Following the Heartbleed bug, a new vulnerability called “Covert Redirect” has been discovered in OpenID and OAuth 2.0, through which attackers could steal your user ID and password from widely visited websites such as Facebook, Twitter, Microsoft and Google.
Wang Jing, who is pursuing a PhD in mathematics at Nanyang Technological University, discovered and blogged about the Covert Redirect security flaw.
Recently, the Heartbleed bug forced several institutions and government services to reset all of their users’ passwords, and many of them have already suspended some critical services; for example, a Canadian revenue agency suspended tax e-filing.
As of now, both OpenID and OAuth 2.0 are used by millions of users, since many webmasters use these APIs to let users log into their websites with the credentials of popular sites such as Facebook, Twitter and Google. It works behind the scenes: all you see is a “Log in with Facebook”, Twitter or Google button.
So far, security experts have not labelled this vulnerability a major security flaw, but it is still a threat. It works like this: when you log into a website or forum with a social account, you are redirected back to the original website once authentication completes, but this bug allows attackers to redirect (mislead) users to other malicious websites so that they can also obtain your credentials, indirectly.
Attackers cannot see your passwords for those popular websites, but they can use the security token issued by such sites to act on your behalf under your user ID.
Although Wang said in the blog post that Covert Redirect would not be possible if third-party applications adhered to a whitelist, he explained that it is not practical for groups to do this, and added that it is also hard to determine who is responsible for fixing the vulnerability.
Microsoft and Facebook have already responded to the security threat and promised to take every threat seriously; Facebook has also published an advisory for developers to specify a whitelist of OAuth redirect URLs.
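The whitelist advice above comes down to how an identity provider compares the `redirect_uri` in an authorization request against what the client registered. The following added example (not code from the article, Wang’s blog, or any provider) contrasts a permissive domain-only comparison with an exact-match whitelist, using a constructed client registration and a constructed redirector path on the client’s own site. The client id `demo-app`, the hosts `app.example` and `other.example`, and the function names are all assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample registration: the redirect URIs a hypothetical client
# "demo-app" registered with the identity provider (exact URIs, not domains).
REGISTERED_REDIRECT_URIS = {
    "demo-app": {"https://app.example/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Domain-only comparison: accepts any path on a registered host.

    This is the permissive behaviour the article describes: a redirector
    elsewhere on the client's own site passes this check, so the token is
    delivered to a URL the client never registered.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    host = urlparse(redirect_uri).netloc
    return any(urlparse(r).netloc == host for r in registered)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match whitelist: the full redirect_uri string must equal one of
    the registered URIs. Also rejects non-https URIs and URIs carrying a
    fragment, since neither can be a legitimately registered callback."""
    parts = urlparse(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def build_authorization_redirect(client_id: str, redirect_uri: str,
                                 check, token: str):
    """Simulated authorization endpoint for the implicit flow: returns the
    URL the browser would be sent to, with the token in the fragment, or
    None when the redirect_uri is rejected by the supplied check."""
    if not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


if __name__ == "__main__":
    # Constructed request values: the registered callback, and a redirector
    # path on the same host whose "to" parameter points off-site.
    good = "https://app.example/oauth/callback"
    redirector = "https://app.example/go?to=https://other.example/"
    for uri in (good, redirector):
        print(uri)
        print("  weak  :", build_authorization_redirect("demo-app", uri, weak_redirect_check, "tok"))
        print("  strict:", build_authorization_redirect("demo-app", uri, strict_redirect_check, "tok"))
```

The domain-only check accepts the redirector URL because its host matches, so the token rides along to wherever that path forwards the browser; the exact-match check refuses it and only ever releases the token to the single registered callback. Exact matching is the provider-side half of the fix; the client-side half is not running an unrestricted redirector on the registered host at all.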
Covert Redirect was first discovered last May, in Amazon and eBay redirect URLs.