All about Covert Redirect Vulnerability

May 13, 2014 | By Editor 

Weeks after the OpenSSL vulnerability Heartbleed was found, another widely publicised security flaw, dubbed Covert Redirect, has surfaced, this time not in a code library but in how websites deploy two open log-in standards. The flaw affects implementations of OpenID and OAuth, which are used for third-party sign-in by many websites and tech giants including Microsoft, Google, Facebook, PayPal, Yahoo, and LinkedIn, among others.

Wang Jing, a PhD student in mathematics at Nanyang Technological University in Singapore, discovered and reported the Covert Redirect vulnerability last week. He demonstrated how the flaw lets an attacker present a genuine log-in popup on the affected website's real domain, and how "Covert Redirect" then allows the attacker to trick users into handing over their access tokens. His video demonstrations targeted Facebook's OAuth implementation, showing the log-in tool's tokens being sent to a malicious website.

Covert Redirect Vulnerability

For example, consider someone who clicks a malicious phishing link; the person is shown a pop-up window from Facebook asking him or her to authorize an application. Instead of phishing users with a look-alike domain, Covert Redirect uses the real website's address for authentication: the authorization request is genuine, but the address the token is to be sent back to (the redirect URL) has been chosen so that, after a loosely checked redirect through a trusted third-party site, it ends up at the attacker's page.

If the user chooses to authorize the application, the token and the personal information it unlocks, instead of going to the legitimate site, are delivered to the attacker. That personal data can range from email addresses, contact lists, and birth dates to control of the whole account.
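The two paragraphs above describe a chain of two weaknesses: an authorization server that checks the redirect address too loosely (for instance, only the domain), and a trusted client site that hosts an open redirector. The following simulation is an added example written for this page; it is not code from the original article or from any of the providers named, and the host names (client.example, attacker.example, provider.example) and the token value are made up. It shows the token landing on the attacker's site when the loose check is used, and the same request being refused when the redirect address must match the registered one exactly.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Hypothetical client registration at the authorization server.
REGISTERED_REDIRECT = "https://client.example/oauth/callback"


def is_allowed_loose(redirect_uri):
    """Vulnerable check: accepts any path on the registered scheme and host."""
    reg, got = urlparse(REGISTERED_REDIRECT), urlparse(redirect_uri)
    return (reg.scheme, reg.netloc) == (got.scheme, got.netloc)


def is_allowed_strict(redirect_uri):
    """Hardened check: the redirect URI must equal the registered one exactly."""
    return redirect_uri == REGISTERED_REDIRECT


def authorize(params, validator):
    """Toy authorization server (implicit flow).

    If the redirect_uri passes `validator`, the user's token is appended as a
    fragment and the browser is sent there. Returns the Location, or None.
    """
    redirect_uri = params["redirect_uri"]
    if not validator(redirect_uri):
        return None
    return f"{redirect_uri}#access_token=TOKEN123"  # constructed token value


def client_open_redirect(url):
    """Toy open redirector on the client site: /redirect?next=<url>.

    Browsers keep the URL fragment across an HTTP redirect when the Location
    header has none, so the token travels along to the `next` destination.
    """
    parsed = urlparse(url)
    if parsed.path != "/redirect":
        return url
    target = parse_qs(parsed.query).get("next", [None])[0]
    if target is None:
        return url
    return target + ("#" + parsed.fragment if parsed.fragment else "")


def covert_redirect(validator):
    """Run the whole chain and return where the token finally lands."""
    attacker = "https://attacker.example/collect"
    # The phishing link points at the real provider; only redirect_uri is crafted.
    crafted = "https://client.example/redirect?" + urlencode({"next": attacker})
    params = {"client_id": "client123", "redirect_uri": crafted}
    location = authorize(params, validator)
    if location is None:
        return None  # the authorization server refused the redirect_uri
    return client_open_redirect(location)


if __name__ == "__main__":
    print("loose check :", covert_redirect(is_allowed_loose))
    print("strict check:", covert_redirect(is_allowed_strict))
```

Run directly, the loose validator lets the token reach attacker.example, while the strict validator returns None and the chain never starts. Both halves matter in practice: exact-match redirect URIs at the provider, and no open redirectors on sites registered as OAuth clients.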

Wang added that he had already informed Facebook about the flaw but was told that the social networking site had "understood the threats associated with OAuth version 2.0," and that fixing this vulnerability was "something that cannot be easily achieved within short time."

According to Wang, Facebook was not the only social media website to be affected. He had reported the same to tech titans Google, Microsoft, and LinkedIn who gave him various responses on how they intend on handling the situation.

Google informed Wang that the issue was being looked into, LinkedIn told him that it had published a blog post on the matter, and Microsoft said it had investigated and found that the flaw existed on a third-party domain and not on its own websites.

PayPal also addressed the flaw, saying that the company was engineering extra security measures to safeguard its customers and merchants and that these measures would protect PayPal customers from the OAuth 2.0 vulnerability. Jeremiah Grossman, founder and interim CEO of WhiteHat Security, a leading web security company, agreed with Wang's findings. Grossman said that the vulnerability was not an easy one to fix and that any potential remedies could have a negative impact on users.

Though this vulnerability is not as severe as Heartbleed, it has at the very least served as a stark reminder to users to think carefully before granting permissions to web apps.

