Security flaw discovered in OAuth, OpenID

By Kyle Johnson,

A vulnerability in OAuth 2.0 and OpenID has been discovered, one which could allow hackers to steal personal information and redirect people to malicious websites.

According to CNet, the flaw was found by Nanyang Technological University Ph.D student Wang Jing. He said he reported it to Facebook, Google, Microsoft and LinkedIn, but they aren't the only sites affected.

While most responses were similar to Google's, which noted they were looking into it, Facebook's response was a little less comforting. The social media site noted that "short of forcing every single application on the platform to use a whitelist," solving the problem is "something that can't be accomplished in the short term."

Lifehacker explained that the "Covert Redirect" problem could allow hackers to make it appear like an authorization-styled popup to login to a website using Facebook or Google that uses OAuth or OpenID is genuine and when really it's just a malicious link. From there hackers could steal users' information and then send them to an identical-looking site that's actually a harmful one.

Though Google and others have been made aware of the issue, Jeremiah Grossman, the founder and interim CEO of WhiteHat Security, said it isn't an easy fix and many simply won't bother. "While I can't be 100 percent certain, I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX."



Join Our Newsletter

Popular Threads