Late last week, a Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a “serious” OAuth 2.0 and OpenID security flaw that could be attackers to obtain sensitive information from both providers and clients.
“For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If ‘the token’ has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf,” he explained.
“For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.”
He contacted a number of big Internet companies and services to notify them of the danger, and the responses he received are varied: LinkedIn and Weibo said that they will be working on fixing the problem, Google is “aware of the problem and are tracking it at the moment”, Facebook acknowledged the problem but said that there is not much they can do “short of forcing every single application on the platform to use a whitelist.”
In fact, the vulnerability is not actually in the authentication standards, but in the implementation of OAuth by service providers, as confirmed by Symantec researchers, who said that this flaw is nothing like the OpenSSL Heartbleed bug.
“Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers,” they noted. “Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.”
“Covert Redirect serves as a reminder to be careful about what applications you grant access to,” they pointed out, then added: “Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw.”