.
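The detail that decides where the token ends up is the provider’s check of the redirect_uri parameter in the authorization request. The following example is added for this article and is not code from Jing’s report or from any provider named above; the client name app.example, its registered callback URI, and the sample inputs are constructed. It contrasts the lax, host-only match that lets a redirect through an open redirector on the client’s own domain with the exact-match check against a fully registered URI that RFC 6749 section 3.1.2.2 calls for, and adds a simple heuristic an operator could log on.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the exact redirect URI a hypothetical client application
# ("app.example") registered with the identity provider. The client name and
# the URI are assumptions made for this example.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example/oauth/callback",
})


def _registered_hosts() -> set:
    return {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}


def lax_redirect_uri_ok(redirect_uri: str) -> bool:
    """Host-only matching: any HTTPS URI on a registered hostname is accepted.

    This is the permissive policy Covert Redirect depends on. If the client
    site hosts an open redirector anywhere on that domain, a redirect_uri
    naming it passes this check, and the browser carries the authorization
    code or token on to wherever that redirector forwards it.
    """
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in _registered_hosts()


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Exact string comparison against the pre-registered URIs.

    RFC 6749 section 3.1.2.2 asks the provider to require the complete
    redirection URI at registration and compare against it, so a redirector
    elsewhere on the client domain can never be named as the destination.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def looks_like_open_redirect(redirect_uri: str) -> bool:
    """Monitoring heuristic: does the redirect_uri carry another absolute URL
    in its query string? That is the shape an open-redirector endpoint takes,
    and it is worth logging even when the strict check already rejects it."""
    params = parse_qs(urlsplit(redirect_uri).query)
    return any(
        value.lower().startswith(("http://", "https://", "//"))
        for values in params.values()
        for value in values
    )


def evaluate_redirect_uri(redirect_uri: str) -> dict:
    """Run both policies plus the heuristic so the outcomes can be compared."""
    return {
        "lax_accepts": lax_redirect_uri_ok(redirect_uri),
        "strict_accepts": strict_redirect_uri_ok(redirect_uri),
        "suspicious": looks_like_open_redirect(redirect_uri),
    }


if __name__ == "__main__":
    # Constructed inputs: the registered callback, an open-redirect style URI
    # on the legitimate client domain, and a URI on an unrelated host.
    for uri in (
        "https://app.example/oauth/callback",
        "https://app.example/go?next=https://third-party.example/collect",
        "https://third-party.example/oauth/callback",
    ):
        print(uri, evaluate_redirect_uri(uri))
```

The second constructed input is the case the article describes: the host-only policy accepts it because the hostname is the client’s, while exact matching rejects it because the path and query were never registered. Providers that must allow several callbacks should register each one in full rather than relax the comparison.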
Brandon Edwards, the VP of SilverSky Labs, agreed, stating that Covert Redirect is far less impactful than Heartbleed, “which has the potential to expose the most critical information that a site processes.”